I'm looking for some suggestions and best practice advice related to storing and securing database connection strings. App.config seems to be the Microsoft preferred way of handling application configuration, but I've had some troubles in the past working with it - or I just don't understand the philosophy behind it.

The first thing that seems obvious to me is: Never store connection information in plaintext. App.config, however, is always plaintext. The only way to avoid storing human readable information in App.config seems to be Protected Configuration. But again, a big however: If one does deploy an application, the configuration will be deployed in plaintext - encryption (without the help of some tools) seems only possible when the application first starts.

This doesn't seem secure to me, because if someone checks out the application directory (where the configuration is stored) before running the application for the first time, he receives a lot of sensitive information in plain text.

Also: How can I secure the configuration in an application running as an unprivileged, default user? AFAIK saving application settings requires admin rights.

Did Microsoft really think that out? Or does Microsoft provide a different way?

  • msdn.microsoft.com/en-us/library/ff647398.aspx Commented May 30, 2013 at 20:51
  • @varun Seems promising at a first glance, but I don't understand how this may work with a simple client Windows application. Do I have to encrypt the data during installation for each user that uses the application? Commented May 30, 2013 at 20:58
  • It's up to you really, you could keep the same key for an RSA component which will decrypt all sensitive data. However, why would you wanna encrypt something which is sensitive, will differ for each client, yet has to be written in a config file? In such cases, you should let the user enter such things in the UI/admin section and save the entire stuff as an encrypted file. Maybe use his login credentials to encrypt it if there are any. Commented May 30, 2013 at 21:03

1 Answer

You can easily encrypt configuration sections in web.config; it looks like this:

<connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
      xmlns="http://www.w3.org/2001/04/xmlenc#">
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
          <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
          <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
            <KeyName>Rsa Key</KeyName>
          </KeyInfo>
          <CipherData>
            <CipherValue>R7cyuRk+SXJoimz7wlOpJr/YLeADGnwJVcmElHbrG/B5dDTE4C9rzSmmTsbJ9Xcl2oDQt1qYma9L7pzQsQQYqLrkajqJ4i6ZQH1cmiot8ja7Vh+yItes7TRU1AoXN9T0mbX5H1Axm0O3X/285/MdXXTUlPkDMAZXmzNVeEJHSCE=</CipherValue>
          </CipherData>
        </EncryptedKey>
      </KeyInfo>
      <CipherData>
        <CipherValue>d2++QtjcVwIkJLsye+dNJbCveORxeWiVSJIbcQQqAFofhay1wMci8FFlbQWttiRYFcvxrmVfNSxoZV8GjfPtppiodhOzQZ+0/QIFiU9Cifqh/T/7JyFkFSn13bTKjbYmHObKAzZ+Eg6gCXBxsVErzH9GRphlsz5ru1BytFYxo/lUGRvZfpLHLYWRuFyLXnxNoAGfL1mpQM7M46x5YWRMsNsNEKTo/PU9/Jvnh/lT+GlcgCs2JRpyzSfKE7zSJH+TpIRtd86PwQ5HG3Pd2frYdYw0rmlmlI9D</CipherValue>
      </CipherData>
    </EncryptedData>
</connectionStrings>

Take a look here. You don't need a tool to unencrypt it; this can be easily done in code and is a common practice.

1 Comment

As already mentioned, if I deploy the application, the configuration won't be encrypted. Or, if it is, it will be tied to a key that is not stored on the destination computer. So I assume I have to do this after the application installation, but Microsoft doesn't seem to provide any tools for this and I'm not interested in writing custom action code for every project I have for running it in WiX. It's disappointing that Microsoft offers totally awesome tools for developers to create applications, but then totally sucks when it comes to deployment.
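One way the "done in code" step from the answer can look for a desktop App.config, as an added example that is not part of the original thread: it encrypts the connectionStrings section on the destination machine with the built-in DPAPI provider instead of the RSA provider shown above. The class and method names are hypothetical, and it assumes the process is allowed to write to its own .config file.

```csharp
// Added example, not code from the thread. Needs a reference to System.Configuration.
using System;
using System.Configuration;

static class ConnectionStringProtector   // hypothetical name
{
    // Built-in provider name; its key is bound to the machine it runs on,
    // so the section has to be encrypted on the destination computer.
    const string Provider = "DataProtectionConfigurationProvider";

    // Encrypts <connectionStrings> in <exe>.config if it is still plaintext.
    // Returns true when the file was rewritten.
    public static bool ProtectIfNeeded()
    {
        Configuration config =
            ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
        ConfigurationSection section = config.GetSection("connectionStrings");

        if (section == null || section.SectionInformation.IsProtected)
            return false;                       // nothing to do, already encrypted

        section.SectionInformation.ProtectSection(Provider);
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
        ConfigurationManager.RefreshSection("connectionStrings");
        return true;
    }

    static void Main()
    {
        try
        {
            Console.WriteLine(ProtectIfNeeded()
                ? "connectionStrings encrypted."
                : "connectionStrings already protected or absent.");
        }
        catch (Exception ex) when (ex is ConfigurationErrorsException ||
                                   ex is UnauthorizedAccessException)
        {
            // Typical for an unprivileged user when the .config file sits in a
            // directory the user cannot write to: the file stays plaintext.
            Console.Error.WriteLine("Could not protect config: " + ex.Message);
        }

        // Reading needs no extra code: the section is decrypted in memory.
        foreach (ConnectionStringSettings cs in ConfigurationManager.ConnectionStrings)
            Console.WriteLine("Found connection string: " + cs.Name); // name only
    }
}
```

Until this has run once, the file on disk is still plaintext, and with the provider's default machine-level protection any account on that computer that can read the file can decrypt the section the same way.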
