Reputation: 9911
I'm using Entity Framework 5 in a standalone WPF client. How do I configure entity framework so that my database password, which is in the connection string, is not in plain text in memory?
Upvotes: 0
Views: 3427
Reputation: 34309
There are two main ways to deal with connection string security with databases.
As rightly pointed out by @MUG4N and @BNicoll you can encrypt the connection strings in your app.config (or web.config) which will avoid being able to read the settings easily. However, the actual user name and password are still stored on the machine in this case, which means that with a bit of work you can retrieve the plaintext password.
In my opinion a far better solution is to use the account running your application to authenticate directly with SQL. This means the username/password is never used in the auth cycle and instead an NTLM or Kerberos token based authentication is used which is far more secure and doesn't require storage of decryptable passwords.
To use this method you will need to make sure that you are on a domain, and grant permission for the user account running the app to access the database. You will then need to replace the username/password in the connection string with Integrated Security=SSPI;
Unfortunately this method requires that you are running in a Windows domain which may not be appropriate in your case.
Check out the MS whitepaper on security in connection strings.
Upvotes: 1
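An added example (not from the original answer, nor EF's own code) of applying the integrated-security approach in an EF5 client: the SQL login and password are stripped from the connection string and Integrated Security is switched on before the string ever reaches DbContext, with a fail-fast check that no SQL credentials remain. The OrdersContext class, the "OrdersDb" config name and the sample connection string are assumed or constructed for illustration.

```csharp
using System;
using System.Data.Entity;
using System.Data.SqlClient;

// Hypothetical EF5 context for the WPF client (name and entities are placeholders).
public class OrdersContext : DbContext
{
    // EF accepts a raw connection string here, so it can be sanitised before EF sees it.
    public OrdersContext(string connectionString) : base(connectionString) { }
}

public static class ConnectionSecurity
{
    // Rewrites the connection string to use Windows authentication (SSPI) and removes any
    // SQL login/password, so the string carries no secret that could sit in memory or config.
    public static string UseIntegratedSecurity(string original)
    {
        var b = new SqlConnectionStringBuilder(original); // normalises uid/pwd synonyms too
        b.Remove("User ID");
        b.Remove("Password");
        b.IntegratedSecurity = true; // emitted as Integrated Security=True (equivalent to SSPI)
        return b.ConnectionString;
    }

    // Startup guard: true if a SQL login or plaintext password is still present.
    public static bool ContainsSqlCredentials(string connectionString)
    {
        var b = new SqlConnectionStringBuilder(connectionString);
        return !string.IsNullOrEmpty(b.Password) || !string.IsNullOrEmpty(b.UserID);
    }
}

class Program
{
    static void Main()
    {
        // Constructed sample of the "before" string; in the real app this would come from
        // ConfigurationManager.ConnectionStrings["OrdersDb"].ConnectionString (assumed name).
        string fromConfig = @"Server=.\SQLEXPRESS;Database=Orders;User ID=app;Password=s3cret";
        string hardened = ConnectionSecurity.UseIntegratedSecurity(fromConfig);

        if (ConnectionSecurity.ContainsSqlCredentials(hardened))
            throw new InvalidOperationException("Connection string still carries SQL credentials.");

        using (var db = new OrdersContext(hardened))
        {
            // The Windows account running the WPF process authenticates to SQL Server via
            // NTLM/Kerberos; that account must already have been granted access to the database.
            Console.WriteLine("Context created with: " + hardened);
        }
    }
}
```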