Reputation: 3493
I want to encrypt my "ConnectionString" settings, which are located in app.config.
But at runtime, I want to use (read) the ConnectionString directly, without decrypting it.
I mean, I don't want anyone to decrypt the string. There should be NO decryption method. I'm thinking it should be like an embedded .NET/ASP.NET/IIS feature to use. Like "Windows Login" (you can enter it, use it, but you can't decrypt it).
===
An example usage: You have a small website with some critical data. You have no money to buy a private server, so you are working on a shared server. If the server is hacked somehow, your application and database will be stolen. But if you put an encrypted connection string in app.config, it will be hard to decrypt it and see what is inside the database.
Upvotes: 3
Views: 2559
Reputation: 176269
Encrypting and decrypting configuration settings in a config file can be done from the command line using the aspnet_regiis.exe tool.
The details are described in the following MSDN article:
As the tool is mainly intended to be used with Web applications, it expects the config file to be named 'web.config'. This means that you temporarily will have to rename your app.config file to web.config:
    rename App.config web.config
    aspnet_regiis -pef connectionStrings . -prov DataProtectionConfigurationProvider
    rename web.config App.config
Upvotes: 2
Reputation: 7702
DPAPI might be a solution.
You can connect your usr/pwd/credentials to the machine. JGalloway knows more about this than I. JGalloway knows more about anything dotnet than I. http://weblogs.asp.net/jgalloway/archive/2008/04/13/encrypting-passwords-in-a-net-app-config-file.aspx
If I haven't mixed things up, this creates a usr/pwd combination that is bound to the very hardware of the machine. I.e. changing the network card and stuff might break it. Also, one cannot create the usr/pwd/creds on one machine and then transfer them to another. In short, this means that you have to do whatever you have to do on the production machine - might give you a headache if you are targeting continuous delivery.
Caveat: I haven't tried it myself. Instead I opted for a "regular" encryption. If someone got hold of my encrypted string and bytecode and reverse engineered it, I would be smoked. But it was enough security for me.
Upvotes: 1
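The protected-configuration approach from the aspnet_regiis answer and the DPAPI answer above, done from code, as an added example that is not part of the original posts: it encrypts the `connectionStrings` section once and then reads the value with no decryption call in the application. The class name, the entry name `Main` and the sample config entry in the comment are assumptions.

```csharp
using System;
using System.Configuration; // add a reference to System.Configuration.dll

// Assumed (constructed) entry in App.config before the first run:
//   <connectionStrings>
//     <add name="Main" connectionString="Server=db;Database=app;User Id=u;Password=p" />
//   </connectionStrings>
static class ConnectionStringProtector
{
    // Built-in provider backed by Windows DPAPI, the same name passed to aspnet_regiis -prov.
    const string Provider = "DataProtectionConfigurationProvider";

    // Encrypts <connectionStrings> in the deployed <app>.exe.config (the copy of App.config
    // next to the executable). Returns true if this call encrypted the section.
    static bool ProtectConnectionStrings()
    {
        Configuration config =
            ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
        ConfigurationSection section = config.GetSection("connectionStrings");
        if (section == null)
            throw new ConfigurationErrorsException("No <connectionStrings> section found.");

        if (section.SectionInformation.IsProtected)
            return false; // already encrypted on a previous run

        section.SectionInformation.ProtectSection(Provider);
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
        ConfigurationManager.RefreshSection("connectionStrings"); // drop the cached plaintext copy
        return true;
    }

    static void Main()
    {
        bool changed = ProtectConnectionStrings();
        Console.WriteLine(changed ? "Section encrypted." : "Section was already encrypted.");

        // The configuration system decrypts the section in memory when it is read,
        // so the application code is the same as for a plaintext config file.
        ConnectionStringSettings settings = ConfigurationManager.ConnectionStrings["Main"];
        if (settings == null)
        {
            Console.Error.WriteLine("Connection string 'Main' is not defined.");
            return;
        }
        // Report only the length so the secret does not end up in console output or logs.
        Console.WriteLine("Loaded connection string ({0} chars).", settings.ConnectionString.Length);
    }
}
```

With the provider's default machine-level DPAPI key, the section can only be read on the machine where it was protected, and other code running on that machine can also decrypt it, so this guards a copied config file rather than a compromised host.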