DPAPI Encryption Help


Shaun Ram

I am working on using DPAPI user profile store to encrypt a connection
string in web.config file, using VB.NET

1. I have a situation here, I would not want the DPAPI User profile to
be Administrator dependent, and I would like to load a user profile I
have created for encryption & decryption directly. In other words I want
to load the user profile without having to have administrator privileges.
I’m using VB.NET, & would like to deviate from using Windows Service
Component to load the profile.

2. If this option is not feasible, could anybody suggest a safe
method to encrypt a string in config file. I cannot use the registry
or a database or machine dependent for password store. This leaves me
with one option to hard code the key into the code. I was looking for a
different side by approach to prevent de-obfuscator from retrieving
this.
I would really appreciate it if somebody would help me with this situation.
It’s a kind of tricky situation. Even if I would want to hard code the
password string, what would be the safest approach? I could use unmanaged
code, but then I would want to make this access hard for access.

Any help would be greatly appreciated.
Thanking you
Shaun
 
If you have a certificate, you can install that certificate into the
certificate store of the machine, which should keep it from prying eyes
(certificate stores are about as safe as you can get without using a
smartcard or other disconnected storage device).
You can then use the certificate's key to generate a data digital envelope.
The envelope includes the connection string, which is encrypted with an
attached symmetric key and signed using the certificate's key.
More work for you, but you won't have to depend on DPAPI.

-Rob Teixeira [MVP]
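
The envelope approach described in the reply above, as an added VB.NET example that is not part of the original thread: it signs the connection string and then envelopes it with the `SignedCms` and `EnvelopedCms` classes from `System.Security.Cryptography.Pkcs`. The module and function names, the thumbprint placeholder and the sample connection string are assumptions made for illustration.

```vb
Imports System
Imports System.Security.Cryptography.Pkcs
Imports System.Security.Cryptography.X509Certificates
Imports System.Text

Module ConnectionStringEnvelope
    ' Placeholder (assumption): thumbprint of the certificate installed in the machine store.
    Const Thumbprint As String = "<CERT-THUMBPRINT-PLACEHOLDER>"

    ' Find the certificate in the Local Machine "Personal" store.
    Function LoadCertificate() As X509Certificate2
        Dim store As New X509Store(StoreName.My, StoreLocation.LocalMachine)
        store.Open(OpenFlags.ReadOnly)
        Try
            Dim found = store.Certificates.Find(X509FindType.FindByThumbprint, Thumbprint, False)
            If found.Count = 0 Then Throw New InvalidOperationException("Certificate not found.")
            Return found(0)
        Finally
            store.Close()
        End Try
    End Function

    ' Sign the plaintext, then wrap the signed message in an envelope for the same certificate.
    Function Protect(plain As String, cert As X509Certificate2) As String
        Dim signer As New CmsSigner(cert) With {.IncludeOption = X509IncludeOption.EndCertOnly}
        Dim signed As New SignedCms(New ContentInfo(Encoding.UTF8.GetBytes(plain)))
        signed.ComputeSignature(signer)                 ' uses the certificate's private key
        Dim envelope As New EnvelopedCms(New ContentInfo(signed.Encode()))
        envelope.Encrypt(New CmsRecipient(cert))        ' random symmetric key, wrapped with the public key
        Return Convert.ToBase64String(envelope.Encode())
    End Function

    ' Open the envelope, verify the signature and the signer, then return the plaintext.
    Function Unprotect(protectedText As String, cert As X509Certificate2) As String
        Dim envelope As New EnvelopedCms()
        envelope.Decode(Convert.FromBase64String(protectedText))
        envelope.Decrypt(New X509Certificate2Collection(cert))   ' uses the private key
        Dim signed As New SignedCms()
        signed.Decode(envelope.ContentInfo.Content)
        signed.CheckSignature(True)   ' signature only, no chain validation; throws if the data was altered
        Dim signerCert = signed.SignerInfos(0).Certificate
        If signerCert Is Nothing OrElse signerCert.Thumbprint <> cert.Thumbprint Then Throw New InvalidOperationException("Unexpected signer.")
        Return Encoding.UTF8.GetString(signed.ContentInfo.Content)
    End Function

    Sub Main()
        Dim cert = LoadCertificate()
        ' Constructed sample connection string; only the Base64 output would go into web.config.
        Console.WriteLine(Unprotect(Protect("Server=db01;Database=App;Integrated Security=SSPI", cert), cert))
    End Sub
End Module
```

Both signing and decryption need the certificate's private key, so the account the application runs under must be granted read access to that key in the machine store.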
 