Protect the connection string passwords from unauthorized access


How to use the ASP.NET IIS regstration tool to encrypt sensitive Sitecore passwords from unauthorized access.

Applies to

All Core roles and XP Service roles except xConnect Search Indexer, Sitecore Cortex™ Blob Storage service, and Sitecore Cortex™ Table Storage service.


This procedure is only compatible with Sitecore 9.2 and earlier versions. If you want to encrypt the connection strings on Sitecore 9.3 or later versions or experience any issues with the Microsoft (R) ASP.NET RegIIS library, we recommend that you contact Microsoft support.

Sitecore stores passwords in the App_Config\ConnectionStrings.config file. We recommend that you encrypt this file to prevent the passwords from being exposed if the file is accessed without authorization.

To protect connection string passwords:

  1. Locate the ASP.NET IIS registration tool (aspnet_regiis) by executing the following PowerShell command:

    Get-ChildItem C:\Windows\\ -Recurse aspnet_regiis.exe | select FullName

    The command probably finds several versions of the tool. You must select the latest version:

  2. Use the aspnet_regiis tool with the -pef option to encrypt the connection strings:

    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis -pef "connectionStrings" "C:\inetpub\wwwroot\YOUR_WEBSITE_FOLDER"


    Do not end the path to your website folder with a backslash (for example, C:\inetpub\wwwroot\YOUR_WEBSITE_FOLDER\) because this makes the aspnet_regiis tool fail.

If you want to decrypt the passwords, you can repeat the PowerShell command with the -pef option changed to -pdf:

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis -pdf "connectionStrings" "C:\inetpub\wwwroot\YOUR_WEBSITE_FOLDER"

You must separately encrypt the connectionStrings.config file on each computer that you install Sitecore on. For more information on the aspnet_regiis tool, see Microsoft documentation on the ASP.NET IIS Registration Tool.