Encrypt ConnectionString in a *WINFORMS* App

  • Thread starter Thread starter google
  • Start date Start date
G

google

OK, I know how to encrypt and decrypt data, but here's the deal:

I have a large Winforms .NET 2.0 application which is currently storing
the connection string in the app.config file unencrypted (currently
using Windows integrated security, so there's no password). There are
only 3 users using the app right now, but that will change soon and
we're not going to have our DBAs add every user to the database... Our
data entry personnel have a high turn-over rate. We do have one SQL
Server account and password that the app needs to be using.

So, Like I said, I know how to encrypt/decrypt strings, but my
question is, how do I add the decryption in my app so that I don't have
to Make tons of changes everywhere in the app? The app uses typed
datasets everywhere that somehow get their connectionstring from the
appconfig. If I encrypt it in appconfig, how will all these components
know how to decrypt it?

I'm sure (hoping) it's something simple, but heck if I can find it!!

Any help would be greatly appreciated!
Thanks!
 
Aha!!

I finally figured it out:

In Settings.cs, I added an event handler to SettingsLoaded. In that
handler, (which is called right after the connection string is read
in), I added the following:

this.PropertyValues["MyAppConnectionString"] = /* my decrypted string
*/

Viola!

Damn! I'm good! :)
 
OK, I know how to encrypt and decrypt data, but here's the deal:

I have a large Winforms .NET 2.0 application which is currently storing
the connection string in the app.config file unencrypted (currently
using Windows integrated security, so there's no password). There are
only 3 users using the app right now, but that will change soon and
we're not going to have our DBAs add every user to the database... Our
data entry personnel have a high turn-over rate. We do have one SQL
Server account and password that the app needs to be using.
Click to expand...


There is a better way. Set up a domain group to have access to your
database. When a new user comes into the company, add them to the domain
group. They now have SQL access. Alternatively, if you want Everyone to
have access, add the Domain Users group to your database. Now all domain
users will have access. No need for DBA access at all.

Problem solved. Stick with integrated security. It works.

That said, if you really want to look at encrypting the config section of
your config file, see
a.. "How To: Encrypt Configuration Sections in ASP.NET 2.0 Using DPAPI,"
at http://msdn.microsoft.com/library/en-us/dnpag2/html/PAGHT000005.asp.
b.. "How To: Encrypt Configuration Sections in ASP.NET 2.0 Using RSA" at
http://msdn.microsoft.com/library/en-us/dnpag2/html/PAGHT000006.asp.
These work in web.config but I believe they also work in app.config. (not
100% certain).

--- Nick Malik [Microsoft]
MCSD, CFPS, Certified Scrummaster
http://blogs.msdn.com/nickmalik

Disclaimer: Opinions expressed in this forum are my own, and not
representative of my employer.
I do not answer questions on behalf of my employer. I'm just a
programmer helping programmers.
--
 
Nick said:
There is a better way. Set up a domain group to have access to your
database. When a new user comes into the company, add them to the domain
group. They now have SQL access. Alternatively, if you want Everyone to
have access, add the Domain Users group to your database. Now all domain
users will have access. No need for DBA access at all.

Problem solved. Stick with integrated security. It works.

That said, if you really want to look at encrypting the config section of
your config file, see
a.. "How To: Encrypt Configuration Sections in ASP.NET 2.0 Using DPAPI,"
at http://msdn.microsoft.com/library/en-us/dnpag2/html/PAGHT000005.asp.
b.. "How To: Encrypt Configuration Sections in ASP.NET 2.0 Using RSA" at
http://msdn.microsoft.com/library/en-us/dnpag2/html/PAGHT000006.asp.
These work in web.config but I believe they also work in app.config. (not
100% certain).

--- Nick Malik [Microsoft]
MCSD, CFPS, Certified Scrummaster
http://blogs.msdn.com/nickmalik

Disclaimer: Opinions expressed in this forum are my own, and not
representative of my employer.
I do not answer questions on behalf of my employer. I'm just a
programmer helping programmers.
--
Click to expand...

Yes, I had read plenty about DPAPI and such, but how am I supposed to
use ASP.NET configuration encryption stuff on a WinForms app? It
doesn't look like it's intended for WinForms apps and it seems like an
enormous amount of effort for no apparent improvement or gain over the
current method I'm using now.... which is basically one method added
and one line to call it... zero machine configuration, no IIS, etc...

The problems with integrated security are:

- Our admins (who are across the country) don't get around to creating
new domain users for several days up to a week. Our data entry
employees can't sit around that long with nothing to do, especially
because of the nature of temporary project that uses this app and the
high turn-over rate in the data entry positions.

- Once in a while, we need to terminate someone and block their access
immediately. We need a local "app admin" to create and delete user
accounts on demand.

- We also need extremely, granular, application security that can't be
performed at the SQL Server level, nor the Windows level. We need
specific groups and specific users to have access (or be specifically
denied access) to certain application objects and features.

So, as nice as integrated security is, it's just not an option.

I appreciate the information though. I do intend on looking more
closely at DPAPI for my ASP.NET apps.

Thanks!
 
(e-mail address removed),

I am curious as to where exactly you will be storing the decryption key
for the connection string of your Winform application.

This is something I am still struggling with myself. All the
documented automagic methods for dealing with this seem geared more
toward ASP.Net and/or Windows services.
 
Back
Top