Secure Sitecore ConnectionStrings using aspnet_regiis (see https://grantkillian.wordpress.com/2017/08/29/encrypting-sitecore-connection-strings-for-sitecore-commerce-azure-sql-and-beyond/ for more context)
<#
Notes:
- The encryption is specific to each server, so this has to be run separately on every IIS server.
- aspnet_regiis requires a web.config file to operate, so we have to massage our Sitecore .config into a web.config format it understands.
Steps:
1) Copy the current connectionStrings.config to a file named "web.config"
2) Insert a <configuration> node surrounding the <connectionStrings> XML
3) Run this new web.config file through aspnet_regiis, e.g.
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe -pef "connectionStrings" "S:\Sitecore\TEST-CMS\website\App_Config"
4) Take the contents of the -- now encrypted -- web.config file, pull out the information within the
<connectionStrings>...</connectionStrings> nodes and overwrite what is currently in connectionStrings.config
#>
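<#
Encrypt the <connectionStrings> section of a Sitecore connectionStrings.config in
place with aspnet_regiis.exe.

aspnet_regiis only understands web.config, so the script
  1) copies connectionStrings.config to a temporary web.config in the same folder,
  2) wraps the <connectionStrings> element in a <configuration> element,
  3) runs aspnet_regiis -pef "connectionStrings" against that folder,
  4) strips the <configuration> wrapper again and writes the result back over
     connectionStrings.config,
  5) removes the temporary web.config on every exit path (finally block).

The temporary web.config holds the plaintext connection strings until step 3
completes, which is why it is removed even when a step fails. The output can only
be decrypted on the server that encrypted it, so run this on every IIS server.

Parameters:
  ConfigLocation - App_Config folder that holds connectionStrings.config.
  AspNetRegIis   - path to aspnet_regiis.exe for the framework the site runs on.
#>
param(
  [string]$ConfigLocation = "S:\Sitecore\website\App_Config",
  [string]$AspNetRegIis = "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
)

# Make cmdlet failures (missing file, unwritable folder, ...) abort instead of
# silently continuing to the overwrite step.
$ErrorActionPreference = 'Stop'

$connectionStringsPath = Join-Path $ConfigLocation 'connectionStrings.config'
$webConfigPath = Join-Path $ConfigLocation 'web.config'

if (-not (Test-Path -LiteralPath $connectionStringsPath)) {
  throw "$connectionStringsPath not found."
}
# Refuse to clobber a web.config that already lives in this folder: the script
# would overwrite it now and delete it at the end.
if (Test-Path -LiteralPath $webConfigPath) {
  throw "$webConfigPath already exists; move it aside before running this script."
}

# Deliberately no plaintext backup: a leftover plaintext copy defeats the point of
# encrypting. Take one yourself only if you will remove it afterwards.

try {
  Copy-Item -LiteralPath $connectionStringsPath -Destination $webConfigPath

  # Read the file as one string so the replacements do not depend on where the
  # line breaks fall, and pin UTF-8 so non-ASCII characters in passwords survive
  # the round trip (Set-Content's default encoding on Windows PowerShell 5.1 is the
  # system ANSI code page, not UTF-8).
  $plain = Get-Content -LiteralPath $webConfigPath -Raw -Encoding UTF8
  $wrapped = $plain.Replace('<connectionStrings>', '<configuration><connectionStrings>')
  $wrapped = $wrapped.Replace('</connectionStrings>', '</connectionStrings></configuration>')
  Set-Content -LiteralPath $webConfigPath -Value $wrapped -Encoding UTF8

  # Encrypt. A native exe reports failure through its exit code, not an exception,
  # so $ErrorActionPreference alone does not catch it.
  & $AspNetRegIis -pef "connectionStrings" $ConfigLocation
  if ($LASTEXITCODE -ne 0) {
    throw "aspnet_regiis.exe exited with code $LASTEXITCODE; connectionStrings.config left unchanged."
  }

  $encrypted = Get-Content -LiteralPath $webConfigPath -Raw -Encoding UTF8
  # Only overwrite the real file if the section was actually protected; otherwise
  # the plaintext would be written back while the script reports success.
  if ($encrypted -notmatch 'configProtectionProvider=') {
    throw "web.config does not look encrypted after aspnet_regiis; connectionStrings.config left unchanged."
  }

  # aspnet_regiis may re-indent the file, so drop the wrapper tags wherever they
  # ended up rather than only when they sit directly next to <connectionStrings>.
  $unwrapped = $encrypted -replace '<configuration>\s*', '' -replace '\s*</configuration>', ''
  Set-Content -LiteralPath $connectionStringsPath -Value $unwrapped -Encoding UTF8

  Write-Host "$connectionStringsPath is now encrypted" -ForegroundColor Magenta
}
finally {
  # Remove the temporary web.config on every exit path so neither the plaintext
  # copy nor a half-processed file is left behind in App_Config.
  if (Test-Path -LiteralPath $webConfigPath) {
    Remove-Item -LiteralPath $webConfigPath -Force
  }
}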
########################################################################
# To decrypt, run the following on the machine that performed the encryption. The connection strings will be revealed in plain text in a new web.config file; delete that file once you have what you need.
<#
$configLocation = "S:\Sitecore\website\App_Config"
Copy-Item -Path ($configLocation + "\connectionStrings.config") -Destination ($configLocation + "\web.config")
$plainConnectionStrings = Get-Content ($configLocation + "\web.config")
$plainConnectionStrings.replace('</connectionStrings>', '</connectionStrings></configuration>') | Set-Content ($configLocation + "\web.config")
$plainConnectionStrings = Get-Content ($configLocation + "\web.config")
$plainConnectionStrings.replace('<connectionStrings', '<configuration><connectionStrings') | Set-Content ($configLocation + "\web.config")
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe -pdf "connectionStrings" $configLocation
Write-Host "Check $configLocation\web.config for the plain text configuration" -ForegroundColor Magenta
#>