Re: Encrypt values for a key in appsettings



On Jun 1, 11:10 am, Aneesh P <anees...@xxxxxxxxx> wrote:
Thank you Moty for the info.

Actually I need to encrypt only the password fields and decrypt the
same fields in the code. That's the requirement. I am thinking of using
TripleDESCryptoServiceProvider to encrypt the password. We can use one
ciphertext and one key. The key can be placed in the config file. Can we
hardcode the ciphertext, considering the security aspects? Please
correct me if this approach is wrong.

Regards
Aneesh P

Hi,

First of all, there have been lots of discussions on whether to save
sensitive data in configuration files or not, and in my opinion, try to
avoid it.

But I guess you've considered the security issues.

You don't have to decrypt the data when using the ProtectSection
method. The framework does that for you. You load the setting
seamlessly.

I would use the RsaProtectedConfigurationProvider.

To be able to encrypt only the sensitive data, create a new section in
your application settings and encrypt only that section. I would
suggest passing the information in the installer context (Custom
Action).

    // Requires: using System.Configuration; (reference System.Configuration.dll)
    Configuration config =
        ConfigurationManager.OpenExeConfiguration(<executable path>);
    if (config != null)
    {
        ConfigurationSection section = config.GetSection(<section name>);
        if (section != null)
        {
            // Make sure that the section is not yet protected
            if (!section.SectionInformation.IsProtected)
            {
                // A locked section cannot be modified, so skip it
                if (!section.SectionInformation.IsLocked)
                {
                    // Protecting the specified section with the specified provider
                    section.SectionInformation.ProtectSection(
                        "RsaProtectedConfigurationProvider");
                    // Force saving of the section
                    section.SectionInformation.ForceSave = true;
                    // Write the encrypted section back to the config file
                    config.Save(ConfigurationSaveMode.Modified);
                }
            }
        }
    }

Hope this helps.
Moty
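
The approach described in the reply above, shown end to end as an added example that is not part of the original post: a dedicated section holds only the sensitive value, is protected once, and is then read back without any decryption code. The section name `secureSettings`, the key `DbPassword`, the class name and the app.config fragment in the comments are assumptions made for illustration.

```csharp
// Assumed app.config fragment (section name and key are hypothetical):
//   <configSections>
//     <section name="secureSettings" type="System.Configuration.AppSettingsSection,
//       System.Configuration, Version=2.0.0.0, Culture=neutral,
//       PublicKeyToken=b03f5f7f11d50a3a" />
//   </configSections>
//   <secureSettings><add key="DbPassword" value="constructed-sample" /></secureSettings>
using System;
using System.Configuration;

static class SecureSettingsDemo
{
    const string SectionName = "secureSettings"; // hypothetical name

    // Encrypts the section in place if it is still plaintext. Run it on the target
    // machine (e.g. installer custom action): the default RSA key container is per machine.
    static void Protect(Configuration config)
    {
        ConfigurationSection section = config.GetSection(SectionName);
        if (section == null)
            throw new ConfigurationErrorsException("Missing section: " + SectionName);
        SectionInformation info = section.SectionInformation;
        if (info.IsProtected || info.IsLocked)
            return; // already encrypted, or not modifiable at this level
        info.ProtectSection("RsaProtectedConfigurationProvider");
        info.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
    }

    // Reads one value; the framework decrypts the protected section transparently.
    static string Read(Configuration config, string key)
    {
        var section = (AppSettingsSection)config.GetSection(SectionName);
        KeyValueConfigurationElement element = section.Settings[key];
        return element == null ? null : element.Value;
    }

    static void Main()
    {
        Configuration config =
            ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
        Protect(config);
        bool isProtected = config.GetSection(SectionName).SectionInformation.IsProtected;
        string password = Read(config, "DbPassword");
        Console.WriteLine("Protected on disk: {0}", isProtected);
        Console.WriteLine("Password loaded: {0}", !string.IsNullOrEmpty(password));
    }
}
```

Unlike a TripleDES key stored in the same config file as the ciphertext, the RSA key here lives in a Windows key container outside the file, so a copy of the config file alone does not reveal the password.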
