Sitecore Encrypt Connection Strings in App_Config

One of our clients asked us to encrypt the connection strings used for Sitecore. The reason: if someone compromises the CD servers in the DMZ, they will not find any plain-text credentials for SQL users.

You can achieve this by using the ASP.NET IIS Registration Tool (aspnet_regiis.exe) to encrypt/decrypt the connection strings. If you encrypt the connection strings with the IIS registration tool, you don't need to worry about the decryption; IIS will handle it automatically for you.

-pef : Encrypts the specified configuration section of the Web.config file in the specified physical (not virtual) directory.


Encryption:

To encrypt your connection string, open cmd and copy the following command:

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe -pef "connectionStrings" "C:\inetpub\wwwroot\SitecoreSite\Website"

You might face the following errors:

  • The configuration section 'connection' was not found:
    The fix is to pass the root folder of your site in the command.
  • Failed to encrypt the section 'connectionStrings' using provider 'RsaProtectedConfigurationProvider':
    If you are using RsaProtectedConfigurationProvider, the fix is to launch your command prompt or Visual Studio as an Administrator. DataProtectionConfigurationProvider does not require admin rights.

*Note: The path of aspnet_regiis.exe depends on the installed .NET Framework version. The tool is located in: %windir%\Microsoft.NET\Framework\versionNumber


Decryption:

If you want to decrypt your connection strings, you can use the following command:

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe -pdf "connectionStrings" "C:\inetpub\wwwroot\SitecoreSite\Website"

Automated:

You can save the encrypt/decrypt commands in bat files, and start encrypting/decrypting the connection strings on the fly.
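
As an added example (not part of the original post), here is a PowerShell wrapper for the encrypt command that also inspects the file afterwards, so a scheduled or scripted run fails loudly if plain-text entries remain. It assumes the paths used in the commands above and that Web.config may point to an external file through configSource; the two helper function names are hypothetical.

```powershell
# Added example: encrypt the section, then confirm no plaintext remains.
# Default paths are the ones used in the commands above; adjust per server.
param(
    [string]$SiteRoot = 'C:\inetpub\wwwroot\SitecoreSite\Website',
    [string]$RegIis   = 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe'
)

# Hypothetical helper: find the file that actually holds <connectionStrings>.
function Get-ConnectionStringsFile {
    param([string]$Root)
    $webConfig = Join-Path $Root 'Web.config'
    [xml]$doc = Get-Content -LiteralPath $webConfig -Raw
    $section = $doc.SelectSingleNode("/*[local-name()='configuration']/*[local-name()='connectionStrings']")
    if ($null -eq $section) { throw "No <connectionStrings> section in $webConfig" }
    $source = $section.GetAttribute('configSource')   # empty string when absent
    if ($source) { return Join-Path $Root $source }
    return $webConfig
}

# Hypothetical helper: true only if the section is ciphertext with no <add> entries left.
function Test-SectionEncrypted {
    param([string]$Path)
    [xml]$doc = Get-Content -LiteralPath $Path -Raw
    $node = $doc.SelectSingleNode("//*[local-name()='connectionStrings']")
    if ($null -eq $node) { throw "No <connectionStrings> element in $Path" }
    $hasProvider = $node.HasAttribute('configProtectionProvider')
    $hasCipher   = $null -ne $node.SelectSingleNode("*[local-name()='EncryptedData']")
    $plainCount  = $node.SelectNodes("*[local-name()='add']").Count
    return ($hasProvider -and $hasCipher -and $plainCount -eq 0)
}

$target = Get-ConnectionStringsFile -Root $SiteRoot
& $RegIis -pef 'connectionStrings' $SiteRoot
if ($LASTEXITCODE -ne 0) { Write-Warning "aspnet_regiis exited with code $LASTEXITCODE" }

# Do not rely on the tool's console output alone: inspect the file that was written.
if (Test-SectionEncrypted -Path $target) {
    Write-Output "OK: connectionStrings in $target is encrypted"
} else {
    throw "connectionStrings in $target still contains plaintext entries"
}
```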