Re: Windows App .NET 2.0: Encryption of Connection Strings
From: Dominick Baier [DevelopMentor] (dbaier_at_pleasepleasenospamdevelop.com)
Date: Sat, 12 Nov 2005 03:56:55 -0800
1) no special privileges are needed, besides write access to the config file
2) by default the machine key is used - you can also configure ProtectedConfiguration
to use a user scoped key - this is configured in machine.config
<add name="DataProtectionConfigurationProvider"
     type="System.Configuration.DpapiProtectedConfigurationProvider,System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
     description="Uses CryptProtectData and CryptUnProtectData Windows APIs to encrypt and decrypt"
     useMachineProtection="true" keyEntropy="" />
3) you can protect nearly all config sections - look in the help for a list
of sections you can't encrypt
4) the location of the file should not matter
5) well - it uses a different cryptographic algorithm - based on asymmetric
keys. I guess this does not make sense for desktop apps, unless you want
to use hardware like smartcards or USB tokens.
The whole DPAPI ProtectedConfig feature is based on the System.Security.Cryptography.ProtectedData
class. If you want to have more control (like user vs. machine scope) you
can use that class directly. I have a sample for encrypting XML (config)
files on my blog -
Dominick Baier - DevelopMentor
> Hello Dominick,
> Thank you very much for your reply, that was just what I needed. I
> have some extra questions.
> 1) Which rights should the user have on the machine to be able to
> 2) I have tried to run the code for different users on the machine and
> all seem to be able to decrypt the connection string, no matter which
> one encrypted it. Is the section encrypted on a machine level?
> 3) I guess that I protect all kinds of configuration sections?
> 4) Can I use it on configurations saved in isolated storage?
> 5) I guess that I also can use the RSAProtectedConfigurationProvider
> provider. Would I ever have to use this provider in a Windows
> "Dominick Baier [DevelopMentor]"
> <email@example.com> wrote in message
>> Hello Henrik,
>> something like this:
>> static void Main(string[] args)
>> Configuration config =
>> ConnectionStringsSection s = config.ConnectionStrings;
>> der");
>> s.SectionInformation.ForceSave = true;
>> Dominick Baier - DevelopMentor
>>> I have found a lot of articles explaining how to encrypt
>>> configuration strings in ASP.NET 2.0, but none explaining how to do
>>> it in Windows Applications.
>>> I would like to encrypt the connection strings in an application
>>> which I am deploying to multiple customers. The customers enter
>>> db-connection information themselves and I have to encrypt it
>>> afterwards. I have to support both trusted connections and SQL
>>> Any ideas?
>>> Henrik Skak Pedersen
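
Added example, not part of the original thread and not the blog sample mentioned in the reply: calling System.Security.Cryptography.ProtectedData directly with user scope, which the reply suggests when more control than the machine-key default is wanted. The class name ConnectionStringVault, the entropy string and the sample connection string are constructed for illustration.

```csharp
// Reference System.Security.dll, where ProtectedData is defined.
using System;
using System.Security.Cryptography;
using System.Text;

static class ConnectionStringVault   // hypothetical helper name
{
    // Optional entropy (constructed value). The same bytes must be passed to
    // Unprotect; a constant shipped in the binary is not a secret by itself.
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("SampleApp.ConnectionStrings");

    public static string Protect(string plain, DataProtectionScope scope)
    {
        byte[] data = Encoding.UTF8.GetBytes(plain);
        try { return Convert.ToBase64String(ProtectedData.Protect(data, Entropy, scope)); }
        finally { Array.Clear(data, 0, data.Length); }   // wipe the plaintext copy
    }

    public static bool TryUnprotect(string stored, DataProtectionScope scope, out string plain)
    {
        plain = null;
        try
        {
            byte[] data = ProtectedData.Unprotect(Convert.FromBase64String(stored), Entropy, scope);
            plain = Encoding.UTF8.GetString(data);
            Array.Clear(data, 0, data.Length);
            return true;
        }
        // Thrown when the blob was protected by another user (CurrentUser scope),
        // on another machine, with different entropy, or was modified.
        catch (CryptographicException) { return false; }
        catch (FormatException) { return false; }        // not valid base64
    }
}

static class Program
{
    static void Main()
    {
        // Constructed sample value.
        string cs = "Data Source=dbhost;Initial Catalog=Orders;User ID=app;Password=example";
        string stored = ConnectionStringVault.Protect(cs, DataProtectionScope.CurrentUser);
        string roundTrip;
        bool ok = ConnectionStringVault.TryUnprotect(stored, DataProtectionScope.CurrentUser, out roundTrip);
        Console.WriteLine("round trip ok: {0}", ok && roundTrip == cs);
        // Change one character in the middle of the stored blob and try again.
        int i = stored.Length / 2;
        string tampered = stored.Substring(0, i) + (stored[i] == 'A' ? 'B' : 'A') + stored.Substring(i + 1);
        Console.WriteLine("tampered blob accepted: {0}", ConnectionStringVault.TryUnprotect(tampered, DataProtectionScope.CurrentUser, out roundTrip));
    }
}
```

With DataProtectionScope.LocalMachine instead, any account on the same machine can unprotect the value, which matches the behaviour described in question 2.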