Hello,

I have a DASP website that I'm putting together. I want to be able to encrypt some strings in the database (customer email addresses and other personal details).

I've looked around and found a few links to tutorials on using AES, DPAPI etc., but have to admit that I am novice with encryption and got a bit lost. I came to these forums looking for some example code and got even more lost when I saw a few posts saying that there are some issues with using shared hosting (such as DASP) and some of these encryption methods due to problems with admin access requirements etc.

I don't want to spend lots of time making something work on my test machine, only to find that I can't deploy it to my DASP-hosted production site.

Can anyone out there who has implemented something similar give me some "for dummies" instructions on how to implement a suitable solution that encrypts data in the database but is as secure as possible in terms of hiding keys from potential hackers etc.? I am under the impression that AES/Rjindael encryption is the best to go for, but I am open to any suggestions. Example code would be a great help, especially if you know it works in the DASP hosting environment.

Thanks very much..

Unless you are going to host your site outside of Discountasp network there really is no need to encrypt the connection string on the web.config file. This is because the SQL server and web server are on the same network. So any connection string being passed between the two servers will not go out into the Internet. But if you truly want to encrypt your connection string this kb article maybe useful to you.

http://support.discountasp.net/KB/a339/how-to-encrypt-configuration-sections-your-webconfig.aspx

Hi.

Thanks for the reply. Unfortunately it doesn't answer my question as I'm not concerned about encrypting my connection strings at the moment. My issue
is that I have some data protection requirements that state that certain data must be encrypted before being stored in the database (e.g. Customer name, address, dob, credit card number etc). I intend to do this using some "encrypt string" method (with a corresponding "decrypt string" method for displaying retrieved data). Please note that i'm aware of the debate on whether it is a good idea to store things like credit card details - this is a customer requirement that can't be altered so I would prefer this thread not to add to that debate if possible..

I had assumed that using something like AES or the Microsoft application block would be the best way to go. However I saw a few posts on these boards stating that there were issues deploying some of these on DASP due to the privileges they needed etc. I guess all I'm asking for is some advice (and hopefully example code) on how I can achieve this in a way that will work with a DASP hosted account.

Thanks again..

...See if this helps:
http://blogs.msdn.com/lcris/archive/2005/06/09/427523.aspx
All the best,
Mark

Hi,

Thanks for the reply. That looks like an interesting way if doing things but were using OR mapping with nhibernate and spring, so my plan was always to do the encryption in code using c# rather than in SQL - so I don't think this is of any use to me in this instance.

There are plenty of code samples out there showing how to encrypt strings using c# utility classes. The things I'm not sure about are:

1. Which is the best encryption algorithm to use?
2. Where should I store my keys?
3. What combination of points 1 and 2 above are supported by discount asp.net given the limitations in terms of security and access associated with shared hosting?

The ideal solution for me would be for someone out there who uses DASP and who has already done something similar to give me some example code, or for DASP to provide me with a supported encryption solution that they know will wirk in their hosting environment.

Thanks again guys, we'll get there in the end..!

...I'll check with some of my Microsoft partners.
Q: What you need is the ability to both encrypt and decrypt table records via code pages?
All the best,
Mark

...I'll check with some of my Microsoft partners.
Q: What you need is the ability to both encrypt and decrypt table records via code pages?
All the best,
Mark

Yes. I want to encrypt and decrypt properties on a person object before/after they are persisted in a sql2005 db. This would be done by a utility class that I could reuse elsewhere.