How to safely store the connection string in a WinForms application?

I need to know the usual way to store the SQL Server connection string for a WinForms application in VB.NET.

I searched the web and I found answers to each of the following questions:

  • How to read app.config values
  • How to do it in ASP.NET (link: this SO question).
  • How to save a connection string (unencrypted, and therefore unsafe).

I would like a complete answer on how to safely store the connection string in VB.NET in app.config (or settings.settings, if that would be better).

Is app.config the right place? Can I encrypt these values?

2 answers

The .NET infrastructure alone allows you to do this; see

http://msdn.microsoft.com/en-us/library/89211k9b(v=vs.80).aspx

Relevant Information:

This is included in the machine.config file:

    <configProtectedData defaultProvider="RsaProtectedConfigurationProvider">
      <providers>
        <add name="RsaProtectedConfigurationProvider"
             type="System.Configuration.RsaProtectedConfigurationProvider, ..." />
        <add name="DataProtectionConfigurationProvider"
             type="System.Configuration.DpapiProtectedConfigurationProvider, ..." />
      </providers>
    </configProtectedData>

And this is the application code:

    Imports System
    Imports System.Configuration

    Public Class ConfigEncryptionToggle

        Shared Sub ToggleConfigEncryption(ByVal exeConfigName As String)
            ' Takes the executable file name without the
            ' .config extension.
            Try
                ' Open the configuration file and retrieve
                ' the connectionStrings section.
                Dim config As Configuration = _
                    ConfigurationManager.OpenExeConfiguration(exeConfigName)
                Dim section As ConnectionStringsSection = DirectCast( _
                    config.GetSection("connectionStrings"), _
                    ConnectionStringsSection)

                If section.SectionInformation.IsProtected Then
                    ' Remove encryption.
                    section.SectionInformation.UnprotectSection()
                Else
                    ' Encrypt the section.
                    section.SectionInformation.ProtectSection( _
                        "DataProtectionConfigurationProvider") ' this is an entry in machine.config
                End If

                ' Save the current configuration.
                config.Save()
                Console.WriteLine("Protected={0}", _
                    section.SectionInformation.IsProtected)
            Catch ex As Exception
                Console.WriteLine(ex.Message)
            End Try
        End Sub

    End Class

UPDATE 1

Thanks @wpcoder for this link.

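As an added example (not code from the question, this answer or the MSDN page), the same protected-configuration API used from inside the WinForms program itself: on start-up it encrypts its own .exe.config if the connectionStrings section is still clear text, then reads the connection string back through ConfigurationManager, which decrypts transparently. The connection-string name "MainDb" is an assumption.

```vbnet
Imports System
Imports System.Configuration

Module ProtectedConnectionStringDemo

    ' Name of the <add name="..."> entry under <connectionStrings>; assumed here.
    Private Const ConnectionName As String = "MainDb"

    ' Encrypts the connectionStrings section of this program's own .exe.config
    ' if it is still stored in clear text. Idempotent: safe to call at every start.
    Public Sub EnsureConnectionStringsProtected()
        Dim config As Configuration =
            ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None)
        Dim section As ConnectionStringsSection =
            DirectCast(config.GetSection("connectionStrings"), ConnectionStringsSection)

        If Not section.SectionInformation.IsProtected Then
            ' DataProtectionConfigurationProvider is DPAPI. Its default machine-scope
            ' key lets any account on this host decrypt the file, which is what ties
            ' the secret to the machine rather than to a key inside the assembly.
            ' Use RsaProtectedConfigurationProvider if the same config must be
            ' readable on several machines (its key container can be exported).
            section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider")
            section.SectionInformation.ForceSave = True
            config.Save(ConfigurationSaveMode.Full)
            ConfigurationManager.RefreshSection("connectionStrings")
        End If
    End Sub

    ' Reading is unchanged: the provider decrypts transparently, so the rest of
    ' the application never handles ciphertext or a key.
    Public Function GetConnectionString() As String
        Dim entry As ConnectionStringSettings =
            ConfigurationManager.ConnectionStrings(ConnectionName)
        If entry Is Nothing Then
            Throw New ConfigurationErrorsException(
                "No connection string named '" & ConnectionName & "' in the config file")
        End If
        Return entry.ConnectionString
    End Function

    Sub Main()
        EnsureConnectionStringsProtected()
        ' On disk the section is now <connectionStrings configProtectionProvider=
        ' "DataProtectionConfigurationProvider"><EncryptedData>...</EncryptedData>;
        ' the value returned here is still the plain connection string.
        Console.WriteLine(GetConnectionString())
    End Sub

End Module
```

The account running the program needs write access to its .exe.config the first time; afterwards a read-only file is enough, since decryption happens in memory.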

In my work, we save the full connection strings in app.config, but we encrypt them using AES256. It works very well and greatly improves security. We wrote a small tool that allows you to encrypt and decrypt connection strings, so editing the app.config files is quite simple. We just have an encryption key hardcoded in the application, so if someone cares to decompile the assemblies they can figure it out, but it raises the bar high enough for our needs. Here is the class we use to encrypt and decrypt connection strings:

    Imports System
    Imports System.IO
    Imports System.Security.Cryptography
    Imports System.Text

    Public Class Aes256Base64Encrypter

        Public Function Decrypt(ByVal encryptedText As String, ByVal secretKey As String) As String
            Dim plainText As String = Nothing
            Using inputStream As MemoryStream = New MemoryStream(System.Convert.FromBase64String(encryptedText))
                Dim algorithm As RijndaelManaged = getAlgorithm(secretKey)
                Using cryptoStream As CryptoStream = New CryptoStream(inputStream, algorithm.CreateDecryptor(), CryptoStreamMode.Read)
                    ' The plaintext is never longer than the ciphertext, so size the buffer from it.
                    Dim outputBuffer(0 To CType(inputStream.Length - 1, Integer)) As Byte
                    Dim readBytes As Integer = cryptoStream.Read(outputBuffer, 0, CType(inputStream.Length, Integer))
                    plainText = Encoding.Unicode.GetString(outputBuffer, 0, readBytes)
                End Using
            End Using
            Return plainText
        End Function

        Public Function Encrypt(ByVal plainText As String, ByVal secretKey As String) As String
            Dim encryptedPassword As String = Nothing
            Using outputStream As MemoryStream = New MemoryStream()
                Dim algorithm As RijndaelManaged = getAlgorithm(secretKey)
                Using cryptoStream As CryptoStream = New CryptoStream(outputStream, algorithm.CreateEncryptor(), CryptoStreamMode.Write)
                    Dim inputBuffer() As Byte = Encoding.Unicode.GetBytes(plainText)
                    cryptoStream.Write(inputBuffer, 0, inputBuffer.Length)
                    cryptoStream.FlushFinalBlock()
                    encryptedPassword = System.Convert.ToBase64String(outputStream.ToArray())
                End Using
            End Using
            Return encryptedPassword
        End Function

        Private Function getAlgorithm(ByVal secretKey As String) As RijndaelManaged
            Const salt As String = "put a salt key here"
            Const keySize As Integer = 256
            ' PBKDF2 (Rfc2898DeriveBytes, default 1000 iterations) stretches the secret into key material.
            Dim keyBuilder As Rfc2898DeriveBytes = New Rfc2898DeriveBytes(secretKey, Encoding.Unicode.GetBytes(salt))
            Dim algorithm As RijndaelManaged = New RijndaelManaged()
            algorithm.KeySize = keySize
            ' IV and key are both taken from the same derived stream, so for a given
            ' secretKey and salt the IV is the same for every encryption.
            algorithm.IV = keyBuilder.GetBytes(CType(algorithm.BlockSize / 8, Integer))
            algorithm.Key = keyBuilder.GetBytes(CType(algorithm.KeySize / 8, Integer))
            algorithm.Padding = PaddingMode.PKCS7
            Return algorithm
        End Function

    End Class

Actually, we wrapped it inside the ConnectionStringEncrpyter class, which encodes the private key.


Source: https://habr.com/ru/post/915831/
