Protect the connection string passwords from unauthorized access
Sitecore stores passwords in the App_Config\ConnectionStrings.config
file. We recommend that you encrypt this file to prevent the passwords from being exposed if the file is accessed without authorization.
This topic applies to all Core roles and XP Service roles except xConnect Search Indexer, Sitecore Cortex™ Blob Storage service, and Sitecore Cortex™ Table Storage service.
This procedure is only compatible with Sitecore 9.2 and earlier. If you want to encrypt the connection strings on Sitecore 9.3 or later, or you experience any issues with the Microsoft ASP.NET IIS Registration Tool (aspnet_regiis), we recommend that you contact Microsoft.
To protect connection string passwords:
- Locate the ASP.NET IIS registration tool (aspnet_regiis) by running the following PowerShell command:

  Get-ChildItem C:\Windows\Microsoft.net\ -Recurse aspnet_regiis.exe | select FullName

  The command probably finds several versions of the tool. Select the latest version, from the Framework64 folder if the site's application pool runs 64-bit:

  FullName
  --------
  C:\Windows\Microsoft.net\Framework\v2.0.50727\aspnet_regiis.exe
  C:\Windows\Microsoft.net\Framework\v4.0.30319\aspnet_regiis.exe
  C:\Windows\Microsoft.net\Framework64\v2.0.50727\aspnet_regiis.exe
  C:\Windows\Microsoft.net\Framework64\v4.0.30319\aspnet_regiis.exe
- From an elevated command prompt, use the aspnet_regiis tool with the -pef option to encrypt the connectionStrings section. The second argument is the physical path of the website; the tool follows the configSource reference in Web.config and rewrites App_Config\ConnectionStrings.config in place:

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis -pef "connectionStrings" "C:\inetpub\wwwroot\YOUR_WEBSITE_FOLDER"

  Important: You must not end the path to your website folder with a backslash (for example, C:\inetpub\wwwroot\YOUR_WEBSITE_FOLDER\) because this makes the aspnet_regiis tool fail.
If you want to decrypt the passwords again, repeat the command with the -pef option changed to -pdf:

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis -pdf "connectionStrings" "C:\inetpub\wwwroot\YOUR_WEBSITE_FOLDER"
You must encrypt the ConnectionStrings.config file separately on each computer that you install Sitecore on: by default the section is encrypted with a key that exists only on the machine where the command was run, so a file copied from another server cannot be decrypted. After encrypting, verify that the site still starts; with the default RsaProtectedConfigurationProvider the application pool identity must be able to read the NetFrameworkConfigurationKey key container (grant access with aspnet_regiis -pa). For more information on the aspnet_regiis tool, see the Microsoft documentation on the ASP.NET IIS Registration Tool.
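The whole on-premises procedure above, as an added PowerShell example (this is not part of the Sitecore documentation). It picks the newest 64-bit aspnet_regiis, strips a trailing backslash from the site path, encrypts the section, checks that the file actually contains an EncryptedData element afterwards, and grants the application pool identity read access to the default RSA key container. The site path and the app pool name are placeholders you must replace.

```powershell
# Added example, not Sitecore's own script. SitePath and AppPoolIdentity are
# assumptions; replace them with the real values. Run from an elevated session.
param(
    [string]$SitePath        = 'C:\inetpub\wwwroot\YOUR_WEBSITE_FOLDER',
    [string]$AppPoolIdentity = 'IIS AppPool\YOUR_APP_POOL'
)

# Newest 64-bit CLR tool (v4.0.30319 rather than v2.0.50727).
$regiis = Get-ChildItem 'C:\Windows\Microsoft.NET\Framework64' -Recurse -Filter aspnet_regiis.exe |
    Sort-Object { [version]($_.Directory.Name.TrimStart('v')) } -Descending |
    Select-Object -First 1 -ExpandProperty FullName
if (-not $regiis) { throw 'aspnet_regiis.exe not found under Framework64' }

# aspnet_regiis fails when the application path ends with a backslash.
$SitePath   = $SitePath.TrimEnd('\')
$configFile = Join-Path $SitePath 'App_Config\ConnectionStrings.config'
if (-not (Test-Path $configFile)) { throw "Not found: $configFile" }

# Do nothing if the section is already encrypted (running -pef twice fails).
[xml]$before = Get-Content $configFile -Raw
if ($before.connectionStrings.EncryptedData) {
    Write-Warning "$configFile is already encrypted"
    return
}

& $regiis -pef 'connectionStrings' $SitePath
if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis exited with code $LASTEXITCODE" }

# Verify: the root element now names a protection provider and carries
# <EncryptedData> instead of plaintext <add connectionString="..."> entries.
[xml]$after = Get-Content $configFile -Raw
$provider = $after.connectionStrings.configProtectionProvider
if (-not $after.connectionStrings.EncryptedData -or -not $provider) {
    throw 'Encryption did not take effect; the file still contains plaintext'
}
"Encrypted $configFile with $provider"

# The default machine.config provider is RSA; the worker process must be able
# to read the key container or the site fails on startup.
if ($provider -eq 'RsaProtectedConfigurationProvider') {
    & $regiis -pa 'NetFrameworkConfigurationKey' $AppPoolIdentity
    if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis -pa exited with code $LASTEXITCODE" }
}
```

The script intentionally makes no plaintext backup of the file: if you need one, store it outside the web root with the same access controls as the database credentials themselves.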
Protect the ConnectionStrings.config file in an Azure PaaS App Service environment
In a PaaS environment, you can protect your connection string values by moving the raw values out of the file and into the App Service Connection strings settings. App Service injects a connection string configured there into the ASP.NET connectionStrings section at runtime, matched by name, so the file only needs to keep the add entries with their names and empty values. The values are then stored encrypted at rest by the platform instead of in a file under wwwroot.
To secure connection strings in PaaS deployments using Kudu:
- Go to App Service, Development Tools, and click Advanced Tools.
- Click Debug console, PowerShell, navigate to site/wwwroot/App_Config and open the ConnectionStrings.config file.
- In the ConnectionStrings.config file, cut the values from the database connection strings (keep the add elements and their names, because the App Service values are matched by name) and click Save. For example, remove the values for core, master, security, and web. Keep the cut values at hand for the next step; the site cannot reach its databases until that step is saved.
- Open the App Service and navigate to Settings, Configuration, and then in the Connection strings section, click New connection string. Add a connection string for each database, using exactly the name from the add element in the file, paste the value you cut, select the type that matches the database (SQLAzure for Azure SQL Database), and click OK.
- Click Save to apply the changes. Saving the configuration restarts the app.
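The same move, scripted with the Az PowerShell module as an added example (not Sitecore's own tooling). It reads a local copy of ConnectionStrings.config, pushes the database values into the App Service connection strings first, then blanks them in the file so the entry names survive, in that order so the app is never left without credentials. The resource group, app name, file path, database names and the SQLAzure type are assumptions; Set-AzWebApp replaces the whole connection string collection, so the script merges with what is already configured.

```powershell
# Added example, not part of the Sitecore documentation. All parameter
# defaults are assumptions; requires the Az module and Connect-AzAccount.
param(
    [string]$ResourceGroup = 'YOUR_RESOURCE_GROUP',
    [string]$AppName       = 'YOUR_APP_SERVICE',
    # Local copy of site/wwwroot/App_Config/ConnectionStrings.config
    [string]$ConfigFile    = '.\ConnectionStrings.config',
    # Only database entries are moved; Solr, xConnect and certificate
    # entries stay in the file as the procedure describes.
    [string[]]$Databases   = @('core', 'master', 'web', 'security')
)

[xml]$doc = Get-Content $ConfigFile -Raw

# Start from the connection strings already on the app: Set-AzWebApp
# overwrites the collection, so anything omitted here would be deleted.
$app      = Get-AzWebApp -ResourceGroupName $ResourceGroup -Name $AppName
$settings = @{}
foreach ($cs in $app.SiteConfig.ConnectionStrings) {
    $settings[$cs.Name] = @{ Type = $cs.Type.ToString(); Value = $cs.ConnectionString }
}

$moved = @()
foreach ($add in $doc.connectionStrings.add) {
    if ($Databases -notcontains $add.name) { continue }
    if ([string]::IsNullOrWhiteSpace($add.connectionString)) { continue }
    # Same name as the <add> element so App Service overrides it at runtime.
    $settings[$add.name] = @{ Type = 'SQLAzure'; Value = $add.connectionString }
    $add.connectionString = ''     # blank the value, keep the entry
    $moved += $add.name
}

if ($moved.Count -eq 0) {
    Write-Warning 'No database connection strings with values found; nothing moved'
    return
}

# 1) Publish the values to App Service (this restarts the app) ...
Set-AzWebApp -ResourceGroupName $ResourceGroup -Name $AppName -ConnectionStrings $settings | Out-Null

# 2) ... and only then write the blanked file, ready to upload to App_Config.
$doc.Save((Resolve-Path $ConfigFile).Path)
"Moved to App Service: $($moved -join ', '). Upload $ConfigFile to site/wwwroot/App_Config."
```

After uploading the blanked file, confirm in Kudu that no database entry in App_Config/ConnectionStrings.config still carries a connectionString value, and that the site connects; a name mismatch between the file and the App Service setting shows up as an empty connection string at runtime.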