Question

Hi,

We currently use the connectionstring approach of DO to connect to the DB. This has a severe security setback as the password which is used to connect is readable in the connectionstring.

How can we protect the password in the connectionstring?

Regards
Paul Sinnema
Diartis AG

Accepted Answer

0	According to the community feedback on this proposal, it is implemented in the stable branch and will be available soon. answered Jan 24 '11 at 05:58 Dmitri Maximov 2211●1●2●11

Answer 2

1

Hello Paul,

I believe that DataObjects.Net as well as any other ORM is not responsible for securing connection strings, however I might be wrong. Nevertheless, I'd try the following approach:

1. Encrypt the required connection string with encryption method you prefer and put it in web.config/app.config file in encrypted form.

2. Load DomainConfiguration through standard API:

var config = DomainConfiguration.Load("mydomain");

3. Set config.ConnectionInfo property with decrypted connection string

config.ConnectionInfo = new ConnectionInfo("sqlserver",
  DecryptMyConnectionString(encryptedConnectionString));

4. Build Domain with the config.

P.S.
I suppose that the standard ASP.NET approach will also work.

answered Jan 05 '11 at 09:59

Dmitri Maximov
2211●1●2●11

edited Jan 05 '11 at 10:03

Hi Dmitri,

We've written a little program that reads the entire App.config and looks for the connectionstring in the domain tag. Using encryption we de-/encrypt the connectionstring. When it is encrypted it is surrounded by '{}' when not it is not surrounded. In our program we test the connectionstring for starting with '{' and ending with '}' and decrypt when needed. This way our application is capable of working with both en- and decrypted connectionsstrings. Super!

(Jan 11 '11 at 02:34) Paul Sinnema

I don't completely agree with you concerning:

'I believe that DataObjects.Net as well as any other ORM is not responsible for securing connection strings'

When one uses the standard connectionstring there is functionality in the Configuration that can un-/lock a connectionstring. That makes en-/decrypting quite easy. Because the connectionstring is in a custom DO tag we can not use this functionality. What I would expect of DO is an easy read/write access to the connectionstring.

(Jan 11 '11 at 02:37) Paul Sinnema

But there is nothing preventing you from getting encryptedConnectionString on step 3 from standard configuration section.

I.e.:

var config = DomainConfiguration.Load("mydomain");
var connectionString = ...; // Read it by any way you like
config.ConnectionInfo = new ConnectionInfo(
  "sqlserver", connectionString);
...

(Jan 11 '11 at 03:42) Alex Yakunin

Hello Paul, please take a look at this idea, we need your feedback.

(Jan 13 '11 at 21:47) Dmitri Maximov

DataObjects.Net 4.3.7 & 4.4 beta 2 with this feature is released.

(Jan 29 '11 at 04:23) Dmitri Maximov

Subscription:

Related questions