Encrypting / decrypting connection string in app.config file

Question

Hi Everyone I had my windows app just how I wanted it using the Enterprise Library to connect to a SQL database using a connection string stored in the app.config file. Then I realised that it was storing the sensitive connection string as plain text in the appname.exe.config file! So I've seen that the idea is that you encrypt/decrypt the connection string section of the app.config file. And I've seen what look like some pretty decent links to examples showing how to toggle encryption ( http://msdn2.microsoft.com/en-us/library/89211k9b(VS.80).aspx ). But can someone explain at a higher level at what point we encrypt and decrypt? Am I right in thinking that I should encrypt the connection string at design time then decrypt at runtime? Sorry if I'm being slow here but I just don't quite see how to apply this encryption toggling code. Any hints would be gratefully received! Thanks Tom

Tom · Answer

Hi Scott Thanks for your help. I eventually worked out how to encrypt the connection strings file only to then find that the decryption would only work on the computer that it had been encrypted on (which is no good to me as I want to distribute the application). The error message that comes up when you try to run the app on another machine is: Failed to decrypt using provider 'MyUserDataProtectionConfigurationProvider'. Error message from the provider: Key not valid for use in specified state. (Exception from HRESULT: 0x8009000B) Then I found this article which moves the encryption to the installation process so each machine encrypts (and can therefore *decrypt*) the connection string: http://www.codeproject.com/KB/security/encryptstrings.aspx It's really handy and gives step by step instructions.

Scott Lysle · Answer

The idea there is to use aspnet_regiis.exe to encrypt that portion of the configuration file at design time; the application will decrypt it when it is needed.