Sitecore: Encrypt Connection Strings in App_Config

One of our clients asked us to encrypt the connection strings that are used for Sitecore. The reason: if someone compromises the CD servers in the DMZ, they will not find any plain-text credentials.

You can achieve this by using the ASP.NET IIS Registration Tool to encrypt/decrypt the connection strings. If you encrypt the connection strings with the IIS Registration Tool, you don't need to worry about decryption; IIS will handle it automatically for you.

-pef: Encrypts the specified configuration section of the Web.config file in the specified physical (not virtual) directory.

Encryption:

To encrypt your connection strings, open a command prompt and run the following command:

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe -pef "connectionStrings" "C:\inetpub\wwwroot\SitecoreSite\Website"


You might face the following errors:

  • The configuration section 'connection' was not found:
    The fix is to pass the root folder of your site in the command.

  • Failed to encrypt the section 'connectionStrings' using provider 'RsaProtectedConfigurationProvider':
    The fix: if you are using RsaProtectedConfigurationProvider, you need to launch your command prompt or Visual Studio as an Administrator. DataProtectionConfigurationProvider does not require admin rights.

*Note: The path of aspnet_regiis.exe depends on the installed .NET Framework version. The tool is located in: %windir%\Microsoft.NET\Framework\versionNumber


Decryption:

If you want to decrypt your connection strings, you can use the following command:

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe -pdf "connectionStrings" "C:\inetpub\wwwroot\SitecoreSite\Website"


Automated:

You can save the encrypt/decrypt commands in .bat files and encrypt or decrypt the connection strings on the fly.
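
One way to write such a .bat file, as an added example that is not part of the original post: it wraps the -pef and -pdf commands above, checks for the two error conditions listed earlier before running, and confirms the result on disk. The script name and the App_Config\ConnectionStrings.config location (reached from web.config through configSource) are assumptions; the tool and site paths are the ones used in the commands above.

```batch
@echo off
rem Added example (hypothetical file name: protect-connstrings.bat).
rem Usage: protect-connstrings.bat encrypt|decrypt
setlocal
rem Tool and site paths as used in the commands above; adjust to your install.
set "REGIIS=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"
set "SITE=C:\inetpub\wwwroot\SitecoreSite\Website"
rem Assumption: web.config points connectionStrings at this file via configSource.
set "CONN=%SITE%\App_Config\ConnectionStrings.config"

if /i "%~1"=="encrypt" (set "SWITCH=-pef") else if /i "%~1"=="decrypt" (set "SWITCH=-pdf") else (
    echo Usage: %~nx0 encrypt^|decrypt
    exit /b 2
)

rem RsaProtectedConfigurationProvider fails without elevation, so check up front.
net session >nul 2>&1
if errorlevel 1 (
    echo Run this script from an elevated command prompt.
    exit /b 1
)

rem Catch the "section was not found" case early: the site root holds web.config.
if not exist "%REGIIS%" (echo aspnet_regiis.exe not found: "%REGIIS%" & exit /b 1)
if not exist "%SITE%\web.config" (echo No web.config in "%SITE%", pass the site root. & exit /b 1)
if not exist "%CONN%" (echo Connection strings file not found: "%CONN%" & exit /b 1)

"%REGIIS%" %SWITCH% "connectionStrings" "%SITE%"
if errorlevel 1 (
    echo aspnet_regiis.exe reported a failure.
    exit /b 1
)

rem Verify the file on disk instead of trusting the exit code alone.
findstr /c:"<EncryptedData" "%CONN%" >nul 2>&1
if errorlevel 1 (set "STATE=plaintext") else (set "STATE=encrypted")
echo "%CONN%" is now %STATE%.
if "%SWITCH%"=="-pef" if "%STATE%"=="plaintext" exit /b 1
if "%SWITCH%"=="-pdf" if "%STATE%"=="encrypted" exit /b 1
exit /b 0
```

Run it on each server after deployment: with the default RsaProtectedConfigurationProvider the key container is local to the machine, so a file encrypted on one server cannot be decrypted on another unless the key is exported and imported.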