Encrypted Connection String

  • Thread starter: Dave Bailey

Dave Bailey

I need to store an encrypted connection string in the
web.config file. I have found several examples on the Net
but nothing specific as to how to accomplish the task.

Thanks in advance,

Dave
 
Dave,

You can use the classes in the System.Security.Cryptography namespace to
encrypt/decrypt a file. However, you run into another problem, where will
you store the key? If you store it in the assembly, the assembly can be
browsed to find the key and then someone else can use it to decrypt your
data.

Hope this helps.
 
The Data Protection API in Windows would help here. I remember seeing an
article about how to do this in a magazine, but cannot remember which one.

The DPAPI would require p/invoke to the Windows API.

Nicholas Paldino said:
Dave,

You can use the classes in the System.Security.Cryptography namespace to
encrypt/decrypt a file. However, you run into another problem, where will
you store the key? If you store it in the assembly, the assembly can be
browsed to find the key and then someone else can use it to decrypt your
data.

Hope this helps.


--
- Nicholas Paldino [.NET/C# MVP]
- (e-mail address removed)

 
In general, DPAPI will not work for ASP.NET applications, unless you use it
with machine store, which is not very secure. Making DPAPI with user store
work for ASP.NET is a rather complex endeavour.

Alek

Peter Rilling said:
The Data Protection API in Windows would help here. I remember seeing an
article about how to do this in a magazine, but cannot remember which one.

The DPAPI would require p/invoke to the Windows API.

 
Nicholas is right. The real problem is storing the key. In C or C++, you
could hack around to hide the key and make it (relatively) difficult for
someone to analyze the code and retrieve the key, but in .NET, it is more
difficult to hide the key in your code because disassembling is very easy.

So, if you really want to be safe, you have to go with DPAPI, smartcards,
etc.

Also, all this depends on the potential threats. If they are low (no real
hackers looking for your data), all you need is probably to avoid exposing
the connection string in plain text. Then, storing the encryption key in the
assembly may be acceptable.

Bruno.

Nicholas Paldino said:
Dave,

You can use the classes in the System.Security.Cryptography namespace to
encrypt/decrypt a file. However, you run into another problem, where will
you store the key? If you store it in the assembly, the assembly can be
browsed to find the key and then someone else can use it to decrypt your
data.

Hope this helps.


--
- Nicholas Paldino [.NET/C# MVP]
- (e-mail address removed)

 
This is the DPAPI accessor ripped from MSDN:

using System;
using System.Text;
using System.Runtime.InteropServices;

namespace YourNamespaceHere {
    /// <summary>
    /// Provides access to the Win32 DPAPI; exposes the Encrypt and Decrypt methods.
    /// Must be compiled with /unsafe because of the FormatMessage declaration.
    /// </summary>
    public class DataProtector {
        [DllImport("Crypt32.dll", SetLastError=true,
            CharSet=System.Runtime.InteropServices.CharSet.Auto)]
        private static extern bool CryptProtectData(
            ref DATA_BLOB pDataIn,
            String szDataDescr,
            ref DATA_BLOB pOptionalEntropy,
            IntPtr pvReserved,
            ref CRYPTPROTECT_PROMPTSTRUCT pPromptStruct,
            int dwFlags,
            ref DATA_BLOB pDataOut);

        [DllImport("Crypt32.dll", SetLastError=true,
            CharSet=System.Runtime.InteropServices.CharSet.Auto)]
        private static extern bool CryptUnprotectData(
            ref DATA_BLOB pDataIn,
            String szDataDescr,
            ref DATA_BLOB pOptionalEntropy,
            IntPtr pvReserved,
            ref CRYPTPROTECT_PROMPTSTRUCT pPromptStruct,
            int dwFlags,
            ref DATA_BLOB pDataOut);

        [DllImport("kernel32.dll",
            CharSet=System.Runtime.InteropServices.CharSet.Auto)]
        private unsafe static extern int FormatMessage(
            int dwFlags,
            ref IntPtr lpSource,
            int dwMessageId,
            int dwLanguageId,
            ref String lpBuffer,
            int nSize,
            IntPtr *Arguments);

        [StructLayout(LayoutKind.Sequential, CharSet=CharSet.Unicode)]
        internal struct DATA_BLOB {
            public int cbData;
            public IntPtr pbData;
        }

        [StructLayout(LayoutKind.Sequential, CharSet=CharSet.Unicode)]
        internal struct CRYPTPROTECT_PROMPTSTRUCT {
            public int cbSize;
            public int dwPromptFlags;
            public IntPtr hwndApp;
            public String szPrompt;
        }

        static private IntPtr NullPtr = ((IntPtr)((int)(0)));
        private const int CRYPTPROTECT_UI_FORBIDDEN = 0x1;
        private const int CRYPTPROTECT_LOCAL_MACHINE = 0x4;

        public enum Store {USE_MACHINE_STORE = 1, USE_USER_STORE};

        private Store store;

        //Defaults to the machine store.
        public DataProtector() : this(Store.USE_MACHINE_STORE) {
        }

        public DataProtector(Store tempStore) {
            store = tempStore;
        }

        public byte[] Encrypt(byte[] plainText, byte[] optionalEntropy) {
            bool retVal = false;
            DATA_BLOB plainTextBlob = new DATA_BLOB();
            DATA_BLOB cipherTextBlob = new DATA_BLOB();
            DATA_BLOB entropyBlob = new DATA_BLOB();
            CRYPTPROTECT_PROMPTSTRUCT prompt = new CRYPTPROTECT_PROMPTSTRUCT();
            InitPromptstruct(ref prompt);
            int dwFlags;
            try {
                try {
                    int bytesSize = plainText.Length;
                    plainTextBlob.pbData = Marshal.AllocHGlobal(bytesSize);
                    if(IntPtr.Zero == plainTextBlob.pbData) {
                        throw new Exception("Unable to allocate plaintext buffer.");
                    }
                    plainTextBlob.cbData = bytesSize;
                    Marshal.Copy(plainText, 0, plainTextBlob.pbData, bytesSize);
                }
                catch(Exception ex) {
                    throw new Exception("Exception marshalling data. " + ex.Message);
                }
                if(Store.USE_MACHINE_STORE == store) {
                    //Using the machine store, should be providing entropy.
                    dwFlags = CRYPTPROTECT_LOCAL_MACHINE|CRYPTPROTECT_UI_FORBIDDEN;
                    //Check to see if the entropy is null
                    if(null == optionalEntropy) {
                        //Allocate something
                        optionalEntropy = new byte[0];
                    }
                    try {
                        int bytesSize = optionalEntropy.Length;
                        entropyBlob.pbData = Marshal.AllocHGlobal(optionalEntropy.Length);
                        if(IntPtr.Zero == entropyBlob.pbData) {
                            throw new Exception("Unable to allocate entropy data buffer.");
                        }
                        Marshal.Copy(optionalEntropy, 0, entropyBlob.pbData, bytesSize);
                        entropyBlob.cbData = bytesSize;
                    }
                    catch(Exception ex) {
                        throw new Exception("Exception entropy marshalling data. " +
                            ex.Message);
                    }
                }
                else {
                    //Using the user store; optionalEntropy is not passed in this branch.
                    dwFlags = CRYPTPROTECT_UI_FORBIDDEN;
                }
                retVal = CryptProtectData(ref plainTextBlob, "", ref entropyBlob,
                    IntPtr.Zero, ref prompt, dwFlags,
                    ref cipherTextBlob);
                if(false == retVal) {
                    throw new Exception("Encryption failed. " +
                        GetErrorMessage(Marshal.GetLastWin32Error()));
                }
                //Free the blob and entropy.
                if(IntPtr.Zero != plainTextBlob.pbData) {
                    Marshal.FreeHGlobal(plainTextBlob.pbData);
                }
                if(IntPtr.Zero != entropyBlob.pbData) {
                    Marshal.FreeHGlobal(entropyBlob.pbData);
                }
            }
            catch(Exception ex) {
                throw new Exception("Exception encrypting. " + ex.Message);
            }
            //Copy the DPAPI output into a managed array and release the native buffer.
            byte[] cipherText = new byte[cipherTextBlob.cbData];
            Marshal.Copy(cipherTextBlob.pbData, cipherText, 0,
                cipherTextBlob.cbData);
            Marshal.FreeHGlobal(cipherTextBlob.pbData);
            return cipherText;
        }

        public byte[] Decrypt(byte[] cipherText, byte[] optionalEntropy) {
            bool retVal = false;
            DATA_BLOB plainTextBlob = new DATA_BLOB();
            DATA_BLOB cipherBlob = new DATA_BLOB();
            CRYPTPROTECT_PROMPTSTRUCT prompt = new CRYPTPROTECT_PROMPTSTRUCT();
            InitPromptstruct(ref prompt);
            try {
                try {
                    int cipherTextSize = cipherText.Length;
                    cipherBlob.pbData = Marshal.AllocHGlobal(cipherTextSize);
                    if(IntPtr.Zero == cipherBlob.pbData) {
                        throw new Exception("Unable to allocate cipherText buffer.");
                    }
                    cipherBlob.cbData = cipherTextSize;
                    Marshal.Copy(cipherText, 0, cipherBlob.pbData,
                        cipherBlob.cbData);
                }
                catch(Exception ex) {
                    throw new Exception("Exception marshalling data. " +
                        ex.Message);
                }
                DATA_BLOB entropyBlob = new DATA_BLOB();
                int dwFlags;
                if(Store.USE_MACHINE_STORE == store) {
                    //Using the machine store, should be providing entropy.
                    dwFlags = CRYPTPROTECT_LOCAL_MACHINE|CRYPTPROTECT_UI_FORBIDDEN;
                    //Check to see if the entropy is null
                    if(null == optionalEntropy) {
                        //Allocate something
                        optionalEntropy = new byte[0];
                    }
                    try {
                        int bytesSize = optionalEntropy.Length;
                        entropyBlob.pbData = Marshal.AllocHGlobal(bytesSize);
                        if(IntPtr.Zero == entropyBlob.pbData) {
                            throw new Exception("Unable to allocate entropy buffer.");
                        }
                        entropyBlob.cbData = bytesSize;
                        Marshal.Copy(optionalEntropy, 0, entropyBlob.pbData,
                            bytesSize);
                    }
                    catch(Exception ex) {
                        throw new Exception("Exception entropy marshalling data. " +
                            ex.Message);
                    }
                }
                else {
                    //Using the user store
                    dwFlags = CRYPTPROTECT_UI_FORBIDDEN;
                }
                retVal = CryptUnprotectData(ref cipherBlob, null, ref entropyBlob,
                    IntPtr.Zero, ref prompt, dwFlags,
                    ref plainTextBlob);
                if(false == retVal) {
                    throw new Exception("Decryption failed. " +
                        GetErrorMessage(Marshal.GetLastWin32Error()));
                }
                //Free the blob and entropy.
                if(IntPtr.Zero != cipherBlob.pbData) {
                    Marshal.FreeHGlobal(cipherBlob.pbData);
                }
                if(IntPtr.Zero != entropyBlob.pbData) {
                    Marshal.FreeHGlobal(entropyBlob.pbData);
                }
            }
            catch(Exception ex) {
                throw new Exception("Exception decrypting. " + ex.Message);
            }
            //Copy the DPAPI output into a managed array and release the native buffer.
            byte[] plainText = new byte[plainTextBlob.cbData];
            Marshal.Copy(plainTextBlob.pbData, plainText, 0,
                plainTextBlob.cbData);
            Marshal.FreeHGlobal(plainTextBlob.pbData);
            return plainText;
        }

        //No UI prompt is used; the struct only needs its size filled in.
        private void InitPromptstruct(ref CRYPTPROTECT_PROMPTSTRUCT ps) {
            ps.cbSize = Marshal.SizeOf(typeof(CRYPTPROTECT_PROMPTSTRUCT));
            ps.dwPromptFlags = 0;
            ps.hwndApp = NullPtr;
            ps.szPrompt = null;
        }

        //Turns a Win32 error code into the system's message text.
        private unsafe static String GetErrorMessage(int errorCode) {
            int FORMAT_MESSAGE_ALLOCATE_BUFFER = 0x00000100;
            int FORMAT_MESSAGE_IGNORE_INSERTS = 0x00000200;
            int FORMAT_MESSAGE_FROM_SYSTEM = 0x00001000;
            int messageSize = 255;
            String lpMsgBuf = "";
            int dwFlags = FORMAT_MESSAGE_ALLOCATE_BUFFER |
                FORMAT_MESSAGE_FROM_SYSTEM |
                FORMAT_MESSAGE_IGNORE_INSERTS;
            IntPtr ptrlpSource = new IntPtr();
            IntPtr prtArguments = new IntPtr();
            int retVal = FormatMessage(dwFlags, ref ptrlpSource, errorCode, 0,
                ref lpMsgBuf, messageSize,
                &prtArguments);
            if(0 == retVal) {
                throw new Exception("Failed to format message for error code " +
                    errorCode + ". ");
            }
            return lpMsgBuf;
        }

    }
}
-----Original Message-----
The Data Protection API in Windows would help here. I remember seeing an
article about how to do this in a magazine, but cannot remember which one.

The DPAPI would require p/invoke to the Windows API.
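
[Added example, not part of any post in this thread and not the MSDN code.] The same round trip for a connection string using the managed ProtectedData class (System.Security.dll, .NET Framework 2.0 and later), which wraps the CryptProtectData/CryptUnprotectData calls declared above. The class name ConnectionStringProtector, the entropy value and the connection string are constructed for illustration.

```csharp
// Added example. Requires a reference to System.Security.dll; Windows only.
using System;
using System.Security.Cryptography;
using System.Text;

public static class ConnectionStringProtector
{
    // Secondary entropy (constructed sample value). With the machine store any
    // process on the box can call DPAPI, so this value is all that separates
    // your blob from another caller's, and it has the same "where do I keep it"
    // problem the thread raises for keys.
    private static readonly byte[] Entropy =
        Encoding.UTF8.GetBytes("sample-app-entropy (constructed)");

    // Returns base64 text that can be stored as a web.config appSettings value.
    public static string Protect(string connectionString, DataProtectionScope scope)
    {
        byte[] plain = Encoding.UTF8.GetBytes(connectionString);
        try
        {
            byte[] cipher = ProtectedData.Protect(plain, Entropy, scope);
            return Convert.ToBase64String(cipher);
        }
        finally
        {
            Array.Clear(plain, 0, plain.Length); // wipe the plaintext copy
        }
    }

    public static string Unprotect(string base64Blob, DataProtectionScope scope)
    {
        byte[] cipher = Convert.FromBase64String(base64Blob);
        byte[] plain = ProtectedData.Unprotect(cipher, Entropy, scope);
        try { return Encoding.UTF8.GetString(plain); }
        finally { Array.Clear(plain, 0, plain.Length); }
    }

    public static void Main()
    {
        // Constructed sample connection string.
        string cs = "Server=db.example.test;Database=Orders;" +
                    "User Id=app;Password=not-a-real-password";

        // LocalMachine corresponds to CRYPTPROTECT_LOCAL_MACHINE, the
        // "machine store" in the thread. CurrentUser is the "user store":
        // the blob can only be opened by code running as the same account.
        DataProtectionScope scope = DataProtectionScope.LocalMachine;

        string blob = Protect(cs, scope);
        Console.WriteLine("web.config value: " + blob);
        Console.WriteLine("round trip ok: " + (Unprotect(blob, scope) == cs));

        // A caller that does not know the entropy cannot open the blob,
        // even on the same machine.
        try
        {
            ProtectedData.Unprotect(Convert.FromBase64String(blob),
                Encoding.UTF8.GetBytes("wrong entropy"), scope);
            Console.WriteLine("unexpected: decrypted with wrong entropy");
        }
        catch (CryptographicException)
        {
            Console.WriteLine("wrong entropy rejected");
        }
    }
}
```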
 
The article that I read (and used for our project) wrapped the DPAPI calls
in a COM+ component. By setting the identity of the COM+ component, you can
use the user store for the account that you specify. It can be secure with
a little extra work.

Alek Davis said:
In general, DPAPI will not work for ASP.NET applications, unless you use it
with machine store, which is not very secure. Making DPAPI with user store
work for ASP.NET is a rather complex endeavour.

Alek

 
Here is an article that shows how to wrap the DPAPI so that you can securely
use it in ASP.NET.

It is not really complex. All I had to do was copy that code from the
articles and I got a functioning encryption system. The hardest part for me
was understanding .NET security, credentials, and COM+ as these were new to
me.

Peter Rilling said:
The article that I read (and used for our project) wrapped the DPAPI calls
in a COM+ component. By setting the identity of the COM+ component, you can
use the user store for the account that you specify. It can be secure with
a little extra work.

 
I'm actually working on a complete PKI system (which includes secret data
management - key store if you will) in pure .NET managed code.
That helps alleviate some of the interop issues and code access permissions.
However, if you want it to run without saving the secret to access the other
saved secret, you must tie it to an NT account. That indirectly but
effectively makes the user's password the ultimate root key to unlock the
other keys. However, this is pretty much what DPAPI does, so you will find
the same limitations - i.e. the thread must be running with that account's
token, and the account can NEVER change. If the account is lost and
recreated, you are still screwed. I'm also building in key escrow measures
for disaster recovery, which basically uses a special network administrator
account. In essence, it manages two copies of the secret - one with the
normally assigned account, and one with the special admin account. That way,
an admin can always retrieve any key from the system. Key escrow is a highly
debatable idea, because it does add another point of attack into the system.
However, some people weigh that against the possibility of losing keys, and
thus potentially gigs of valuable data, which become unrecoverable. In this
system, this feature is optional, although you can't turn it on and have the
admin account be able to access secrets that were written BEFORE it was
turned on. The keys must be added to both accounts at the same time. After a
secret is in the store, only the proper account can unlock it. The secret
itself is fragmented and encrypted with a derived key, and written to one of
several mediums in conjunction with an irreversible name that places it in
the correct location in the chain. Without the proper root key, not only is
it difficult to derive the symmetric cipher key, but you won't know in
which order the data needs to be reassembled, and you can't tell where one
piece of data in a store container begins and another ends, or which
fragments go with which other fragments for that matter. I'll post some more
stuff as it becomes available.

-Rob Teixeira [MVP]

Bruno Jouhier said:
Nicholas is right. The real problem is storing the key. In C or C++, you
could hack around to hide the key and make it (relatively) difficult for
someone to analyze the code and retrieve the key, but in .NET, it is more
difficult to hide the key in your code because disassembling is very easy.

So, if you really want to be safe, you have to go with DPAPI, smartcards,
etc.

Also, all this depends on the potential threats. If they are low (no real
hackers looking for your data), all you need is probably to avoid exposing
the connection string in plain text. Then, storing the encryption key in the
assembly may be acceptable.

Bruno.

 
Peter,

I am curious: how do you implement authorization in this scenario? I mean,
when an ASP.NET page or some other module calls the COM+ component
(encapsulating DPAPI functionality), how does this COM+ component know that
a caller is allowed to use its encryption/decryption services and it is not
a malicious application?

Alek

Peter Rilling said:
Here is an article that shows how to wrap the DPAPI so that you can securely
use it in ASP.NET.

It is not really complex. All I had to do was copy that code from the
articles and I got a functioning encryption system. The hardest part for me
was understanding .NET security, credentials, and COM+ as these were new to
me.

 
This was not in scope for my project, but I would suppose that you could
strongly name all assemblies and assert the StrongNameIdentityPermission in
the methods of your COM+ component. This should ensure that only your
assemblies call the encryption and decryption services. Have not tried this
but it seems logical.

I guess it all comes down to how secure you want the system.

Alek Davis said:
Peter,

I am curious: how do you implement authorization in this scenario? I mean,
when an ASP.NET page or some other module calls the COM+ component
(encapsulating DPAPI functionality), how does this COM+ component know that
a caller is allowed to use its encryption/decryption services and it is not
a malicious application?

Alek

 
I would consider this an important security aspect, though. Since the
premise behind using DPAPI with enterprise services is that a potential
hacker can be capable of reverse engineering code (so don't just embed keys
in the assembly, even if it is obfuscated) and performing other types of
attacks, it would be logical to assume that he would be able to do what I
said (which is probably easier than reverse engineering an obfuscated
assembly). I guess, for some apps StrongNameIdentityPermission can work
(although, I am not quite sure, since I haven't tried it myself). If it
works, the biggest problem is to know in advance who the callers are. For
some apps, it may not be a big deal, but for others, it may.

And yes, you are absolutely right: it all comes to how secure you want the
system to be.

Alek

Peter Rilling said:
This was not in scope for my project, but I would suppose that you could
strongly name all assemblies and assert the StrongNameIdentityPermission in
the methods of your COM+ component. This should ensure that only your
assemblies call the encryption and decryption services. Have not tried this
but it seems logical.

I guess it all comes down to how secure you want the system.

 