Is web.config encryption pointless?

Today I read a blog ( http://somewebguy.wordpress.com/2009/07/20/is-encrypting-your-web-config-a-waste-of-time/ ) on how to encrypt appSettings / connectionStrings etc. using the aspnet_regiis tool.

He has a follow-up post with some reviews from others saying this is a waste of time.

My question is: what do you think? Are you completely excited as soon as anyone gets physical access to your web.config files? Or is it worth taking precautions?

+4
2 answers

I do not think this is pointless. If someone is really accessing your web server, yes, you have a lot of problems. Does this mean that you need to allow them to get the same access to your database / middle tier / application server?

+9

You are as strong as your weakest part. Any measures you can take to improve security are good, although this is not what I am doing.

I share the opinion that if people got access to your web.configs, you probably have problems to worry about.

I always make sure that any db names / passwords stored internally have only datareader / datawriter in the site database.

One thing you can do is encrypt them as part of your deployment using a build tool like MSBuild, NAnt, Rake, etc., so it is not much effort and therefore more likely to be adopted by your team.

+3
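The deployment-time encryption the second answer mentions, as an added PowerShell example that is not part of the original post; the site path, app pool identity and section names are assumptions. It uses the machine-level RSA provider, so a copy of the file (backup, source control, a path-disclosure bug) is unreadable, while the worker process, and anyone running as an administrator on that machine, can still decrypt it.

```powershell
# Added example (not from the original question or answers): a deployment step that
# encrypts the secret-bearing sections of a web.config with aspnet_regiis, then verifies
# the result. The site root, app pool identity and container name below are assumptions.
param(
    [string]$SiteRoot  = 'C:\inetpub\wwwroot\MySite',     # assumed physical path of the site
    [string]$AppPoolId = 'IIS APPPOOL\MySiteAppPool',     # assumed worker-process identity
    [string]$Container = 'NetFrameworkConfigurationKey'   # default RSA key container
)
$regiis = Join-Path $env:windir 'Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe'
if (-not (Test-Path $regiis)) { throw "aspnet_regiis.exe not found at $regiis" }

# Sections that usually hold credentials. Each call rewrites web.config in place,
# replacing the section body with an <EncryptedData> element.
foreach ($section in 'connectionStrings', 'appSettings') {
    & $regiis -pef $section $SiteRoot -prov RsaProtectedConfigurationProvider
    if ($LASTEXITCODE -ne 0) { throw "Encrypting <$section> failed (exit $LASTEXITCODE)" }
}

# The worker process must be able to read the RSA key container, otherwise the site
# fails at startup with a "failed to decrypt" configuration error.
& $regiis -pa $Container $AppPoolId
if ($LASTEXITCODE -ne 0) { throw "Granting $AppPoolId access to $Container failed" }

# Verify: each target section must now carry an EncryptedData child, and no
# plaintext password= fragment may remain anywhere in the file.
$configPath = Join-Path $SiteRoot 'web.config'
[xml]$cfg = Get-Content $configPath
foreach ($section in 'connectionStrings', 'appSettings') {
    $node = $cfg.configuration.SelectSingleNode($section)
    if ($null -eq $node) { continue }   # section absent from this config
    if ($null -eq $node.EncryptedData) { throw "<$section> is still in plaintext" }
}
if ((Get-Content $configPath -Raw) -match 'password\s*=') {
    throw 'A plaintext password= fragment survived encryption'
}
Write-Host "Protected $configPath. To inspect later: $regiis -pdf <section> $SiteRoot"
```

Run it once per deployment target, after the file is copied and before the site is started; the `-pa` grant only needs to succeed once per machine but is harmless to repeat.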
