Re: Encrypt values for a key in appsettings



On Jun 1, 1:59 pm, Moty Michaely <Moty...@xxxxxxxxx> wrote:
On Jun 1, 11:10 am, Aneesh P <anees...@xxxxxxxxx> wrote:

Thank you Moty for the info.

Actually I need to encrypt only the password fields and decrypt the
same fields in the code. That's the requirement. I am thinking of using
TripleDESCryptoServiceProvider to encrypt the password. We can use one
ciphertext and one key. Key can be placed in config file. Can we
hardcode the ciphertext, considering the security aspects? Please
correct me if this approach is wrong.

Regards
Aneesh P

Hi,

First of all, there have been lots of discussions on whether to save
sensitive data in configuration files or not, and in my opinion try to
avoid it.

But, I guess you've considered the security issues.

You don't have to decrypt the data when using the ProtectSection
method. The framework does that for you. You load the setting
seamlessly.

I would use the RsaProtectedConfigurationProvider.

To be able to encrypt only the sensitive data, create a new section in
your application settings and encrypt only that section. I would
suggest passing the information in the installer context (Custom
Action).

    Configuration config =
        ConfigurationManager.OpenExeConfiguration(<executable path>);
    if (config != null)
    {
        ConfigurationSection section = config.GetSection(<section name>);
        if (section != null)
        {
            // Make sure that the section is not yet protected
            if (!section.SectionInformation.IsProtected)
            {
                if (!section.SectionInformation.IsLocked)
                {
                    // Protecting the specified section with the specified provider
                    section.SectionInformation.ProtectSection(
                        "RsaProtectedConfigurationProvider");
                    // Force saving of the section
                    section.SectionInformation.ForceSave = true;
                    config.Save(ConfigurationSaveMode.Modified);
                }
            }
        }
    }

Hope this helps.
Moty

Yes Moty, this is a nice approach. Thanks a lot for the details and
code snippet.
But one problem we would face is changing the information in config
files. Installer would handle writing config info one time only.
Once the config file has been stored, if the user afterwards wants to
change the password (since he is a domain user and has to change
password) it would not be possible
for him to change it directly in the config file, right? I am thinking of
putting this in a separate component, probably a Windows Forms
application, so that user can change config options as and when
required.

Thanks,

Aneesh P
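
Added example, not part of the original thread: a sketch of the separate update component discussed above, which changes one value in an already-protected section and leaves it encrypted on disk. The class and method names are hypothetical, and it assumes the custom section is declared in the config file with type System.Configuration.AppSettingsSection.

```csharp
using System;
using System.Configuration;
using System.Text;

static class ProtectedSettingUpdater   // hypothetical name
{
    const string Provider = "RsaProtectedConfigurationProvider";

    // Returns false if the section is missing, locked, or not an AppSettingsSection.
    public static bool UpdateSetting(string exePath, string sectionName,
                                     string key, string newValue)
    {
        Configuration config = ConfigurationManager.OpenExeConfiguration(exePath);
        var section = config.GetSection(sectionName) as AppSettingsSection;
        if (section == null || section.SectionInformation.IsLocked)
            return false;
        // A protected section is decrypted in memory by the framework on access.
        if (section.Settings[key] == null)
            section.Settings.Add(key, newValue);
        else
            section.Settings[key].Value = newValue;
        // Protect the section if the installer has not already done so;
        // an already-protected section is re-encrypted when saved.
        if (!section.SectionInformation.IsProtected)
            section.SectionInformation.ProtectSection(Provider);
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }

    // Reads the new value without echo, so it is not passed on the command line.
    static string ReadSecret(string prompt)
    {
        Console.Write(prompt);
        var sb = new StringBuilder();
        ConsoleKeyInfo k;
        while ((k = Console.ReadKey(true)).Key != ConsoleKey.Enter)
        {
            if (k.Key == ConsoleKey.Backspace) { if (sb.Length > 0) sb.Length--; }
            else if (!char.IsControl(k.KeyChar)) sb.Append(k.KeyChar);
        }
        Console.WriteLine();
        return sb.ToString();
    }

    static int Main(string[] args)
    {
        if (args.Length != 3) { Console.Error.WriteLine("usage: <exe path> <section> <key>"); return 2; }
        return UpdateSetting(args[0], args[1], args[2], ReadSecret("New value: ")) ? 0 : 1;
    }
}
```

The account running this needs write access to the .config file and access to the RSA key container used by the provider.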
