How to prevent users to see the database file I am using?

Question

I am writing a VB.NET desktop application relying on a MS Access *.accdb database. When my application is installed on the end user machine, the database file has to be in the same directory as the assembly.

My concern is that I want the data to be kept confidential, and that the password protection of an access database can easily be broken.

How could I protect these data?

I thought about embedding the database into my assembly, but it looks like it is (or was) not possible. I tried to embed it nonetheless, but I couldn't figure out how to modify my connection string.

Any help greatly appreciated!

Answer 1

Access is not a proper storage medium for Confidential Data. And as you say, the Password mechanism can easily be broken.

You could store all the confidential data in the database in encrypted form, but you'd still need to store the encryption key on the same system in order for your application to read the data. You application would need to do the encryption/decryption. At least when the file is opened, and the password is guessed, the contents would still be hard to read. Anyone with enough knowledge of .NET and security will be able to decrypt the data though, since you'll have to store the encryption key in a place where the application can retrieve it in order to encrypt/decrypt the data.

Embedding the database would also not help very much, since the embedded resources cannot be updated at runtime, plus they can be easily extracted from the assembly unless you encrypt the whole assembly too (there are tools that can do that).

Bottom line: When confidentiality is key, don't store the data a person cannot/may not see on his/her system. Or don't store the encryption key on the system of that person.