Encrypt password in App.config
Lets say this is your connection string:
<connectionStrings>
<add name="cs" connectionString="Data Source=myServerAddress;Initial Catalog=myDataBase;User Id=myUsername;Password=XXSDFASFDKSFJDKLJFDWERIODFSDFHSDJHKJNFJKSD;"/>
</connectionStrings>
Then you can do something like this:
string myCs = System.Configuration.ConfigurationManager.ConnectionStrings["cs"].ConnectionString;
System.Data.SqlClient.SqlConnectionStringBuilder csb = new System.Data.SqlClient.SqlConnectionStringBuilder(myCs);
csb.Password = EncDecHelper.Decrypt(csb.Password);
myCs = csb.ToString();
You can write EncDecHelper.Decrypt
by using samples from here: Encrypt and decrypt a string
Securely Storing Password in app.config - information overload
Thanks to all, particularl @Cleptus, whose advice I took, for your advice. In the end, I have taken the API key and encrypted it using DPAP security. This key is essentially the access to the API, so now that is secured I have made a separate user to run the windows service, with access to the database using integrated security.
I now have a long, encrypted value in the app.config file for the api key and the password for the windows service is saved using windows security.
Encrypt connection string in app.config
Have a look at This Article it has some very useful examples. You're basically looking for System.Configuration.SectionInformation.ProtectSection
to help you out here.
Also have a peek at Implementing Protected Configuration
Is app.config file a secure place to store passwords?
You can use DPAPI (Data protection API) to encrypt certain section of your config files. Your code would still be using ConfigurationManager and decrypting will be taken of care by the framework. For more information on the same refer to this patterns and practices document How To: Encrypt Configuration Sections in ASP.NET 2.0 Using DPAPI
Update
To encrypt or decrypt information from your code you could use ProtectedData.Protect & ProtectedData.Unprotect. This can be run as a part of custom action in your installer or when the user enters the credentials when using your application.
Sample Code
class SecureStringManager
{
readonly Encoding _encoding = Encoding.Unicode;
public string Unprotect(string encryptedString)
{
byte[] protectedData = Convert.FromBase64String(encryptedString);
byte[] unprotectedData = ProtectedData.Unprotect(protectedData,
null, DataProtectionScope.CurrentUser);
return _encoding.GetString(unprotectedData);
}
public string Protect(string unprotectedString)
{
byte[] unprotectedData = _encoding.GetBytes(unprotectedString);
byte[] protectedData = ProtectedData.Protect(unprotectedData,
null, DataProtectionScope.CurrentUser);
return Convert.ToBase64String(protectedData);
}
}
Encrypting username/password files (app.config) and Unit Tests on Visual Studio Team Services
The encryption key for this uses the machine key which will differ up on the azure server to your local box. Set a machine key manually so it will always be the same in the web.config
See this article on setting your machine key..
https://technet.microsoft.com/en-gb/library/cc755177(v=ws.10).aspx
Related Topics
JSON.Net Serialize by Depth and Attribute
C#: Prepending to Beginning of a File
How to Sort a String of Text Followed by a Number Using Linq
Objects in Scene Dark After Calling Loadscene/Loadlevel
How to Pass Data from Mainwindow to a User Control That's Inside the Mainwindow
Shellexecute Equivalent in .Net
Print Webbrowser Without Previewing I.E. Single Click Print
Datetime Conversion from String C#
How to Make the Value of a Variable Track the Value of Another
How to Change the Background Color of All Other Forms from One Form
Repository Pattern Step by Step Explanation
Why Doesn't Xmlserializer Support Dictionary
How to Execute Task in the Wpf Background While Able to Provide Report and Allow Cancellation
What Is the "Right" Way to Bring a Windows Forms Application to the Foreground
Open Default Mail Client Along with a Attachment
Textrenderer.Measuretext and Graphics.Measurestring Mismatch in Size