Reputation: 853
I have an application where I have to connect to a SQL Server. It is protected by a password. So when I start the program for the first time, I create the connectionString dynamically and save it in app.config. The next times I can use the created connectionString. I've googled and decided to do the following: encrypt the connectionString in app.config and keep the password in my code. When I want to connect to the database next time, I will decrypt the connectionString, add the userId and password and connect to the server with the new connectionString. Before closing the program, I will delete the userId and password from the connectionString and encrypt it again. But I have some questions:
1) Is it a good solution?
2) When I start the program for the first time, I need to create the connection string, so somewhere in the code there has to be a userId and password. How do I deal with this problem?
Upvotes: 2
Views: 4213
Reputation: 21
If you're using Windows and the credentials are the same as your Windows authentication, you can omit the username and password from the connection string and replace them with Trusted_Connection=true
Upvotes: 0
Reputation: 2577
As I understand it, you create the connection string dynamically. So you can encrypt this section from code as well. By default the encryption algorithm will use your machine key to encrypt the section; here is a link explaining how to do it: http://www.dotnetcurry.com/ShowArticle.aspx?ID=185
Upvotes: 2
Reputation: 428
Create DBUsername, DBPassword and other DB entries as keys in the app.config. For the DBPassword, encrypt it (symmetric probably) using a master key that is hard coded in code. This is generally enough. There are other ways such as the use of a key store to store the key.
If you don't want to construct the conn string each time, create the app config entry holding the entire connection string and encrypt the whole thing with the master key (I see no value here).
Upvotes: 1
Reputation: 77364
> Before closing program, I will delete userId and password from connectionString and encrypt it again

That's not a good solution. Your data should always be encrypted or at least be lost on program termination. If your user kills your program using the task manager (or it simply crashes), and you rely on the fact that your program will encrypt the data on exit, your data is left unencrypted.
You could encrypt the whole connection string at the point you get the username and password. Then, any time you want to connect, decrypt it, pass it to the required functions and get rid of it. Never persist it in an unencrypted way.
Upvotes: 1
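Putting the two advice threads together (encrypting the connectionStrings section from code with the machine-key provider, and never persisting the plaintext or relying on re-encryption at exit), here is an added C# example; it is not code from any of the posters or from the linked article. It assumes a .NET Framework application, a connection-string name "MainDb", and write access to the application's .exe.config.

```csharp
using System;
using System.Configuration;
using System.Data.SqlClient;

// Stores the connection string in app.config encrypted at rest (DPAPI via the
// built-in DataProtectionConfigurationProvider), so there is nothing to
// "re-encrypt" on exit. The name "MainDb" is an assumed key for this example.
static class ConnectionStringStore
{
    const string Name = "MainDb";

    // First run: build the connection string from the credentials the user
    // typed, write it to app.config and protect the whole section on disk.
    public static void SaveEncrypted(string server, string database,
                                     string userId, string password)
    {
        var builder = new SqlConnectionStringBuilder
        {
            DataSource = server,
            InitialCatalog = database,
            UserID = userId,
            Password = password
        };

        Configuration config =
            ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
        ConnectionStringsSection section = config.ConnectionStrings;
        section.ConnectionStrings.Remove(Name);
        section.ConnectionStrings.Add(new ConnectionStringSettings(
            Name, builder.ConnectionString, "System.Data.SqlClient"));

        // Default DPAPI scope is the local machine: the file only decrypts on
        // the machine that wrote it, so a copied config file is useless elsewhere.
        if (!section.SectionInformation.IsProtected)
            section.SectionInformation.ProtectSection(
                "DataProtectionConfigurationProvider");

        config.Save(ConfigurationSaveMode.Modified);
        ConfigurationManager.RefreshSection("connectionStrings");
    }

    // Later runs: ConfigurationManager decrypts the section in memory on read;
    // the plaintext exists only for as long as the SqlConnection needs it.
    public static SqlConnection Open()
    {
        ConnectionStringSettings settings = ConfigurationManager.ConnectionStrings[Name];
        if (settings == null)
            throw new InvalidOperationException("No stored connection string; call SaveEncrypted first.");
        var conn = new SqlConnection(settings.ConnectionString);
        conn.Open();
        return conn;
    }
}
```

Because the section is protected the moment it is written, a crash or a kill from Task Manager never leaves plaintext credentials on disk; if the install directory is read-only, open the user-level config (ConfigurationUserLevel.PerUserRoamingAndLocal) instead.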