0

What is the proper way to manage DB connection strings/credentials in a .NET 4/IIS 7 environment? I have a simple development lifecycle, DEV -> TEST -> PROD. I have a sqlexpress DB on my local machine for DEV, a copy of SQL Server 2008 for TEST and another SQL Server 2008 install for PROD.

I'd prefer not to use integrated security. Also, I'd prefer to NOT deploy my credentials or connection string in my web.config file. What's the solution to simplifying the deploy process in a safe and secure manner?

GregB

2 Answers

1

One thing you could do is encrypt the connection string with credentials and store it in the central web.config file on the server so that you don't have to worry about it when deploying. Then locally, on test and on production, the connection string would be available when the app is deployed but handled outside the standard deployment process. Naturally, you would want to use the same connection string name in each location to minimize differences in configuration between environments. I have used this process before and it worked out quite well.

Adam Carr
  • The only note I'd like to make is that I added web.config transforms to remove the connection strings when I build for my TEST and PROD environments so that there's no risk of any connection strings being included in the build. – GregB Jun 23 '11 at 04:43
  • Yes, with this method, there is no need for the connection strings in your application's web.config. Good solution using the transforms. I have always just modified the development PC central web.config. – Adam Carr Jun 23 '11 at 13:46
1

Have a look here.

Since version 2.0, ASP.NET has provided a feature called protected configuration that enables you to encrypt sensitive information in a configuration file. Although primarily designed for ASP.NET, protected configuration can also be used to encrypt configuration file sections in Windows applications. For a detailed description of the new protected configuration capabilities, see Encrypting Configuration Information Using Protected Configuration.

CharithJ
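As an added example (not code from either answer or from Microsoft): a Python check that a build pipeline could run over the packaged web.config to confirm that the connection strings were either stripped by the transform or encrypted by protected configuration. The function name and the sample documents are constructed for illustration, and the section is assumed to sit directly under the root `<configuration>` element.

```python
import re
import xml.etree.ElementTree as ET

# Connection-string keys that mean SQL credentials are embedded in the value.
CRED_KEY = re.compile(r"(?i)(?:^|;)\s*(password|pwd|user id|uid)\s*=")

def _local(tag):
    """Element name without its XML namespace."""
    return tag.rsplit("}", 1)[-1]

def audit_web_config(xml_text):
    """Classify <connectionStrings> in a packaged web.config.

    Returns (status, findings):
      'absent'    - section missing or empty (stripped by a transform)
      'protected' - section encrypted by protected configuration
      'plaintext' - readable <add> entries ship with the package;
                    findings lists (name, credential keys found)
    """
    root = ET.fromstring(xml_text)
    section = next((c for c in root if _local(c.tag) == "connectionStrings"), None)
    if section is None:
        return "absent", []
    adds = [c for c in section if _local(c.tag) == "add"]
    if adds:
        findings = []
        for add in adds:
            value = add.get("connectionString", "")
            keys = sorted({m.group(1).lower() for m in CRED_KEY.finditer(value)})
            findings.append((add.get("name", "?"), keys))
        return "plaintext", findings
    encrypted = any(_local(c.tag) == "EncryptedData" for c in section)
    if encrypted and section.get("configProtectionProvider"):
        return "protected", []
    return "absent", []

# Constructed samples (not from the original page).
DEV_BUILD = """<configuration><connectionStrings>
  <add name="AppDb" connectionString="Data Source=.\\SQLEXPRESS;Initial Catalog=App;User ID=app;Password=CONSTRUCTED" />
</connectionStrings></configuration>"""
TRANSFORMED_BUILD = "<configuration><appSettings /></configuration>"
ENCRYPTED = """<configuration>
<connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
  <EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#">
    <CipherData><CipherValue>CONSTRUCTED</CipherValue></CipherData>
  </EncryptedData>
</connectionStrings></configuration>"""
```

Failing the TEST or PROD build whenever the status is `plaintext` enforces the rule from the comments that no readable connection string leaves the developer machine.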