问题
I have come across this excellent blog explaining how to encrypt/decrypt the database connection string with a PKCS12ProtectedConfigurationProvider inside Azure Cloud.
http://social.technet.microsoft.com/wiki/contents/articles/sql-azure-connection-security.aspx#create_aspnet
Is this something that should be done, or is it rather security overkill?
If Web.config cannot be accessed from internet due IIS restrictions, nobody would be able to read the DB connection string (incl. password etc) inside the Web.config anyway, so why bother to encrypt it in first place?
Many Thanks,
回答1:
I think it is the same argument as when considering encrypting connection strings outside Windows Azure, which is - who has access to the box.
I have been talking to organisations who had several people with access to the box, which would allow them to see the web.config and extract the credentials for the databases, in places where you don't want system administrators/developers/etc accessing your database, this makes sense.
If you are the only one with access to the instance or if that is not a concern of yours, you don't have to worry about it
来源:https://stackoverflow.com/questions/8376264/shall-the-db-connectionstring-within-web-config-be-encrypted-when-using-azure-cl