
Encrypting a config file


Juice05

Programmer
Dec 4, 2001
247
US
I have a VB.Net application that uses a config file to gain a SQL Server connection string. It is my understanding that each client must have the .config file stored locally. My question is how do I encrypt the .config file so that the username and password aren't stored in plain text on client machines? Is there a way to encrypt the file to ensure no one can view the username and password?

Thank you in advance for any ideas/comments.
 
You probably wouldn't encrypt the entire config file, but it's pretty easy to encrypt that one item. Take a look at the System.Security.Cryptography namespace, and use the RijndaelManaged class to encrypt/decrypt your connection string. You'll need to hide the key used by Rijndael somewhere in your code.

Chip H.


 
Firstly, is it possible to change your SQL Authentication to Windows Authentication? If so this requires no transferring of passwords to connect to SQL.

You could encrypt the whole config file but you often find yourself needing to quickly change an item in the config file through notepad (especially when debugging on test databases) so personally I think the best option would be to just encrypt the password. You could flag the password so that your program can recognise it encrypted or decrypted (also to speed up the debugging process).

E.g.:
<User>Me</User>
<PW>mypassword</PW>

as opposed to
<User>Me</User>
<PW>ENCRYPTED$^%$&^$GFGryed</PW>

When you pass the string into your app it will look for the 'ENCRYPTED' first and if found will know that the remaining characters need to be decrypted.

Anyway, back to the question...a lot of people have written encryption/decryption classes for others to use freely so have a look around. Here's one ....

Rijndael Encryption in VB.NET

Try to avoid ones that simply swap ASCII codes as they can be decrypted by just one typing monkey whereas proper encryption would take a couple of billion typing monkeys.

The best ones will require you to set a key (which can be any string).
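
The flagged-password scheme from this reply, sketched in VB.NET as an added example that is not part of the original thread: a <PW> value that starts with ENCRYPTED is Base64-decoded and decrypted with AES (Rijndael with a 128-bit block), and anything else is returned unchanged. The module name ConfigSecret, the functions Protect and Reveal, the IV-then-ciphertext layout and the demo key are assumptions made for the illustration; the key still has to be stored somewhere the client can read it.

```vbnet
Imports System
Imports System.Linq
Imports System.Security.Cryptography
Imports System.Text

Module ConfigSecret
    ' Marker from the post above: a value that starts with it holds ciphertext.
    ' Caveat: a plain-text password that itself starts with the marker would be misread.
    Private Const Marker As String = "ENCRYPTED"

    ' AES-CBC (Rijndael with a 128-bit block) with a fresh random IV per value.
    ' Stored form: Marker + Base64(IV followed by ciphertext).
    Function Protect(plain As String, key As Byte()) As String
        Using alg As Aes = Aes.Create()
            alg.Key = key
            alg.GenerateIV()
            Dim data As Byte() = Encoding.UTF8.GetBytes(plain)
            Using enc As ICryptoTransform = alg.CreateEncryptor()
                Dim cipher As Byte() = enc.TransformFinalBlock(data, 0, data.Length)
                Return Marker & Convert.ToBase64String(alg.IV.Concat(cipher).ToArray())
            End Using
        End Using
    End Function

    ' Returns the usable password for either form of the <PW> value.
    Function Reveal(stored As String, key As Byte()) As String
        If Not stored.StartsWith(Marker, StringComparison.Ordinal) Then
            Return stored ' plain-text entry, e.g. on a test database
        End If
        Dim blob As Byte() = Convert.FromBase64String(stored.Substring(Marker.Length))
        Using alg As Aes = Aes.Create()
            alg.Key = key
            Dim ivLen As Integer = alg.BlockSize \ 8
            alg.IV = blob.Take(ivLen).ToArray()
            Using dec As ICryptoTransform = alg.CreateDecryptor()
                Dim plain As Byte() = dec.TransformFinalBlock(blob, ivLen, blob.Length - ivLen)
                Return Encoding.UTF8.GetString(plain)
            End Using
        End Using
    End Function

    Sub Main()
        ' Constructed 32-byte demo key, for illustration only.
        Dim key As Byte() = Encoding.UTF8.GetBytes("0123456789abcdef0123456789abcdef")
        Dim stored As String = Protect("mypassword", key)
        Console.WriteLine(Reveal(stored, key))
        Console.WriteLine(Reveal("mypassword", key))
    End Sub
End Module
```

CBC gives confidentiality only, so this sketch does not detect a <PW> value that has been altered on disk.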
 
I'm also wondering why you want to store a user name and password without having the user key it in. Do you not want the USER to see the password they are using?
 
But the user may not know the SQL account and password they are using.

For example, a lot of apps will use the sa account (I know they should get their wrist broken but it's quite common - especially if that's what the client wants).
 
In this scenario (and also in 3 tier apps), the account by which the application is accessing SQL should be a least privileged account. That way, if the user gets the password, they can only connect and do the same things the app can do.

If you encrypt the config entry, someone can still decompile your application to see how the password has been encrypted and to retrieve the key. You could obfuscate, but this will simply add another level of defense, rather than a solution.

The least privileged account, or using Windows authentication, is the best solution.

Hope this helps.

Mark [openup]
 
If you encrypt the config entry, someone can still decompile your application to see how the password has been encrypted and to retrieve the key.

Key management is always a problem. There's a new secured storage mechanism API from MS that works, but it relies on the Windows user identity to encrypt the storage area, so it's no good for a multi-user app.

So, you're left with scattering parts of the key around the program, using non-obvious variable names, and combining the parts to form the entire key off in some subroutine as far from the DB code as possible. Not good, but the best that can be done.

Chip H.

