Encrypting the app.config file

Hot Topic

MS Access
System.Runtime.InteropServices.Marshal.ThrowExceptionForHRInternal(Int32 errorCode, IntPtr errorInfo)
help in creating a xml
SerialPort Timeouts
find my external ip address not internal
Appending an element
.Net and SQL interaction
Using FillSchema on a Table with a unique index over two columns
Creating DSN to SQL Server in the code.
Stored Procedure

.NET Development

windbg/sos - !dumpheap/!dumpobj/!gcroot
how to get some text into a XMLWriter?
Why SOAP not RPC
Problem Creating Dataset
Converting int to nullable enumeration...
Deleting lines from Text File. - after a specific charater has been met.
Side by side execution +COM components
login prompt
Short key to my band object
Using P/Invoke to invoke a function with variable # of parameters.

Encrypting the app.config file

My application will use the DataProtectionConfigurationProvider to encrypt my app.config file. I can encrypt the file from within my applicaiton, but I would like to be able to encrypt it outside the application so that the file is encrypted when it is deployed. I know that you can encrypt web.config files with aspnet_regiis.exe. Is there a tool that can encrypt app.config files as well

Eric

Answer this question

Encrypting the app.config file

  • ser_macz

    Hi P.J.,

    I've read your post in the group and I'm also searching to encrypt some connection strings in a app.config-file. Can you send me an example of your code that manages this issue.

    Thanks in advance,
    Marc.
    marcmylle@hotmail.com.donotspam

  • ChandraDevaraj

    Then you just need to decompile the program and look at the encryption method. Are code obfuscator good Would it be farely easy to find the encryption method when to code of obfuscated

  • kingduck

    Your right that you can't encrypt the entire file, but using the System.Configuration.SectionInformation.ProtectSection method, you can encrypt entire sections. (new in 2.0 framework) The protect section method only works on sections of that applications config file. I'm looking for a tool that will protect sections of a different application's config file. And of coarse, I want the main application to be able to read them using the framework APIs, the tools encrption needs to be the same as the ProtectSection's encryption.

  • James Klimek

    This is exactly what I am looking for and is the only thing holding me back from deploying my project. Does anyone have a code sample of not only how to encrypt/decrypt the connections strings in the app.config file, but how to use that functionality in a small application

    Thanks!

  • bogdanleon

    Hi there PJ

    I'm currently looking for ways to encrypt values of my app.config (DB connection string).

    I've looked at PNG but would like a simpler way to do things. Can you give an example of your encryption/decryption method

    brgds


  • DLCarp

    I can't access the site, looks like something i would be interested in ....

    Thanks

    Kalpana

  • Jimmy Li

    Take a look at this: http://msdn.microsoft.com/library/default.asp url=/library/en-us/dnpag2/html/EntLib2.asp

    The standards and pratices team has some cool examples in their Enterprise Framework. It's asp.net based but its still a pretty good example. I remember that in the 1.x versions they had a nice interface (ment to be customized) to encrypt various configuration settings.



  • dcoe

    ThE_lOtUs wrote:
    Then you just need to decompile the program and look at the encryption method. Are code obfuscator good Would it be farely easy to find the encryption method when to code of obfuscated

    Nothing is perfect but obfuscation is about the best that can be done to deter casual cracking.

    Well there is one other way. You can store the key in a database and use SSPI to enable users who are authorized to use the application to retrieve the key (well through the program of course). When the key comes in from the database, the application can use it to decrypt the app.config file. Again, I'd recommend using obfuscation still so that a casual cracker can't determine what is being done.



  • Noel L

    Hey zephyr_at_hades,

    Is your sample code still available at http://hades.dyndns.ws/blog/index.php blog=5&p=29&more=1&page=1
    I cannot browse the link

    Thanks,



  • Kyro

    No, can't encrypt the app.config. No that's not right, you can but then your app won't read it

    You can encrypt the values in it and when you read it, just decrypt it. I use this for the connection string for example, so users don't grap the username and password for the DB.


  • JDehart

    I've written a small command line app that can protect and unprotect sections in your config file. See http://hades.dyndns.ws/blog/index.php blog=5&p=29&more=1&page=1

  • altecka

    No there is currently no tool available to encrypt your app.config automagically...well at least to my knowledge so don't quote me on that.

    The difference between app.config for desktop apps and web.config for web apps is simple. ASP.net knows what key it uses to encrypt your web.config file and can tell it to the ASP.net application.

    There is no similar service for winform/console applications because they run within their own process.

    It is possible to create your own EncryptedConfigurationProvider and simple application that, given a key, encrypts any file (including app.config). Of course your application will have to provide that key to the ECP in order for it to work. Finally, do not forget that all of the encryption is for naught if you don't hide the key in your assembly. Use a code obfuscator (like dotfuscator) to help you with that.



  • Encrypting the app.config file
Answer this question