Data Access Application Block Encrypted ConnectionString Password

Topics: Cryptography Application Block, Data Access Application Block
Apr 29, 2008 at 3:03 PM
Edited Apr 29, 2008 at 3:07 PM
In my Organization there's a security Policy rule which do not allow uploading to Production any file which holds the database password.
In order to Integrate entlib Data Access Application Block to our Web Application I had to encrypt the password in the ConnectionString (not the whole string).

I did the following changes:

1. in application's Web.Config:
<add key="EncryptPassword" value="true"/>

2. added reference Microsoft.Practices.EnterpriseLibrary.Security.Cryptography.dll to Entlib Data Access Application Block\Data Project

in In Data Project --> Database.cs:
3. added this using:
using Microsoft.Practices.EnterpriseLibrary.Security.Cryptography;

4. added a bool param that gets its value from Web.Config:
private readonly bool EncryptPassword = Convert.ToBoolean(ConfigurationManager.AppSettings"EncryptPassword");

5. added const holds the encryption provider (can be readed from .config too)
private const string symmProvider = "symprovider";

6. I changed the ConnectionString Property to:

public string ConnectionString
return EncryptPassword ? DecryptConnecrionString(connectionString.ToString()) : connectionString.ToString();

7. I wrote this function:

/// <summary>
/// Decrypt ConnecrionString
/// </summary>
/// <param name="connString"></param>
/// <returns></returns>
private static string DecryptConnecrionString(string connString)
if (string.IsNullOrEmpty(connString))
throw new Exception("connectionString to Decrypt is empty");

// separate individual items between semicolon
var semicolonDelimited = connString.Split(new[] { ';' });

var sb = new StringBuilder();

foreach (var s in semicolonDelimited)
if (s.IndexOf("Password") == -1)

var decript = s.Replace("Password=", string.Empty).Trim();
//append decrypted string
sb.Append(Cryptographer.DecryptSymmetric(symmProvider, decript));

return sb.ToString().Substring(0, sb.ToString().Length - 1);

If the EncryptPassword value is set to false the everything works exactly like before all changes.
If EncryptPassword ==true so your connectionsstring should look like this:

<add name="CONNNAME" connectionString="Data Source=YOURSERVER;Initial Catalog=DBNAME;Persist Security Info=True;User ID=USERHERE;Password=LvbloDhvnAIJ2Fstki007IaBLnkS1aBGBt64PXXQR8U=;" providerName="System.Data.SqlClient"/>

It works perfect for me but I would like to know if there's a better way to perform the encryption?

Shay Jacoby.
Apr 30, 2008 at 3:24 AM
Doesn't Entlib automatically handle encrypting the entire DAAB section for you via the built in GUI?

If you select the "Data Access Application Block" node (default) in the configuration tool and select a ProtectionProvider it should automagically encrypt the entire config section, and automatically decrypt at runtime.

I use this feature a lot as it allows me to edit configuration using the friendly GUI without remembering to encrypt/decrypt and without custom code to do so.

In fact, I developed a custom application block with entlib config tool support specifically to get this easy automatic encryption/decryption of sections.