Dec 29, 2011 at 8:45 AM
Edited Mar 30, 2012 at 12:53 PM
If you are deploying Windows Forms applications to user's machines I would recommend using Windows Authentication if possible with as restricted permissions as possible to the database.This would mitigate the risk of discovering the database credentials.
Encryption does not solve your problem since if your program can decrypt the credentials so can any user able to run the program.
One approach could be to encrypt the connection information during installation using the user's account -- then only that user would be able to decrypt the connection information. However, the credentials would still need to be in plain text during installation.
If you want to look into that read
The command aspnet_regiis -pa "MyKeys" "<System.Security.Principal.WindowsIdentity.GetCurrent().Name>" grants access to the key MyKeys for the current user.
If you want to support multiple users on multiple machines you will have to use the RSAProtectedConfigurationProvider.
Even if you use RSA Encryption with a common Key File you would still need to include the key file in the deployment so it can be imported. If anyone gains access to the key file they can decrypt your information.
Some more reading:
Appendix E - Encrypting Configuration Files and Importing and Exporting Protected Configuration RSA Key Containers .
This link should help as well:
For aspnet_regiis help see:
You can direct aspnet_regiis to look on disk as opposed to a virtual root:
aspnet_regiis.exe -pef "connectionStrings" C:\Projects\
Note that it will look for a file called web.config in the projects directory so you will have to rename your config files.
Enterprise Library support engineer