On Jun 1, 11:10 am, Aneesh P <anees...@gmail.comwrote:
Thank you Moty for the info.
Actually i need to encrypt only the password fields and decrypt the
same fields in the code. That's requirement. I am thinking of using
TripleDESCryptoServiceProvider to encrypt the password. We can use one
ciphertext and one key. Key can be placed in config file. Can we
hardcode the ciphertext, considering the security aspects.Please
correct me if this approach is wrong.
Regards
Aneesh P
Hi,
First of all there has been lot's of discussions on whether to save
sensitive data in configuration files or not, and in my opinion try to
avoid it.
But, I guess you've considered the security issues.
You don't have to decrypt the data when using the ProtectSection
method. The framework doe's that for you. You load the setting
seamlessly.
I would use the RsaProtectedConfigurationProvider.
To be able to encrypt only the sensitive data, create a new section in
your application settings and encrypt only that section. I would
suggest passing the information in the installer context (Custom
Action).
Configuration config =
ConfigurationManager.OpenExeConfiguration(<executa ble path>);
if (config != null)
{
ConfigurationSection section =
config.GetSection(<section name>);
if (section != null)
{
// Make sure that the section is not yet
protected
if (!section.SectionInformation.IsProtected)
{
if (!section.SectionInformation.IsLocked)
{
//Protecting the specified section
with the specified provider
section.SectionInformation.ProtectSection("RsaProt ectedConfigurationProvider");
// Force saving of the section
section.SectionInformation.ForceSave =
true;
config.Save(ConfigurationSaveMode.Modified);
}
}
}
}
Hope this helps.
Moty