Hi

Is it possible to encrypt the storage connection strings in cscfg file.

I know how to encrypt web.config connection strings. I want to know if the same can be done in cscfg files

Thanks

Manu

 

I believe you can do it.

You could create a cetificate, encrypt the setting with the cert, upload the cert via the Windows Azure portal so your role instance can access it, and then at runtime decrypt using the same cert.

(That's pretty much the same way people achieve web.config encryption.)

Thanks

The solution you describe is manual. Is there a way to protect the strings without all this heavy lifting?

In web.config you can do that. (aspnet_regiis or system.configuration.configSection API)

Is there a way to protect the connection strings using the Infrastructure?

Manu

 

To encrypt locally and then decrypt in the cloud, you need a certificate on both sides... web.config encryption in Windows Azure isn't any more straightforward (though there's a Codeplex project out there to help).

I think this is the Codeplex project Steve mentions.

This codeplex project deals with encrypting web.config. Will it work on cscfg file?

Manu

No.  I was just pointing out that web.config isn't any more straightforward.

• Marked as answer by manukahn Thursday, December 23, 2010 7:18 AM

No.  I was just pointing out that web.config isn't any more straightforward.

• Marked as answer by manukahn Thursday, December 23, 2010 7:18 AM

Proper solution is yet to come. Azure team itself had to come up with a solution while storing Remote Desktop Credentials. What they did was to add two settings: 1 for the encrypted data and 1 for certificate thumbprint. During runtime, they use the thumbprint to fetch certificate (which was uploaded in a secure way) to decrypt the credentials.

I've placed a feature request at Azure's Feedback website: http://feedback.azure.com/forums/34192--general-feedback/suggestions/9025255-certificate-based-settings-encryption

In my company, we decided to store settings as strings with the following pattern:

      <Setting name="MySecret" value="CertThumb:5813C4...842B2|EncryptedData:QmFzZTY0IGlzIGEgZ2VuZXJpYyB0Z..." />

The utility class detects "CertThumb" header and decrypts data keyed by "EncryptedData". If "CertThumb" is not present, it returns whole content of 'value' attribute.

We have a command line utility which performs back-forth encryption of .cscfg files thus inspection is a breeze.

I'll probably open source that at some point...