Step 1 Create an RSA keypair
aspnet_regiis -pc yourkey -exp
Step2 Export you key in XML file
aspnet_regiis -px yourkey keyfile.xml -pri
for each machines
Step3 Import your container
aspnet_regiis -pi yourkey keyfile.xml (see step 2)
for each machines
Step4 Edit machine.config (canonical path C:WindowsMicrosoft.NETFramework[64|32]v[Version]Config)
add in section configProtectedData this below element and set defaultProvider="YourProvider"
<add name="YourProvider"
type="System.Configuration.RsaProtectedConfigurationProvider,System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
description="Uses RsaCryptoServiceProvider to encrypt and decrypt for my infrastucture"
keyContainerName="yourkey"
cspProviderName=""
useMachineContainer="true"
useOAEP="false" />
Then you can encrypt in a machine and paste in other, remember that must give privileges to users with
aspnet_regiis -pa yourkey [DOMAINUSER]
The administrators group is already authorized.
For more info http://msdn.microsoft.com/en-us/library/yxw286t2(v=vs.90).aspx
of course this steps you can put in a powershell/batch file
Another way for encrypt a connectionStrings section by code is
var connectionStrings = ConfigurationManager.GetSection("connectionStrings")
if(!section.SectionInformation.IsProtected)
connectionStrings.SectionInformation.ProtectSection("YourProvider");
In a connected and client/server scenario I propose you a solution that I have adopted in a wide network is of not distribute connection string in app.config but of require the connection's information at a service that can be an web service or a RESTful service after the user authentication.
In step more o less is thus
- Authenticate user
- Require connection info at service with username as parameter (HTTPS protocol)
- a service return connection string
- App it connect at DB
With this solution you can choose which server the user connects if you have regional server or more server
I hope be helpful
