Multi platform data protection

Question

Question: what is the best way to secure data when developing a multi-platform .NET Core 1.1 application?

Let me explain what I mean: the application has a configuration file that contains a database connection password.

I want to do things the right way, which means that after reading the password for the very first time I would prefer to encrypt the string in the configuration file. Clearly, I need to use some kind of symmetric encryption with some kind of passphrase. With Windows I would use DPAPI and host identity to produce my passphrase (after obfuscating it a bit of course).

Linux does not have DPAPI... Is there a truly multiplatform way of achieving what I've described?

Thanks in advance!

Edit: it's preferred for the implementation code base to be the same not depending on the environment / host OS.

Answer 1

I don't believe there is a "truly multiplatform" way to invoke the native OS-level encryption primitives on every platform from a single implementation. I believe many vendors have to target the OS' APIs on a case-by-case basis.

This CIA advice is probably good evidence to support that working around "doing it the hard way" and targeting every platform specifically, probably speaks to the risks involved with trying to find a shortcut:

All tools must utilize Operating System (OS) provided cryptographic primitives where available (e.g., Microsoft CryptoAPI-NG, OpenSSL, PolarSSL, GnuTLS, etc).

Answer 2

1. All the sensitive settings should be encrypted in the configuration file
2. The decryption keys should be stored in environment-variables

Then the application should decrypt the settings on the fly, when it needs those.