Encrypt app.config for Windows App using Enterprise Library

Topics: Data Access Application Block, Enterprise Library Core
Jan 22, 2008 at 7:26 AM
I am using Enterprise library v3.1 for developing a windows application. its working well.
but there is a security issue, when i deploy this application on client machine the applicationname.exe.config contains connectionString and other secure information. My question is how I can secure applicationname.exe.config file so that anyone could not open it.

I have tried encryption of Data Access Application Block (with both providers RSA & DPAPI) using enterprise library configuration tool. but when I deploy on client machine it gives these errors:

System.Configuration.ConfigurationErrorsException: Failed to decrypt using provider 'RsaProtectedConfigurationProvider'. Error message from the provider: The RSA key container could not
be opened. (C:\Program Files\Tesst APP\Test APP.exe.config line 30) --->

System.Configuration.ConfigurationErrorsException: The RSA key container could not be opened.
System.Configuration.ConfigurationErrorsException: Failed to decrypt using provider 'DataProtectionConfigurationProvider'. Error message from the provider: Key not valid for use in specified state. (Exception from HRESULT: 0x8009000B) (C:\Program Files\Test APP\Test APP.exe.config line 17) ---> System.Runtime.InteropServices.COMException (0x8009000B): Key not valid for use in specified state. (Exception from HRESULT: 0x8009000B).

Also app.config contains
<machineKey validationKey="somevalue" decryptionKey="somevalue" validation="SHA1" />
I want it should be also encrypted.

I will be very thankful for any help.
Jan 22, 2008 at 8:37 PM
Hi,

You can use the built in configuration encryption support available with the .NET framework (see http://msdn2.microsoft.com/en-us/library/ms998280.aspx, and additional information in the EntLib help file for details on how to deal with key containers).

Now, this won't make your configuration completely secure; anyone who can use the app can read the configuration with little more than a console application.

Fernando
Jan 23, 2008 at 4:49 AM
Thanks Fernando

So Please can anybody tell me what is the best practice for securing the app.config?