Reputation: 3629
A problem I've happened upon is trying to find a way to securely store certain pieces of information. I am still learning and experimenting with .NET as an introductory language along with C. So if I lack basic logic, bear with me.
The Requirement
At the moment I'm using the "Settings" store within my application settings to store several pieces of information; these include:
I've been using the 'Settings' store because quite frankly it's easier to be able to change the value in one central location and have it reflected within my code.
I realize of course that I can just as easily create a shared class and use that as a reference for all these settings.
I need to make it so that someone can't just use a .NET reflector and grab all this information. After experimenting with SmartAssembly, it quickly became apparent that the "Settings" container was ignored during obfuscation.
The way forward?
So I did some research, and at the moment I'm faced with what I consider to be the main possible ways forward (remember this is coming from my limited experience):
Example
Let's say for example I was trying to hide the following string.
Dim ConnStr As String = "server=100.100.100.1;user=admin;database=database2;port=3306;password=password123"
I would be extremely appreciative if users who provide answers could, along with their suggestion, provide a small PoC showing how I can protect a string like the one above and how I can reference it within my program (if you're leaning towards encryption, for example).
Upvotes: 1
Views: 453
Reputation: 38875
Binary serialization will render things like Dates and Integers so they cannot be easily read, but not so with strings. The .NET BinaryFormatter will even use the property name as the key, resulting in something like
"SecretEmail" / "[email protected]"
"ExpiryDate" / <binary>
I am quite fond of protobuf-net for the flexibility it has. It is a replacement for the standard .NET BinaryFormatter and offers an easy option for this:
<ProtoBeforeSerialization>
Private Sub Encryptor()
    _foo = Crypto.Encrypt(_foo)
    _bar = Crypto.Encrypt(_bar)
    _secret = Crypto.Encrypt(_secret)
End Sub

<ProtoAfterDeSerialization>
Private Sub Decryptor()
    _foo = Crypto.Decrypt(_foo)
    _bar = Crypto.Decrypt(_bar)
    _secret = Crypto.Decrypt(_secret)
End Sub
String data would be clear text while the app is running, but encrypted when saved (which may not be what you want). In addition, it uses integer values in place of property names in the output.
Just before the data is serialized you could encrypt or simply scramble the strings so that they are only readable when loaded into the app. Likewise, <ProtoAfterDeSerialization> would allow you to undo whatever you did. Any backing fields with defaults (Private _foo As String = "bar") may/should get handled by your tool.
There are other options; this one has the virtue of having hooks provided for it in the serialization mechanism you can use to save the file.
Upvotes: 1
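A complete VB.NET version of the hook-based approach from the answer above, as an added example that is neither the original poster's code nor protobuf-net's own documentation. It assumes a reference to the protobuf-net NuGet package (namespace ProtoBuf) and to the .NET Framework System.Security assembly for ProtectedData (Windows DPAPI). The class and module names (SecretSettings, Crypto, SettingsStore) are this example's own. Instead of a key compiled into the assembly, which a reflector would recover just as easily as the settings themselves, it lets DPAPI hold the key for the current Windows user, so the connection string never appears in the assembly at all; the sample ApiKey value is constructed.

```vb
' Added example: protobuf-net serialization hooks plus DPAPI.
' Assumes: protobuf-net package referenced; System.Security referenced (ProtectedData).
Imports System
Imports System.IO
Imports System.Security.Cryptography
Imports System.Text
Imports ProtoBuf

' Crypto wraps DPAPI. The key is managed by Windows and bound to the user
' account, so neither the settings file nor the assembly contains it.
Public Module Crypto
    Public Function Protect(plain As String) As String
        If plain Is Nothing Then Return Nothing
        Dim cipher = ProtectedData.Protect(Encoding.UTF8.GetBytes(plain),
                                           Nothing, DataProtectionScope.CurrentUser)
        Return Convert.ToBase64String(cipher)
    End Function

    Public Function Unprotect(protectedText As String) As String
        If protectedText Is Nothing Then Return Nothing
        Dim plain = ProtectedData.Unprotect(Convert.FromBase64String(protectedText),
                                            Nothing, DataProtectionScope.CurrentUser)
        Return Encoding.UTF8.GetString(plain)
    End Function
End Module

<ProtoContract>
Public Class SecretSettings
    ' protobuf-net writes the field numbers below, not the property names.
    <ProtoMember(1)> Public Property ConnStr As String
    <ProtoMember(2)> Public Property ApiKey As String

    ' Runs just before the object is written: only ciphertext reaches the file.
    <ProtoBeforeSerialization>
    Private Sub Encryptor()
        ConnStr = Crypto.Protect(ConnStr)
        ApiKey = Crypto.Protect(ApiKey)
    End Sub

    ' Runs right after writing. Without this the in-memory object would be left
    ' holding ciphertext after every Save call.
    <ProtoAfterSerialization>
    Private Sub RestoreAfterWrite()
        Decryptor()
    End Sub

    ' Runs right after reading: values are clear text in memory again, which is
    ' the caveat the answer points out.
    <ProtoAfterDeserialization>
    Private Sub Decryptor()
        ConnStr = Crypto.Unprotect(ConnStr)
        ApiKey = Crypto.Unprotect(ApiKey)
    End Sub
End Class

Public Module SettingsStore
    Public Sub Save(path As String, settings As SecretSettings)
        Using fs = File.Create(path)
            Serializer.Serialize(fs, settings)
        End Using
    End Sub

    Public Function Load(path As String) As SecretSettings
        Using fs = File.OpenRead(path)
            Return Serializer.Deserialize(Of SecretSettings)(fs)
        End Using
    End Function
End Module

Module Program
    Sub Main()
        ' The connection string is the one from the question; the API key is a
        ' constructed sample value.
        Dim s As New SecretSettings With {
            .ConnStr = "server=100.100.100.1;user=admin;database=database2;port=3306;password=password123",
            .ApiKey = "constructed-sample-api-key"}

        SettingsStore.Save("settings.bin", s)
        ' settings.bin now holds field numbers and Base64 DPAPI blobs; the
        ' password is not readable with a hex editor or a reflector.
        Dim loaded = SettingsStore.Load("settings.bin")
        Console.WriteLine(String.Equals(loaded.ConnStr, s.ConnStr))
    End Sub
End Module
```

Two things follow from this design. First, the secret is no longer embedded in the assembly, so it has to be supplied once per machine or user (at install or first run) rather than shipped in the binary; that is the trade-off for a reflector finding nothing. Second, anything the application can decrypt at run time can also be decrypted by code running under the same Windows account, so DPAPI protects the file at rest but does not change the answer's point that the strings are clear text while the app is running.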