Encrypting app.config connection string

Topics: Cryptography Application Block, Data Access Application Block
Dec 28, 2011 at 2:09 PM

Dear all, please advise me how I can encrypt and decrypt the connection string in app.config. I am using Enterprise Library 4.0. If possible, guide me to a working demo.

 

reg.Xeta

Dec 28, 2011 at 3:45 PM
Edited Dec 28, 2011 at 3:45 PM

Did you see the answer to your previous question?  For an Enterprise Library 4 link, please read Encrypting Configuration Data which contains the steps.

--
Randy Levy
Enterprise Library support engineer
entlib.support@live.com 

Dec 29, 2011 at 7:59 AM

Dear, I have gone through the article you emailed. Let me clarify: I am working on a desktop application using Windows Forms. My problem is that I have to encrypt the connection string, which will ultimately be deployed on client machines. The link you emailed me has a command:

aspnet_regiis -pa "MyKeys" "<System.Security.Principal.WindowsIdentity.GetCurrent().Name>"

System.Security.Principal.WindowsIdentity.GetCurrent().Name gives me MyDomainName\MyUserName. How will my DomainName\UserName be used on client machines?

regards,
regXeta


Dec 29, 2011 at 9:02 AM
Kindly also let me know how I pass the application path to the following command:

aspnet_regiis -pe "connectionStrings" -app "</ApplicationPath>" -prov "MyProvider"


regards,
regXeta

Dec 29, 2011 at 9:45 AM
Edited Mar 30, 2012 at 1:53 PM

If you are deploying Windows Forms applications to users' machines I would recommend using Windows Authentication if possible, with as restricted permissions as possible to the database. This would mitigate the risk of discovering the database credentials. See http://msdn.microsoft.com/en-us/library/89211k9b(v=VS.100).aspx

Encryption does not solve your problem since if your program can decrypt the credentials so can any user able to run the program.

One approach could be to encrypt the connection information during installation using the user's account -- then only that user would be able to decrypt the connection information.  However, the credentials would still need to be in plain text during installation.  If you want to look into that read http://www.codeproject.com/KB/security/ProtectedConfigWinApps.aspx

The command aspnet_regiis -pa "MyKeys" "<System.Security.Principal.WindowsIdentity.GetCurrent().Name>" grants access to the key MyKeys for the current user.

If you want to support multiple users on multiple machines you will have to use the RSAProtectedConfigurationProvider.
Even if you use RSA Encryption with a common Key File you would still need to include the key file in the deployment so it can be imported.  If anyone gains access to the key file they can decrypt your information.

Some more reading: Appendix E - Encrypting Configuration Files and Importing and Exporting Protected Configuration RSA Key Containers.

This link should help as well: http://entlib.codeplex.com/discussions/237555

For aspnet_regiis help see: http://msdn.microsoft.com/en-us/library/k6h9cz8h(v=VS.100).aspx

You can direct aspnet_regiis to look on disk as opposed to a virtual root:

aspnet_regiis.exe -pef "connectionStrings" C:\Projects\ 

Note that it will look for a file called web.config in the projects directory so you will have to rename your config files.

--
Randy Levy
Enterprise Library support engineer
entlib.support@live.com
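
The disk-based procedure from the last reply (point aspnet_regiis at a folder and give it a file named web.config), as an added example that is not part of the original thread or of Enterprise Library. The script parameters, the default aspnet_regiis.exe location and the choice of the DPAPI-based DataProtectionConfigurationProvider are assumptions; with that provider the result can only be decrypted on the machine where it was encrypted, so it is meant to run on the client machine at install time.

```powershell
# Added example (assumed names and paths): encrypt <connectionStrings> in a
# Windows Forms app's MyApp.exe.config with aspnet_regiis -pef.
param(
    # Full path to the deployed config file, e.g. ...\MyApp.exe.config (hypothetical)
    [Parameter(Mandatory)] [string] $ConfigPath,
    # Built-in DPAPI provider; pass a different provider name to use RSA instead
    [string] $Provider = 'DataProtectionConfigurationProvider',
    # Assumed framework folder; adjust to the .NET version installed on the machine
    [string] $RegIis = "$env:WINDIR\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
)
$ErrorActionPreference = 'Stop'

# aspnet_regiis -pef only looks for a file called web.config in the folder it is
# given, so work on a renamed copy in a private scratch folder.
$work = Join-Path ([IO.Path]::GetTempPath()) ([Guid]::NewGuid().ToString())
New-Item -ItemType Directory -Path $work | Out-Null
$webConfig = Join-Path $work 'web.config'

try {
    Copy-Item -LiteralPath $ConfigPath -Destination $webConfig

    # -pef <section> <physical folder> -prov <provider>
    & $RegIis -pef 'connectionStrings' $work -prov $Provider
    if ($LASTEXITCODE -ne 0) {
        throw "aspnet_regiis exited with code $LASTEXITCODE"
    }

    # Do not trust the exit code alone: confirm the section is now protected
    # and no plaintext <add> entries remain before replacing the real file.
    [xml] $xml = Get-Content -LiteralPath $webConfig
    $section = $xml.configuration.connectionStrings
    if (-not $section.configProtectionProvider -or $section.add) {
        throw 'connectionStrings is still in plain text; original file left untouched'
    }

    Copy-Item -LiteralPath $webConfig -Destination $ConfigPath -Force
    Write-Output "Encrypted connectionStrings in $ConfigPath using $Provider"
}
finally {
    # The scratch folder briefly held the plaintext copy; always remove it.
    Remove-Item -LiteralPath $work -Recurse -Force
}
```

The application needs no code changes to read the protected section, which is also why, as noted above, any user who can run the program on that machine can recover the credentials.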