Protect the connection string passwords from unauthorized access

Version: 10.4
Warning

This document should be used only for SXP 9.0 and above. For SXP 8.X, please use Security considerations.

Sitecore stores passwords in the App_Config\ConnectionStrings.config file. We recommend that you encrypt this file to prevent the passwords from being exposed if the file is accessed without authorization.

This topic applies to all Core roles and XP Service roles except xConnect Search Indexer and the Sitecore Cortex Processing service.

Important

If you want to encrypt the connection strings on Sitecore 9.3 or later, or if you experience any issues with the Microsoft .NET RegIIS library, apply the solution described in the known issue KB0253614.

To protect connection string passwords:

  1. Locate the ASP.NET IIS registration tool (aspnet_regiis) by executing the following PowerShell command:

    Get-ChildItem C:\Windows\Microsoft.net\ -Recurse aspnet_regiis.exe | select FullName

    The command probably finds several versions of the tool. You must select the latest version:

    FullName
    --------
    C:\Windows\Microsoft.net\Framework\v2.0.50727\aspnet_regiis.exe
    C:\Windows\Microsoft.net\Framework\v4.0.30319\aspnet_regiis.exe
    C:\Windows\Microsoft.net\Framework64\v2.0.50727\aspnet_regiis.exe
    C:\Windows\Microsoft.net\Framework64\v4.0.30319\aspnet_regiis.exe
  2. Use the aspnet_regiis tool with the -pef option to encrypt the connection strings:

    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis -pef "connectionStrings" "C:\inetpub\wwwroot\YOUR_WEBSITE_FOLDER"

    Important

    You must not end the path to your website folder with a backslash (for example, C:\inetpub\wwwroot\YOUR_WEBSITE_FOLDER\) because this makes the aspnet_regiis tool fail.

If you want to decrypt the passwords, repeat the command with the -pef option changed to -pdf:

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis -pdf "connectionStrings" "C:\inetpub\wwwroot\YOUR_WEBSITE_FOLDER"

The encryption is bound to the computer it was performed on, so you must encrypt the ConnectionStrings.config file separately on each computer that you install Sitecore on. For more information on the aspnet_regiis tool, see the Microsoft documentation on the ASP.NET IIS Registration Tool.
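The following PowerShell script is an added example and is not part of the Sitecore documentation. It runs the procedure above end to end: it picks the newest 64-bit aspnet_regiis, strips the trailing backslash that makes the tool fail, encrypts the connectionStrings section, and then verifies that ConnectionStrings.config no longer contains a clear-text password. $SitePath is a placeholder for your website folder; the script assumes that folder contains the site's web.config.

```powershell
# Added example (not Sitecore's own code): encrypt the connectionStrings section with
# aspnet_regiis and verify the result.
# Assumption: $SitePath is a placeholder for the website folder that contains web.config.
param(
    [string]$SitePath = 'C:\inetpub\wwwroot\YOUR_WEBSITE_FOLDER'
)

# aspnet_regiis fails when the folder path ends with a backslash, so remove it.
$SitePath = $SitePath.TrimEnd('\')

# Pick the newest aspnet_regiis.exe under Framework64 (the build a 64-bit application pool uses).
$tool = Get-ChildItem 'C:\Windows\Microsoft.NET\Framework64' -Recurse -Filter aspnet_regiis.exe |
    Sort-Object { [version]$_.Directory.Name.TrimStart('v') } -Descending |
    Select-Object -First 1
if (-not $tool) { throw 'aspnet_regiis.exe was not found under Framework64' }

# Encrypt the connectionStrings section (-pef). aspnet_regiis follows the configSource
# attribute in web.config, so App_Config\ConnectionStrings.config is the file that is rewritten.
& $tool.FullName -pef 'connectionStrings' $SitePath
if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis exited with code $LASTEXITCODE" }

# Verify: the section must now declare the RSA protection provider, contain an
# EncryptedData element, and no longer contain a clear-text password.
$csPath = Join-Path $SitePath 'App_Config\ConnectionStrings.config'
[xml]$cs = Get-Content $csPath -Raw
$isEncrypted = ($cs.connectionStrings.configProtectionProvider -eq 'RsaProtectedConfigurationProvider') -and
               ($null -ne $cs.connectionStrings.EncryptedData)
$clearText = Select-String -Path $csPath -Pattern 'password=' -Quiet
if ($isEncrypted -and -not $clearText) {
    Write-Host "OK: $csPath is encrypted"
} else {
    Write-Warning "Could not confirm that $csPath is encrypted; inspect it before relying on it"
}
```

Run the script from an elevated PowerShell prompt on each server. Two points to check afterwards: the default provider keeps the RSA key in the machine-level NetFrameworkConfigurationKey container, so the application pool identity must be able to read it (aspnet_regiis -pa grants that access), and because the key is machine-specific an encrypted ConnectionStrings.config copied to another server cannot be decrypted there, which is why each computer is encrypted separately.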

Protect the ConnectionStrings.config file in an Azure PaaS App Service environment

In an Azure PaaS App Service environment, you can protect connection string values by moving the raw connection string values to Environment variables, under the Connection strings section.

To secure connection strings in PaaS deployments using Kudu:

  1. Go to App Service, Development Tools, and click Advanced Tools.

    [Screenshot: Open Kudu]
  2. Click Debug console, PowerShell, navigate to site/wwwroot/App_Config, and open the ConnectionStrings.config file.

    [Screenshot: Open Debug console]
  3. In the ConnectionStrings.config file, cut the values from the database connection strings and click Save. For example, remove the values for core, master, security, and web:

    [Screenshot: Remove the values]
  4. Open the App Service and navigate to Settings, select Environment variables, and then select Connection strings. Click New connection string, add connection strings for all the databases that you want, and click OK.

  5. Click Save to apply the changes.
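The following PowerShell script is an added example and is not part of the Sitecore documentation; it does the same move as the Kudu steps above, but from a deployment machine with the Azure CLI so that the file you deploy never carries the values. It blanks the connectionString attribute of the named entries in ConnectionStrings.config while keeping their names, pushes the values to the App Service connection strings with az webapp config connection-string set, and then checks that no password remains in the file. $ResourceGroup, $AppName and $ConfigPath are placeholders, and the script assumes the Azure CLI is installed and logged in; SQLServer is used as the connection string type, so change it to SQLAzure if your databases are Azure SQL.

```powershell
# Added example (not Sitecore's own code): move connection string values out of
# App_Config\ConnectionStrings.config and into App Service connection strings.
# Assumptions: $ResourceGroup, $AppName and $ConfigPath are placeholders; the Azure CLI
# (az) is installed and already logged in to the right subscription.
param(
    [string]$ResourceGroup = 'YOUR_RESOURCE_GROUP',
    [string]$AppName       = 'YOUR_APP_SERVICE',
    [string]$ConfigPath    = '.\App_Config\ConnectionStrings.config',
    [string[]]$Databases   = @('core', 'master', 'security', 'web')
)

[xml]$cs = Get-Content $ConfigPath -Raw
$settings = @()
foreach ($db in $Databases) {
    $node = $cs.connectionStrings.add | Where-Object { $_.name -eq $db }
    if (-not $node) { Write-Warning "No connection string named '$db' in $ConfigPath"; continue }
    if ($node.connectionString) {
        # Collect the value for App Service, then blank it in the file but keep the name,
        # because App Service supplies the value for that name at runtime.
        $settings += "$db=$($node.connectionString)"
        $node.connectionString = ''
    }
}
$cs.Save((Resolve-Path $ConfigPath).Path)

if ($settings.Count -gt 0) {
    # One key=value argument per database; az sets them all as connection strings.
    az webapp config connection-string set `
        --resource-group $ResourceGroup --name $AppName `
        --connection-string-type SQLServer `
        --settings $settings
    if ($LASTEXITCODE -ne 0) { throw 'az webapp config connection-string set failed' }
}

# Verify: the file that gets deployed must not contain a password any more.
if (Select-String -Path $ConfigPath -Pattern 'password=' -Quiet) {
    Write-Warning "$ConfigPath still contains a password; check entries outside `$Databases"
} else {
    Write-Host "OK: $ConfigPath holds names only; the values live in App Service"
}
```

The final check matters because Sitecore's ConnectionStrings.config contains more entries than the four database connections named in the steps above; any entry you did not move still has its value in the file, and the warning points you at it.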
