C# connectionString encryption issues

I am learning how to encrypt ConnectionString for our C# application (3.5). I read the .NET Framework Developer's Guide ( http://msdn.microsoft.com/en-us/library/89211k9b(VS.80).aspx ) about securing the connection string, but do not fully understand the content.

  • It says: "The connection string can only be decrypted on the computer on which it was encrypted." We have a release machine that builds our application, generates OurApp.exe.config, and then installs it on many product machines. Does this mean the encryption process has to be shipped with our application and run on each separate product machine?

  • We can use "RSAProtectedConfigurationProvider". The guide mentions that we need an encryption key for this provider. When and how should we provide an encryption key?

thanks,

+6
c# encryption
4 answers

You only need to run the encryption process once. However, after creating the machine key, you need to distribute it to the machine.config files on all the target computers. The machine.config file lives in:

  %FRAMEWORKDIR%\%FRAMEWORKVERSION%\CONFIG

How to configure MachineKey in ASP.NET 2.0: this link contains a section on configuring the machine key,

  <machineKey validationKey="[generated value here]"
  decryptionKey="AutoGenerate,IsolateApps" validation="SHA1" decryption="Auto" />

and how to share it between machines.

+3

1) Yes, if you use this approach, you will encrypt it on the machine on which it was installed. If you had a different configuration for the machine, this would be the usual approach from my experience. This is not a good approach if you are trying to send a "secret" connection string.

2) If you have not seen it yet, this article, I think, will answer the question about the RSA provider: http://msdn.microsoft.com/en-us/library/ff650304.aspx

If this is an application used by clients for which you need to provide connection information, follow these steps:

A WORD OF WARNING: Do not assume that by encrypting the configuration you are really protecting yourself from the user running the application. At some point, this string has to be decrypted by the application so it can connect to the server, and that application can be used to provide connectivity to other applications. In short, you should not rely on this as your only strategy to keep users out of the database. Good security is a multi-layered effort.

+2

There are two ways to fix the key (actually one, but they are directed in different directions from the initial operation of the tool).

  • Use DPAPI and the actual machine key. This, in a sense, is safer since no one knows the key. It is also painful to export the key so that you can put it on other machines in the farm. The only other way is to maintain separate connection strings for each server in the farm. It CAN be done, but it is very stupid. If you are following this route, select the connection strings from the configuration file so that you can update the configuration on all servers, but not hit the connection strings. Think about it, this is a good idea anyway.
  • Set up a custom machine key (Google, because there are generators that can create the key), and then put this in the configuration file. Then you can easily share the keys.

Hope this helps.

+2

  • The configuration is encrypted using a machine key. This means that only a computer with this key can decrypt it. The simplest thing is to deploy it with an unencrypted configuration, and then encrypt it when you first start the software, or use a separate process to encrypt the configuration. You can distribute the original machine key for use on other machines using code4life's answer above.

  • Instead of transcribing step by step how to use the RSA encryption key, see this MSDN walkthrough: http://msdn.microsoft.com/en-us/library/dtkwfdky.aspx

+1
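The "encrypt after deployment" approach from the answers above, as an added example that is not from any of the posters or the MSDN walkthrough: it encrypts the connectionStrings section of a deployed config with either the DPAPI provider (machine-bound key) or the RSA provider (exportable key container), and shows that the application reads the section back without any manual decryption. "OurApp.exe" and the "OurDb" connection string name are assumed.

```csharp
using System;
using System.Configuration;   // reference System.Configuration.dll

static class ConnectionStringProtection
{
    // Built-in protected-configuration providers registered in machine.config.
    public const string Dpapi = "DataProtectionConfigurationProvider"; // key never leaves the machine
    public const string Rsa   = "RsaProtectedConfigurationProvider";   // key container can be exported

    // Encrypt <connectionStrings> in OurApp.exe.config in place (idempotent).
    public static void Protect(string exePath, string providerName)
    {
        Configuration config = ConfigurationManager.OpenExeConfiguration(exePath);
        ConnectionStringsSection section = config.ConnectionStrings;
        if (section.SectionInformation.IsProtected)
            return; // already encrypted, nothing to do

        section.SectionInformation.ProtectSection(providerName);
        section.SectionInformation.ForceSave = true;   // write the encrypted section even if unchanged
        config.Save(ConfigurationSaveMode.Modified);
    }

    // The application never decrypts by hand: the runtime decrypts transparently,
    // but only on a machine that holds the key used by the provider.
    public static string ReadConnectionString(string exePath, string name)
    {
        Configuration config = ConfigurationManager.OpenExeConfiguration(exePath);
        ConnectionStringSettings settings = config.ConnectionStrings.ConnectionStrings[name];
        return settings == null ? null : settings.ConnectionString;
    }

    static void Main(string[] args)
    {
        // DPAPI: run Protect() on each target machine after install, since the key
        // cannot be copied elsewhere. RSA: run it once, then move the key container:
        //   aspnet_regiis -px "NetFrameworkConfigurationKey" keys.xml -pri   (export with private key)
        //   aspnet_regiis -pi "NetFrameworkConfigurationKey" keys.xml        (import on target)
        //   aspnet_regiis -pa "NetFrameworkConfigurationKey" "DOMAIN\AppUser" (grant read access)
        // "NetFrameworkConfigurationKey" is the RSA provider's default container name.
        string provider = (args.Length > 0 && args[0] == "rsa") ? Rsa : Dpapi;
        Protect("OurApp.exe", provider);            // assumed config: OurApp.exe.config
        Console.WriteLine(ReadConnectionString("OurApp.exe", "OurDb")); // assumed key name
    }
}
```

Whichever provider is used, the account running the application must be able to read the key (DPAPI machine store or the RSA container), or the transparent decryption fails at startup.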
