Best way to store a database password in a startup script / config file?

Tagged: sql-server



The best way to secure your password is to stop using one. Use a trusted connection: How To: Connect to SQL Server Using Windows Authentication in ASP.NET 2.0. Then you have nothing to hide - publish your web.config and source to the world, they still can't hit your database.

If that won't work for you, use the built in configuration encryption system in ASP.NET.
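The two options in the answer above, shown side by side in a web.config as an added example (not part of the original answer or of any Microsoft documentation). The server, database, login and application path names are placeholders.

```xml
<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <!-- Weak form: the SQL login password sits in clear text in the file, so anyone
         who can read web.config (backups, source control, a path-traversal bug) owns the database.
         Left here commented out only for comparison; PLACEHOLDER stands in for a real secret. -->
    <!--
    <add name="AppDb"
         connectionString="Server=dbhost;Database=AppDb;User ID=appuser;Password=PLACEHOLDER"
         providerName="System.Data.SqlClient" />
    -->

    <!-- Preferred form: Windows authentication (a "trusted connection"). No secret is stored;
         SQL Server authenticates the Windows identity the worker process runs as, so the
         application pool account (or a domain service account) must be granted a login on the
         server, e.g. CREATE LOGIN [DOMAIN\svc_app] FROM WINDOWS; -->
    <add name="AppDb"
         connectionString="Server=dbhost;Database=AppDb;Integrated Security=SSPI;"
         providerName="System.Data.SqlClient" />
  </connectionStrings>

  <!-- Fallback when a SQL login really is required: encrypt the section at rest with the
       built-in configuration encryption (DPAPI provider, keyed to this machine). Run once on
       the server, from the .NET Framework directory, with the site's virtual path:

         aspnet_regiis.exe -pe "connectionStrings" -app "/MyApp" -prov "DataProtectionConfigurationProvider"

       ConfigurationManager.ConnectionStrings["AppDb"] still returns the plain string at runtime;
       the on-disk XML holds only an <EncryptedData> element. Reverse it with -pd for editing.
       Because the key is machine-bound, the encrypted file cannot simply be copied to another host. -->
</configuration>
```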


PostgreSQL offers a nice solution for this kind of situation in their documentation. Essentially, you use ssh to bridge a port on your machine to the PostgreSQL server port on the remote machine. This has three stages of authentication:

  1. Restrict access to the local port, such as only letting a particular user connect to it.
  2. Set up password-less connection to the PostgreSQL host with ssh as a particular user.
  3. Allow the user ssh connects as to have local access to PostgreSQL without a password.

This reduces the security to whether your user accounts are secured and your ssh configuration is sound, and you have no need of a password stored anywhere.

Edit: I should add that this will work with any database that listens to a TCP/IP port. It just happens to be described in PostgreSQL. And you will want iptables (or the equivalent off Linux) to do the port restrictions. See this.


I agree with lomaxx: if somebody is already on the server or has wide-ranging access to it (like a sysadmin), the game is pretty much over. So the idea would be to use a server you trust to be secure to the degree you want it to be. Specifically:

  • You need to trust the sysadmins
  • You need to trust anybody else who is running code on the same server (this is why shared hosting is a big no-no for me)

Beyond that, environment variables seem to be a popular choice for storing these types of credentials, because this means that access to the source only (for example by compromising the dev box) doesn't reveal it directly and also it can be nicely localized for each server (dev, test, etc).