Hide connection string in a hosting environment / no registry access
My hoster doesn't allow access to their registry so the published ways to encrypt connection strings won't work. Up to now, I just included the connection strings in the code behind, precompiled the web pages, and stored the customer data in a different database from the aspnetdb.mdf. I don't know if this really enhances security. And it would be fine to hide the connection to the membership data as well. Does anybody know a way to do this?
The .Net Framework supports encryption of connection strings in the app.config file. This replaces the need to use the registry.
I started trying with DpapiDataProtectionProvider 3 years ago but I tried again today. That works fine locally but it doesn't work on the server of my hosting provider. When I upload the encrypted config file, the host machine doesn't know what to do with the cypher. If I try to encrypt on the host machine, only part of the connectionStrings is encrypted (not the sensible parts), and the system stops recognizing any code in the config file. It seems to be a question of trust level, which is a hot subject for web hosters.