Secure methods of storing keys, passwords for asp.net

What is the best practice for storing keys, and or passwords for a website. These keys are for various 3rd party web services. Is it best to have them in the Web.config file, or in the database, or encrypted somehow?


Assuming your database isn't accessible from the outside world or that you have it properly locked down that would be the preferred way to store the keys. This allows all of your applications to pull from the same store of keys/passwords making changes very quick and easy.


You can store the encrypted values in the .config file, and ASP.NET 2.0 will decrypt them on the fly.

Your configuration would look something like:

<configSections>
   <section 
      name="sampleSection" 
      type="System.Configuration.SingleTagSectionHandler" 
   />
</configSections>

<MySecrets
   FavoriteMusic="Disco" 
   FavoriteLanguage="COBOL" 
   DreamJob="Dancing in the opening ceremonies of the Olympics" 
/>

and then you run the following from a command line, in the same directory as your config file:

aspnet_regiis -pef MySecrets .

From K. Scott Allen:

http://odetocode.com/Blogs/scott/archive/2006/01/08/2707.aspx


Depends on how often the values change. If they will never change then I would keep them in your source code.

I would stay away from storing data that changes in the Web.Config because changing it forces a restart of the App pool.

My vote would be to store them, encrypted, in the database and provide an easy way for the values to be changed (eg store values in the cache and refresh them when they are altered by a user).

链接地址: http://www.djcxy.com/p/21528.html

上一篇: 你将如何在Tomcat 5.5中实现咸味密码

下一篇: 存储密钥的安全方法,用于asp.net的密码