Encrypt Connection String in App.Config

Encrypt connection string in app.config

Have a look at This Article; it has some very useful examples. You're basically looking for System.Configuration.SectionInformation.ProtectSection to help you out here.

Also have a peek at Implementing Protected Configuration
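A sketch of the ProtectSection call mentioned above, added here as an example and not taken from the original answer or the linked articles. The class and method names are illustrative; the two provider names are the ones .NET Framework registers by default.

```csharp
using System;
using System.Configuration;
using System.IO;

static class ConnectionStringProtector
{
    // DPAPI provider: the ciphertext can only be decrypted on the machine that produced it.
    const string DpapiProvider = "DataProtectionConfigurationProvider";
    // RSA provider: the key container must exist on every machine that reads the file.
    const string RsaProvider = "RsaProtectedConfigurationProvider";

    // Encrypts <connectionStrings> in <exePath>.config in place.
    // Returns true if the file was changed, false if it was already encrypted.
    public static bool Protect(string exePath, string provider = DpapiProvider)
    {
        // Opens the deployed MyApp.exe.config, not the app.config in the project folder.
        Configuration config = ConfigurationManager.OpenExeConfiguration(exePath);
        if (!config.HasFile)
            throw new FileNotFoundException("No config file next to the executable", config.FilePath);

        SectionInformation info = config.ConnectionStrings.SectionInformation;
        if (info.IsProtected)
            return false; // idempotent: never encrypt twice

        info.ProtectSection(provider);
        info.ForceSave = true; // write the section even if nothing else changed
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }

    static void Main(string[] args)
    {
        // args[0]: full path to the .exe whose config should be protected
        bool changed = Protect(args[0]);
        Console.WriteLine(changed ? "connectionStrings encrypted" : "already encrypted");
        // The application itself keeps reading ConfigurationManager.ConnectionStrings
        // as before; decryption happens transparently when the section is loaded.
    }
}
```

Pass `RsaProvider` as the second argument when the same config file has to be readable on more than one machine.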

Encrypt connection string in app.config so that it works on different system

As you mentioned, you want a solution for app.config.
You can easily apply the same solution as for web.config: you just have to rename your app.config to web.config, encrypt it with the aspnet_regiis tool, and then rename it back to app.config.

  1. Rename app.config to web.config
  2. Open command prompt and type:

    %windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis -pef "connectionStrings" c:\folder containing your web.config

     (stop at folder level and don't put the trailing "\")
  3. Rename web.config back to app.config

You can open it in Notepad to see the encrypted file. In Visual Studio you will see it decrypted. You can use your connection string the same way as if it was not encrypted.

Is it really possible to protect a connection string in app.config?

a malicious user that wants your database password, could just copy the encrypted config file, use it with its own application

This wouldn't work, unless the malicious user runs on the same computer, or has access to the encryption keys of your Protected Configuration Provider.

This is a reasonably strong protection, but if we suppose that web.config could be stolen, we must also suppose that the private key file could be stolen as well. Hence, the protected option is "more secure" only in the sense that a kid next door would have a harder time breaking it.

If your RDBMS is SQL Server, you could use its Integrated Security feature to avoid storing, and even creating, login credentials for the RDBMS.
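To check which of the situations discussed in these answers applies to a deployed application, the audit below reports whether the connectionStrings section is protected, by which provider, and whether each entry stores a SQL login password or uses Integrated Security. It is an added example, not code from the original answers; the class name and the finding strings are illustrative.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Data.SqlClient;

static class ConnectionStringAudit
{
    // Returns one finding per connection string visible to the given executable
    // (entries inherited from machine.config are included).
    public static List<string> Audit(string exePath)
    {
        Configuration config = ConfigurationManager.OpenExeConfiguration(exePath);
        ConnectionStringsSection section = config.ConnectionStrings;
        SectionInformation info = section.SectionInformation;
        string protection = info.IsProtected
            ? "protected by " + info.ProtectionProvider.Name
            : "PLAINTEXT section";

        var findings = new List<string>();
        // Enumerating a protected section decrypts it, so this throws a
        // ConfigurationErrorsException on a machine that lacks the key.
        foreach (ConnectionStringSettings css in section.ConnectionStrings)
        {
            string credentials;
            try
            {
                var builder = new SqlConnectionStringBuilder(css.ConnectionString);
                if (builder.IntegratedSecurity)
                    credentials = "integrated security, no stored password";
                else if (builder.Password.Length > 0)
                    credentials = "stores a SQL login password";
                else
                    credentials = "no password present";
            }
            catch (ArgumentException)
            {
                // For example an Entity Framework or OLE DB connection string.
                credentials = "not a SQL Server connection string, review manually";
            }
            findings.Add(css.Name + ": " + credentials + " (" + protection + ")");
        }
        return findings;
    }

    static void Main(string[] args)
    {
        // args[0]: full path to the .exe whose config should be audited
        foreach (string line in Audit(args[0]))
            Console.WriteLine(line);
    }
}
```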

Configuration file - encrypting connection string

The steps you are taking that use aspnet_Regiis are really intended for web applications hosted in Internet Information Server (IIS). The file it is looking for is really "web.config." You mentioned that the app being constructed is a winforms application, which isn't a web application. Regular winforms applications are generally configured via a file called "app.config." Visual Studio may have created a base app.config for you depending on the version you're using.

You can "trick" aspnet_Regiis into encrypting your configuration file by temporarily renaming app.config to web.config, and then invoking aspnet_regiis with a flag that points to the exact path of our "phony" web.config:

For simplicity, let's say your initial app.config resides in c:\MyPrograms\MyApp.

  1. Rename app.config to web.config.
  2. From an administrative command prompt, set your current directory to c:\windows\microsoft.net\framework\v4.0.30319
  3. Invoke aspnet_regiis, using the "-pef" switch to instruct the tool to encrypt a particular section of your web.config:

    aspnet_regiis -pef "connectionStrings" c:\MyPrograms\MyApp

  4. If you see a "Succeeded" message, rename your web.config back to app.config, and run your application. .NET should decrypt your connection string automatically at runtime on that machine.

If you need to put this application on other machines, you may need to consider setting up a common encryption key that can be installed on other machines as well as define a provider in web.config that leverages that key. But for now, let's get the basic process working locally, and then worry about the other components once we know this part is working.

Hope this helps!

How should I encrypt the connection string in app.config?

If you're worried about the decryption code being called all the time, you could store it (either against the HttpContext.Items/Cache if you're worried about multiple calls on the same page, or a static if you're worried about it across all requests).

If you're going to put it in a static (note: this means the decrypted value is held in memory, which may be an issue, depending on exactly why you're encrypting it), I'd recommend using a static constructor to decrypt it to ensure the code runs only once and can't have any concurrent issues:

    using System.Configuration;

    public partial class leDataContext
    {
        // Decrypted once and kept in memory for the lifetime of the process.
        private static readonly string DecryptedConnectionString;

        static leDataContext()
        {
            // This code is guaranteed to run only once, by the framework, before any calls to the instance constructor below.
            // Cryptography.Decrypt is the poster's own helper and is not shown here.
            DecryptedConnectionString = Cryptography.Decrypt(
                ConfigurationManager.ConnectionStrings["leConnString"].ConnectionString);
        }

        public leDataContext()
            : base("")
        {
            base.Connection.ConnectionString = DecryptedConnectionString;
        }
    }

There's also some built-in stuff for encrypting connection strings that might be a better choice:

Encrypting Configuration File Sections Using Protected Configuration

ASP.NET 2.0 provides a new feature, called protected configuration, that enables you to encrypt sensitive information in a configuration file. Although primarily designed for ASP.NET, protected configuration can also be used to encrypt configuration file sections in Windows applications. For a detailed description of the new protected configuration capabilities, see Encrypting Configuration Information Using Protected Configuration.

Encrypting connectionStrings section - utility for app.config

You can try the following:

https://magenic.com/thinking/encrypting-configuration-sections-in-net

In short - rename the app.config file to web.config - the schema is identical, so aspnet_regiis works. Rename back to app.config when finished.


