2

I have come across this excellent blog explaining how to encrypt/decrypt the database connection string with a PKCS12ProtectedConfigurationProvider inside Azure Cloud.

http://social.technet.microsoft.com/wiki/contents/articles/sql-azure-connection-security.aspx#create_aspnet

Is this something that should be done, or is it rather security overkill?

If Web.config cannot be accessed from the internet due to IIS restrictions, nobody would be able to read the DB connection string (incl. password etc.) inside the Web.config anyway, so why bother to encrypt it in the first place?

Many Thanks,

Houman

1 Answer

4

I think it is the same argument as when considering encrypting connection strings outside Windows Azure, which is - who has access to the box.

I have been talking to organisations who had several people with access to the box, which would allow them to see the web.config and extract the credentials for the databases. In places where you don't want system administrators/developers/etc. accessing your database, this makes sense.

If you are the only one with access to the instance or if that is not a concern of yours, you don't have to worry about it.

Yossi Dahan
  • Very good. This was exactly my thought. Indeed I am the only one having access to the instance. But there are times when I am stuck with something and Microsoft support asks for Remote Desktop details of the instance. In this case if it's not secured, the security might be compromised. Thank you for clarifying this for me. – Houman Dec 04 '11 at 20:09
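
An added example, not part of the question, the answer or the linked article: a Python check that reports whether a Web.config `connectionStrings` section is stored in plaintext, and so readable by anyone with file access to the instance, or is protected by a configuration provider. The sample configs, the provider name `CustomProvider`, the host name and the credentials are all constructed.

```python
import re
import xml.etree.ElementTree as ET

# Keys that carry a secret inside an ADO.NET-style connection string.
SECRET_KEYS = re.compile(r"(?i)(?:^|;)\s*(password|pwd)\s*=\s*[^;]+")

# Constructed sample: plaintext section, readable by anyone who can open the file.
PLAINTEXT_CONFIG = """<configuration>
  <connectionStrings>
    <add name="AppDb" connectionString="Server=tcp:db.example.invalid;Database=app;User ID=appuser;Password=NotARealSecret1;" />
    <add name="Reports" connectionString="Server=localhost;Database=rep;Integrated Security=True;" />
  </connectionStrings>
</configuration>"""

# Constructed sample: section encrypted by a protected configuration provider.
# "CustomProvider" and the cipher value are placeholders.
ENCRYPTED_CONFIG = """<configuration>
  <connectionStrings configProtectionProvider="CustomProvider">
    <EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#">
      <CipherData><CipherValue>PLACEHOLDER</CipherValue></CipherData>
    </EncryptedData>
  </connectionStrings>
</configuration>"""

def local(tag):
    """Strip an XML namespace prefix such as '{uri}EncryptedData'."""
    return tag.rsplit("}", 1)[-1]

def audit_connection_strings(config_xml):
    """Return (status, names); names lists entries exposing a readable password."""
    root = ET.fromstring(config_xml)
    section = next((el for el in root if local(el.tag) == "connectionStrings"), None)
    if section is None:
        return ("absent", [])
    # A protected section carries the provider attribute and an EncryptedData child.
    has_cipher = any(local(child.tag) == "EncryptedData" for child in section)
    if section.get("configProtectionProvider") and has_cipher:
        return ("encrypted", [])
    exposed = [
        el.get("name", "<unnamed>")
        for el in section
        if local(el.tag) == "add" and SECRET_KEYS.search(el.get("connectionString", ""))
    ]
    return ("plaintext", exposed)

if __name__ == "__main__":
    for label, cfg in (("plaintext", PLAINTEXT_CONFIG), ("encrypted", ENCRYPTED_CONFIG)):
        print(label, audit_connection_strings(cfg))
```
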