Re: Windows App .NET 2.0: Encryption of Connection Strings

From: Dominick Baier [DevelopMentor] (dbaier_at_pleasepleasenospamdevelop.com)
Date: 11/12/05

    Date: Sat, 12 Nov 2005 03:56:55 -0800
    
    

    Hello Henrik,

    ok -

    1) no special privileges are needed, besides write access to the config file
    2) by default the machine key is used - you can also configure ProtectedConfiguration
    to use a user scoped key - this is configured in machine.config

    <add name="DataProtectionConfigurationProvider"
         type="System.Configuration.DpapiProtectedConfigurationProvider,System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
         description="Uses CryptProtectData and CryptUnProtectData Windows APIs to encrypt and decrypt"
         useMachineProtection="true"
         keyEntropy="" />

    3) you can protect nearly all config sections - look in the help for a list
    of sections you can't encrypt
    4) the location of the file should not matter
    5) well - it uses a different cryptographic algorithm - based on asymmetric
    keys. I guess this does not make sense for desktop apps, besides you want
    to use hardware like smartcards or usb tokens.

    The whole DPAPI ProtectedConfig feature is based on the System.Security.Cryptography.ProtectedData
    class. If you want to have more control (like user vs. machine scope) you
    can use that class directly. I have a sample for encrypting xml (config)
    files on my blog -

    here : http://www.leastprivilege.com/ProtectedXml.aspx

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > Hello Dominick,
    >
    > Thank you very much for your reply, that was just what I needed. I
    > have some extra questions.
    >
    > 1) Which rights should the user have on the machine to be able to
    > encrypt?
    > 2) I have tried to run the code for different users on the machine and
    > they all seem to be able to decrypt the connection string, no matter
    > which user has encrypted it. Is the section encrypted on a machine level?
    > 3) I guess that I protect all kinds of configuration sections?
    > 4) Can I use it on configurations saved in isolated storage?
    > 5) I guess that I also can use the RSAProtectedConfigurationProvider
    > provider. Would I ever have to use this provider in a Windows
    > application?
    > Thanks
    >
    > Henrik
    >
    > "Dominick Baier [DevelopMentor]"
    > <dbaier@pleasepleasenospamdevelop.com> wrote in message
    > news:4580be6313561a8c7b5059deae6bf@news.microsoft.com...
    >
    >> Hello Henrik,
    >>
    >> something like this:
    >>
    >> static void Main(string[] args)
    >> {
    >>     Configuration config =
    >>         ConfigurationManager.OpenExeConfiguration(...);
    >>     Console.WriteLine(config.FilePath);
    >>     ConnectionStringsSection s = config.ConnectionStrings;
    >>     // Encrypt the section with the DPAPI provider and force it to be written
    >>     s.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");
    >>     s.SectionInformation.ForceSave = true;
    >>
    >>     config.Save();
    >> }
    >> ---------------------------------------
    >> Dominick Baier - DevelopMentor
    >> http://www.leastprivilege.com
    >>> I have found a lot of articles explaining how to encrypt
    >>> configuration strings in ASP.NET 2.0, but none explaining how to do
    >>> it in Windows Applications.
    >>>
    >>> I would like to encrypt the connection strings in an application
    >>> which I am deploying to multiple customers. The customers enter
    >>> db-connection information themselves and I have to encrypt it
    >>> afterwards. I have to support both trusted connections and SQL
    >>> authentication.
    >>>
    >>> Any ideas?
    >>>
    >>> Thanks
    >>>
    >>> Henrik Skak Pedersen
    >>>
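
The reply above points to System.Security.Cryptography.ProtectedData for choosing user versus machine scope directly. The following is an added example, not part of the original thread or of the author's blog sample; the class name, the entropy constant and the sample connection string are assumptions made for illustration.

```csharp
using System;
using System.Security.Cryptography; // ProtectedData lives in System.Security.dll
using System.Text;

static class ConnectionStringProtector
{
    // Hypothetical application-specific entropy. The same bytes must be
    // supplied on decrypt, otherwise Unprotect fails.
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("MyApp.ConnectionStrings.v1");

    public static string Protect(string plain, DataProtectionScope scope)
    {
        byte[] data = Encoding.UTF8.GetBytes(plain);
        try
        {
            // CurrentUser: only the encrypting account can decrypt.
            // LocalMachine: any account on this machine can decrypt.
            byte[] blob = ProtectedData.Protect(data, Entropy, scope);
            return Convert.ToBase64String(blob);
        }
        finally { Array.Clear(data, 0, data.Length); } // drop the plaintext copy
    }

    public static string Unprotect(string base64, DataProtectionScope scope)
    {
        // Throws CryptographicException when the blob cannot be decrypted,
        // for example a CurrentUser blob read under another account.
        byte[] data = ProtectedData.Unprotect(Convert.FromBase64String(base64), Entropy, scope);
        try { return Encoding.UTF8.GetString(data); }
        finally { Array.Clear(data, 0, data.Length); }
    }

    static void Main()
    {
        // Constructed sample value, not a real credential.
        string cs = "Server=db01;Database=Orders;User Id=app;Password=example";

        string userBlob = Protect(cs, DataProtectionScope.CurrentUser);
        string machineBlob = Protect(cs, DataProtectionScope.LocalMachine);

        Console.WriteLine(Unprotect(userBlob, DataProtectionScope.CurrentUser) == cs);
        Console.WriteLine(Unprotect(machineBlob, DataProtectionScope.LocalMachine) == cs);
    }
}
```

Running the program under a second Windows account and passing it the first account's CurrentUser blob shows the difference from the machine-scoped default discussed in question 2: the CurrentUser blob fails to decrypt, the LocalMachine blob does not.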

