468,119 Members | 1,663 Online
Bytes | Developer Community
New Post

Home Posts Topics Members FAQ

Post your question to a community of 468,119 developers. It's quick & easy.

Where to hide the encryption key

Hi all,
I have a configuration file that is storing sensative data, like db
passwords etc. I want to encrypt the file so that people can not see the
contents. What are the standard practices for storing the encryption key. I
definitely don't want to hard code it in my code otherwise someone looking at
the IL can easily see the key.

Where should this key be stored and how can an app access it without
someone else being able to do the same?

Thanks
Mark.
Nov 23 '05 #1
4 7128
Hi Mark,

Normally one does not store a password in a file, but rather the (salted)
hash of this password. In the main app, when one enters the password, the
hash of this password can be compared with the hash of the password you
calculated and stored in some file. If the hashes are the same, the password
is valid. use SHA256 or better to create the hash.

Hope this helps,

Daniel
Nov 23 '05 #2
Hi Daniel,
thanks for your reply, I definitiely agree with you, however if I need to
store a username and password in my configuration file for a connection
string to the database then I cannot modify that in any way otherwise the
dataabse will not know these values. I need someway to encrypt the
configuration file, but be able to decrypt it to get the connection details
but I am not sure where to store the key which will be used to decrypt the
config file. Do I have to encrypt the encryption key :-) and so on...

Thanks
Mark.

"Daniel" wrote:
Hi Mark,

Normally one does not store a password in a file, but rather the (salted)
hash of this password. In the main app, when one enters the password, the
hash of this password can be compared with the hash of the password you
calculated and stored in some file. If the hashes are the same, the password
is valid. use SHA256 or better to create the hash.

Hope this helps,

Daniel

Nov 23 '05 #3
In my point of view:
1. Put the password's hash into the file;
2. Encrypt rest of contents using the password.
3. When the App starts, first of all compare stored hash and hash of the
entered password, if they are identical - decrypt rest of contents.
Vit
Hi Daniel,
thanks for your reply, I definitiely agree with you, however if I need to
store a username and password in my configuration file for a connection
string to the database then I cannot modify that in any way otherwise the
dataabse will not know these values. I need someway to encrypt the
configuration file, but be able to decrypt it to get the connection details
but I am not sure where to store the key which will be used to decrypt the
config file. Do I have to encrypt the encryption key :-) and so on...

Thanks
Mark.

Nov 23 '05 #4
"Vitaly Zayko" <vitaly_at_zayko_dot_net> wrote in message
news:Om*************@TK2MSFTNGP10.phx.gbl...
In my point of view:
1. Put the password's hash into the file;
2. Encrypt rest of contents using the password.
3. When the App starts, first of all compare stored hash and hash of the
entered password, if they are identical - decrypt rest of contents.
Vit


I think his point here is that there is no "entered" password - there is
only what exists in the config file. AKA - he wants his program to know
what the username/password for the database is, but noone else should be
able to figure it out from the config file. I understand that right? (I
don't know the proper answer to the question - just trying to clarify).

--
Adam Clauss
Nov 23 '05 #5

This discussion thread is closed

Replies have been disabled for this discussion.

Similar topics

12 posts views Thread by Mark Buch | last post: by
5 posts views Thread by pinocchio | last post: by
2 posts views Thread by Igor | last post: by
7 posts views Thread by cefrancke | last post: by
13 posts views Thread by didacticone | last post: by
By using this site, you agree to our Privacy Policy and Terms of Use.