Encrypted StorageConnectionString

Sep 13, 2016 at 2:41 AM
My preferred approach for configuration management is to encrypt the value of Azure storage connection strings, using the private key from an x509 certificate that is only available to the Azure/Web Server or an appropriate resource who is encrypting the connection string.

This means the connection string is encrypted at rest, with all the security benefits this provides.

However, the current code for IdentityConfigurationSection doesn't support this approach, as it expects the StorageConnectionString value to be stored as plain-text.

Would you be interested in a patch that extends the IdentityConfigurationSection with the following attributes:
  • CertificateThumbprint (contains a thumbprint that identifies a certificate)
  • CertificateStore (My/User depending on certificate location)
Then, based on a non-null/non-whitespace CertificateThumbprint value, the system looks up the certificate using the values provided and uses this to decrypt the value in the StorageConnectionString to a plain-text value.

Let me know if you are interested.
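As an added illustration, not code from the project or from the poster, here is a C# sketch of the lookup-and-decrypt path the proposed attributes imply. It assumes CertificateStore names a StoreLocation (CurrentUser or LocalMachine) within the personal (My) store, and that StorageConnectionString holds base64 RSA-OAEP ciphertext produced with the same certificate's public key.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Hypothetical helper; the attribute names follow the proposal above.
public static class ConnectionStringProtector
{
    // Done once, by whoever holds the certificate: public-key encrypt the plain value.
    public static string Encrypt(string plainText, X509Certificate2 cert)
    {
        using (RSA rsa = cert.GetRSAPublicKey())
        {
            byte[] cipher = rsa.Encrypt(Encoding.UTF8.GetBytes(plainText),
                                        RSAEncryptionPadding.OaepSHA256);
            return Convert.ToBase64String(cipher);
        }
    }

    // Resolve the certificate named by the config attributes; require a private key.
    public static X509Certificate2 FindCertificate(string thumbprint, string certificateStore)
    {
        // Assumption: CertificateStore carries "CurrentUser" or "LocalMachine".
        var location = (StoreLocation)Enum.Parse(typeof(StoreLocation), certificateStore, true);
        using (var store = new X509Store(StoreName.My, location))
        {
            store.Open(OpenFlags.ReadOnly);
            // validOnly: true rejects expired or untrusted certificates; thumbprints
            // pasted from certmgr often carry spaces, so strip them first.
            X509Certificate2Collection found = store.Certificates.Find(
                X509FindType.FindByThumbprint, thumbprint.Replace(" ", ""), validOnly: true);
            if (found.Count == 0 || !found[0].HasPrivateKey)
                throw new CryptographicException("No usable certificate for thumbprint " + thumbprint);
            return found[0];
        }
    }

    public static string Decrypt(string base64Cipher, X509Certificate2 cert)
    {
        using (RSA rsa = cert.GetRSAPrivateKey())
        {
            byte[] plain = rsa.Decrypt(Convert.FromBase64String(base64Cipher),
                                       RSAEncryptionPadding.OaepSHA256);
            return Encoding.UTF8.GetString(plain);
        }
    }

    // The proposed rule: decrypt only when CertificateThumbprint is set; otherwise
    // keep today's plain-text behaviour unchanged.
    public static string ResolveStorageConnectionString(
        string storageConnectionString, string certificateThumbprint, string certificateStore)
    {
        if (string.IsNullOrWhiteSpace(certificateThumbprint))
            return storageConnectionString;
        return Decrypt(storageConnectionString, FindCertificate(certificateThumbprint, certificateStore));
    }
}
```

The private key never leaves the store, so the plain-text connection string exists only in process memory after ResolveStorageConnectionString runs; the decrypted value should not be logged or written back to configuration.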