Encrypt values for a key in appsettings

On Jun 1, 10:45 am, Aneesh P <anees...@gmail.comwrote:

Hi All,

I need to encrypt some fields esp password key values in configuration
file while installting the application using .Net installer project
and decrypt those values from my solution(windows service). Is there
any built in method in.Net that I can use. The flow would be like
this:

Accept username/password from .Net installer dialog
V
Encrypt the value for password while writing into config file
V
Decrypt the value for password in windows service code

I tried Googling but most of the links provide information on
encryptiing the complete <appSettingssections. I would want to
encrypt only the value for Password key in appsettings.Would
appreciate if anybody could give any inputs on this.

Thanks in advance,

Aneesh

Dear Aneesh,

you can use the ProtectSection method of the SectionInormation class.
http://msdn2.microsoft.com/en-us/lib...ctsection.aspx

Feel free to ask any further questions.

Cheers,
Moty

Thank you Moty for the info.

Actually i need to encrypt only the password fields and decrypt the
same fields in the code. That's requirement. I am thinking of using
TripleDESCryptoServiceProvider to encrypt the password. We can use one
ciphertext and one key. Key can be placed in config file. Can we
hardcode the ciphertext, considering the security aspects.Please
correct me if this approach is wrong.
Regards
Aneesh P

On Jun 1, 11:10 am, Aneesh P <anees...@gmail.comwrote:

Thank you Moty for the info.

Actually i need to encrypt only the password fields and decrypt the
same fields in the code. That's requirement. I am thinking of using
TripleDESCryptoServiceProvider to encrypt the password. We can use one
ciphertext and one key. Key can be placed in config file. Can we
hardcode the ciphertext, considering the security aspects.Please
correct me if this approach is wrong.

Regards
Aneesh P

Hi,

First of all there has been lot's of discussions on whether to save
sensitive data in configuration files or not, and in my opinion try to
avoid it.

But, I guess you've considered the security issues.

You don't have to decrypt the data when using the ProtectSection
method. The framework doe's that for you. You load the setting
seamlessly.

I would use the RsaProtectedConfigurationProvider.

To be able to encrypt only the sensitive data, create a new section in
your application settings and encrypt only that section. I would
suggest passing the information in the installer context (Custom
Action).

Configuration config =
ConfigurationManager.OpenExeConfiguration(<executa ble path>);
if (config != null)
{
ConfigurationSection section =
config.GetSection(<section name>);
if (section != null)
{
// Make sure that the section is not yet
protected
if (!section.SectionInformation.IsProtected)
{
if (!section.SectionInformation.IsLocked)
{
//Protecting the specified section
with the specified provider

section.SectionInformation.ProtectSection("RsaProt ectedConfigurationProvider");
// Force saving of the section
section.SectionInformation.ForceSave =
true;

config.Save(ConfigurationSaveMode.Modified);
}
}
}
}

Hope this helps.
Moty

On Jun 1, 1:59 pm, Moty Michaely <Moty...@gmail.comwrote:

On Jun 1, 11:10 am, Aneesh P <anees...@gmail.comwrote:

Thank you Moty for the info.

Actually i need to encrypt only the password fields and decrypt the
same fields in the code. That's requirement. I am thinking of using
TripleDESCryptoServiceProvider to encrypt the password. We can use one
ciphertext and one key. Key can be placed in config file. Can we
hardcode the ciphertext, considering the security aspects.Please
correct me if this approach is wrong.

Regards
Aneesh P

Hi,

First of all there has been lot's of discussions on whether to save
sensitive data in configuration files or not, and in my opinion try to
avoid it.

But, I guess you've considered the security issues.

You don't have to decrypt the data when using the ProtectSection
method. The framework doe's that for you. You load the setting
seamlessly.

I would use the RsaProtectedConfigurationProvider.

To be able to encrypt only the sensitive data, create a new section in
your application settings and encrypt only that section. I would
suggest passing the information in the installer context (Custom
Action).

Configuration config =
ConfigurationManager.OpenExeConfiguration(<executa ble path>);
if (config != null)
{
ConfigurationSection section =
config.GetSection(<section name>);
if (section != null)
{
// Make sure that the section is not yet
protected
if (!section.SectionInformation.IsProtected)
{
if (!section.SectionInformation.IsLocked)
{
//Protecting the specified section
with the specified provider

section.SectionInformation.ProtectSection("RsaProt ectedConfigurationProvide*r");
// Force saving of the section
section.SectionInformation.ForceSave =
true;

config.Save(ConfigurationSaveMode.Modified);
}
}
}
}

Hope this helps.
Moty

Yes Moly this is a nice approach. Thanks a lot for the details and
code snippet.
But one problem we would face is changing the information in config
files. Installer would handle writing config info for once time only.
Once the config file has been stored and afterwards if user wants to
change the password(since he is a domain user and has to change
password) it would not be possible
for him to change it directly in config file, right?. Am thinking of
putting this in a seperate component probably a windows form
application so that user can change config options as and when
required.

Thanks,

Aneesh P

On Jun 1, 12:41 pm, Aneesh P <anees...@gmail.comwrote:

On Jun 1, 1:59 pm, Moty Michaely <Moty...@gmail.comwrote:

On Jun 1, 11:10 am, Aneesh P <anees...@gmail.comwrote:

Thank you Moty for the info.

Actually i need to encrypt only the password fields and decrypt the
same fields in the code. That's requirement. I am thinking of using
TripleDESCryptoServiceProvider to encrypt the password. We can use one
ciphertext and one key. Key can be placed in config file. Can we
hardcode the ciphertext, considering the security aspects.Please
correct me if this approach is wrong.

Regards
Aneesh P

Hi,

First of all there has been lot's of discussions on whether to save
sensitive data in configuration files or not, and in my opinion try to
avoid it.

But, I guess you've considered the security issues.

You don't have to decrypt the data when using the ProtectSection
method. The framework doe's that for you. You load the setting
seamlessly.

I would use the RsaProtectedConfigurationProvider.

To be able to encrypt only the sensitive data, create a new section in
your application settings and encrypt only that section. I would
suggest passing the information in the installer context (Custom
Action).

Configuration config =
ConfigurationManager.OpenExeConfiguration(<executa ble path>);
if (config != null)
{
ConfigurationSection section =
config.GetSection(<section name>);
if (section != null)
{
// Make sure that the section is not yet
protected
if (!section.SectionInformation.IsProtected)
{
if (!section.SectionInformation.IsLocked)
{
//Protecting the specified section
with the specified provider

section.SectionInformation.ProtectSection("RsaProt ectedConfigurationProvide*r");
// Force saving of the section
section.SectionInformation.ForceSave =
true;

config.Save(ConfigurationSaveMode.Modified);
}
}
}
}

Hope this helps.
Moty

Yes Moly this is a nice approach. Thanks a lot for the details and
code snippet.
But one problem we would face is changing the information in config
files. Installer would handle writing config info for once time only.
Once the config file has been stored and afterwards if user wants to
change the password(since he is a domain user and has to change
password) it would not be possible
for him to change it directly in config file, right?. Am thinking of
putting this in a seperate component probably a windows form
application so that user can change config options as and when
required.

Thanks,

Aneesh P

Dear Aneesh,

Protected sections are read only so I guess you'll need to unprotect
the section to edit the inforamtion and then protect it again.

see the following article:
http://msdn2.microsoft.com/en-us/library/53tyfkaw.aspx

Good luck.
Hope this helps.
Moty

On Jun 2, 3:28 pm, Moty Michaely <Moty...@gmail.comwrote:

On Jun 1, 12:41 pm, Aneesh P <anees...@gmail.comwrote:

On Jun 1, 1:59 pm, Moty Michaely <Moty...@gmail.comwrote:

On Jun 1, 11:10 am, Aneesh P <anees...@gmail.comwrote:

Thank you Moty for the info.

Actually i need to encrypt only the password fields and decrypt the
same fields in the code. That's requirement. I am thinking of using
TripleDESCryptoServiceProvider to encrypt the password. We can use one
ciphertext and one key. Key can be placed in config file. Can we
hardcode the ciphertext, considering the security aspects.Please
correct me if this approach is wrong.

Regards
Aneesh P

Hi,

First of all there has been lot's of discussions on whether to save
sensitive data in configuration files or not, and in my opinion try to
avoid it.

But, I guess you've considered the security issues.

You don't have to decrypt the data when using the ProtectSection
method. The framework doe's that for you. You load the setting
seamlessly.

I would use the RsaProtectedConfigurationProvider.

To be able to encrypt only the sensitive data, create a new section in
your application settings and encrypt only that section. I would
suggest passing the information in the installer context (Custom
Action).

Configuration config =
ConfigurationManager.OpenExeConfiguration(<executa ble path>);
if (config != null)
{
ConfigurationSection section =
config.GetSection(<section name>);
if (section != null)
{
// Make sure that the section is not yet
protected
if (!section.SectionInformation.IsProtected)
{
if (!section.SectionInformation.IsLocked)
{
//Protecting the specified section
with the specified provider

section.SectionInformation.ProtectSection("RsaProt ectedConfigurationProvide**r");
// Force saving of the section
section.SectionInformation.ForceSave =
true;

config.Save(ConfigurationSaveMode.Modified);
}
}
}
}

Hope this helps.
Moty

Yes Moly this is a nice approach. Thanks a lot for the details and
code snippet.
But one problem we would face is changing the information in config
files. Installer would handle writing config info for once time only.
Once the config file has been stored and afterwards if user wants to
change the password(since he is a domain user and has to change
password) it would not be possible
for him to change it directly in config file, right?. Am thinking of
putting this in a seperate component probably a windows form
application so that user can change config options as and when
required.

Thanks,

Aneesh P

Dear Aneesh,

Protected sections are read only so I guess you'll need to unprotect
the section to edit the inforamtion and then protect it again.

see the following article:http://msdn2.microsoft.com/en-us/library/53tyfkaw.aspx

Good luck.
Hope this helps.
Moty- Hide quoted text -

- Show quoted text -

Yes I've seen that we need to unprotect and modify the protected
section. Thanks for the link, it points to the right direction.