doud.appsettings.connectionstring.encryption
0.7.0-alpha
See the version list below for details.
dotnet add package doud.appsettings.connectionstring.encryption --version 0.7.0-alpha
NuGet\Install-Package doud.appsettings.connectionstring.encryption -Version 0.7.0-alpha
<PackageReference Include="doud.appsettings.connectionstring.encryption" Version="0.7.0-alpha" />
paket add doud.appsettings.connectionstring.encryption --version 0.7.0-alpha
#r "nuget: doud.appsettings.connectionstring.encryption, 0.7.0-alpha"
// Install doud.appsettings.connectionstring.encryption as a Cake Addin
#addin nuget:?package=doud.appsettings.connectionstring.encryption&version=0.7.0-alpha&prerelease
// Install doud.appsettings.connectionstring.encryption as a Cake Tool
#tool nuget:?package=doud.appsettings.connectionstring.encryption&version=0.7.0-alpha&prerelease
AesEncryptionSolution
The AesEncryptionSolution is a project with the goal of providing security for connection strings in the appsettings.json of Microsoft WebApi projects when projects are uploaded to any cloud server either as source or executable. It accomplishes this by using AES encryption to encrypt any or all of the connection strings contained in the appsettings.json. When the application runs, the encrypted connection string is dynamically decrypted just as it is passed to connect to the SQL database.
AES encryption requires a 32-byte key (Key) and a 16-byte initialization vector (IV). Default values for both are built into the program, and so are the same in every installation of the package; it is recommended to create the security.txt file and enter custom values for key and iv. These values will override the default values.
Installation
To use the AesEncryptionSolution in your Visual Studio project, start by installing the current version of the NuGet package, using either the NuGet Package Manager for Solutions or the Package Manager Console:
doud.appsettings.connectionstring.encryption
Add the following using statement to permit calling the extension method that decrypts the encrypted connection string being passed to the SQL database.
using Doud.Appsettings.ExtensionMethods;
Create the secret.txt file in the same folder as the appsettings.json file. The key requires 32 three-digit integers and the iv requires 16 three-digit integers. It is recommended that the values are as random as possible, but all must be between 0 and 255.
key=001002003...
iv=001002003...
Using in a WebApi project
Start by using the EncryptSettings tool to encrypt the connection strings within the appsettings.json.
Change directory to the project's root folder then execute:
EncryptSettings --security [filepath] --keys AAAA,BBBB,CCCC,...
Do not put any blanks between the key values.
Where AAAA, BBBB, CCCC, etc., are the key names of the connection strings within the appsettings.json file. Only the keys provided will have their connection strings encrypted.
The connection strings are encrypted in the appsettings.json file.
To decrypt the encrypted connection strings, use the EncryptSettings tool and execute:
EncryptSettings --security [filepath] --keys AAAA,BBBB,CCCC,... --decrypt
The --security key points to the file that contains the path to the file containing the key and IV values.
The --keys key points to the list of connection string keys that should be encrypted or decrypted in the appsettings.json.
The --decrypt key causes the program to decrypt the selected keys. If this key does not exist, the connection strings will be encrypted.
This will decrypt any of the connection strings.
Note: The EncryptSettings tool will decrypt a connection string that has not been encrypted. Run the decrypt option ONLY on encrypted connection strings!
In the Program.cs using the builder, simply add .Decrypt() after calling GetConnectionString().
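builder.Services.AddDbContext<AppDbContext>(x => {
    // Load the key and IV from security.txt
    var asec = new AesSecurity("security.txt");
    // Decrypt the stored connection string only as it is handed to the SQL Server provider
    x.UseSqlServer(builder.Configuration.GetConnectionString("ProdDb")!.Decrypt(asec));
});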
Using the Decrypt() method, the encrypted connection string returned by GetConnectionString() will be decrypted and passed to the database. This is done dynamically and the result is not stored in any application variable, which limits the possibility of discovery.
security.txt file
The security.txt file is in text format with only two keys: key and iv. Both of these keys point to an array of three-digit integers.
The key key requires an array of exactly 32 integers with values between 0 and 255 (inclusive).
The iv key requires an array of exactly 16 integers with values between 0 and 255 (inclusive).
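One way to create and check a file that meets these requirements, as an added example that is not part of the package. It assumes the layout shown in the sample above (key= and iv= lines of zero-padded three-digit values with no separators); the SecurityFile class and its method names are hypothetical.

```csharp
// Added example, not part of the package. Assumed layout (from the README sample):
// "key=" / "iv=" lines holding zero-padded 3-digit values with no separators.
using System;
using System.Linq;
using System.Security.Cryptography;

static class SecurityFile // hypothetical helper name
{
    // n bytes from the OS CSPRNG, rendered as 3-digit groups (000-255).
    static string RandomGroups(int n) =>
        string.Concat(RandomNumberGenerator.GetBytes(n).Select(b => b.ToString("D3")));

    public static string Generate() => $"key={RandomGroups(32)}\niv={RandomGroups(16)}\n";

    // Convert one value to bytes; reject wrong counts, non-digits and values above 255.
    public static byte[] ParseGroups(string name, string value, int count)
    {
        if (value.Length != count * 3 || value.Any(c => c < '0' || c > '9'))
            throw new FormatException($"{name}: expected exactly {count} 3-digit values");
        var bytes = new byte[count];
        for (int i = 0; i < count; i++)
        {
            int v = int.Parse(value.Substring(i * 3, 3));
            if (v > 255) throw new FormatException($"{name}: value {v} at index {i} is above 255");
            bytes[i] = (byte)v;
        }
        return bytes;
    }

    public static (byte[] Key, byte[] Iv) Parse(string text)
    {
        var map = text.Split('\n', StringSplitOptions.RemoveEmptyEntries)
                      .Select(line => line.Trim().Split('=', 2))
                      .Where(parts => parts.Length == 2)
                      .ToDictionary(parts => parts[0].Trim(), parts => parts[1].Trim());
        if (!map.ContainsKey("key") || !map.ContainsKey("iv"))
            throw new FormatException("both key and iv entries are required");
        return (ParseGroups("key", map["key"], 32), ParseGroups("iv", map["iv"], 16));
    }

    static void Main()
    {
        string text = Generate();
        var (key, iv) = Parse(text);          // round-trip the generated file
        Console.Write(text);                  // redirect stdout into the file
        Console.Error.WriteLine($"ok: {key.Length}-byte key, {iv.Length}-byte iv");
        try { ParseGroups("iv", "999" + new string('0', 45), 16); } // constructed bad input
        catch (FormatException e) { Console.Error.WriteLine($"rejected: {e.Message}"); }
    }
}
```

Keep the generated file out of source control and out of anything uploaded alongside appsettings.json: anyone holding both files can recover the connection strings.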
Product | Versions Compatible and additional computed target framework versions. |
---|---|
.NET | net7.0 is compatible. net7.0-android was computed. net7.0-ios was computed. net7.0-maccatalyst was computed. net7.0-macos was computed. net7.0-tvos was computed. net7.0-windows was computed. net8.0 was computed. net8.0-android was computed. net8.0-browser was computed. net8.0-ios was computed. net8.0-maccatalyst was computed. net8.0-macos was computed. net8.0-tvos was computed. net8.0-windows was computed. |
- net7.0: No dependencies.
NuGet packages
This package is not used by any NuGet packages.
GitHub repositories
This package is not used by any popular GitHub repositories.
Version | Downloads | Last updated |
---|---|---|
1.0.1 | 138 | 2/18/2024 |
1.0.0 | 123 | 2/18/2024 |
0.8.1-beta1 | 214 | 11/19/2023 |
0.8.0-beta1 | 104 | 11/19/2023 |
0.7.0-alpha | 105 | 11/13/2023 |