Encrypt ConnectionString in a *WINFORMS* App

OK, I know how to encrypt and decrypt data, but here's the deal:

I have a large Winforms .NET 2.0 application which is currently storing
the connection string in the app.config file unencrypted (currently
using Windows integrated security, so there's no password). There are
only 3 users using the app right now, but that will change soon and
we're not going to have our DBAs add every user to the database... Our
data entry personnel have a high turn-over rate. We do have one SQL
Server account and password that the app needs to be using.

So, like I said, I know how to encrypt/decrypt strings, but my
question is, how do I add the decryption in my app so that I don't have
to make tons of changes everywhere in the app? The app uses typed
datasets everywhere that somehow get their connectionstring from the
appconfig. If I encrypt it in appconfig, how will all these components
know how to decrypt it?

I'm sure (hoping) it's something simple, but heck if I can find it!!

Any help would be greatly appreciated!
Thanks!

Apr 27 '06 #1
Aha!!

I finally figured it out:

In Settings.cs, I added an event handler to SettingsLoaded. In that
handler, (which is called right after the connection string is read
in), I added the following:

this.PropertyValues["MyAppConnectionString"] = /* my decrypted string */;

Voilà!

Damn! I'm good! :)

Apr 27 '06 #2
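
A fuller sketch of the hook described in the post above, as an added example rather than the poster's actual code. It assigns through the settings indexer, and it assumes a hypothetical `MyApp.Properties` namespace and a stored value that is a Base64 DPAPI blob; the post does not say which decryption routine was used.

```csharp
// Settings.cs: the hand-edited half of the designer-generated partial class.
// Needs a reference to System.Security.dll for ProtectedData.
using System;
using System.Configuration;
using System.Security.Cryptography;
using System.Text;

namespace MyApp.Properties   // hypothetical namespace
{
    internal sealed partial class Settings
    {
        // Setting name taken from the post.
        private const string ConnectionSetting = "MyAppConnectionString";

        public Settings()
        {
            // Raised once the values from app.config have been read.
            this.SettingsLoaded += OnSettingsLoaded;
        }

        private void OnSettingsLoaded(object sender, SettingsLoadedEventArgs e)
        {
            string stored = (string)this[ConnectionSetting];
            // Replaces the in-memory value only; app.config keeps the ciphertext.
            // Typed datasets read the setting afterwards and get the plaintext.
            this[ConnectionSetting] = Decrypt(stored);
        }

        // Assumption: the stored value was produced by Encrypt() on this machine.
        private static string Decrypt(string base64)
        {
            byte[] plain = ProtectedData.Unprotect(
                Convert.FromBase64String(base64), null, DataProtectionScope.LocalMachine);
            return Encoding.UTF8.GetString(plain);
        }

        // Run once per workstation (e.g. at install time) to create the stored value.
        internal static string Encrypt(string connectionString)
        {
            byte[] blob = ProtectedData.Protect(
                Encoding.UTF8.GetBytes(connectionString), null, DataProtectionScope.LocalMachine);
            return Convert.ToBase64String(blob);
        }
    }
}
```

With `DataProtectionScope.LocalMachine` any process on the workstation can call `Unprotect` on the blob, so this keeps the password out of a casually opened config file but not away from the user who runs the app.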
<go****@easiesttoremember.com> wrote in message
news:11**********************@v46g2000cwv.googlegroups.com...
> OK, I know how to encrypt and decrypt data, but here's the deal:
>
> I have a large Winforms .NET 2.0 application which is currently storing
> the connection string in the app.config file unencrypted (currently
> using Windows integrated security, so there's no password). There are
> only 3 users using the app right now, but that will change soon and
> we're not going to have our DBAs add every user to the database... Our
> data entry personnel have a high turn-over rate. We do have one SQL
> Server account and password that the app needs to be using.

There is a better way. Set up a domain group to have access to your
database. When a new user comes into the company, add them to the domain
group. They now have SQL access. Alternatively, if you want Everyone to
have access, add the Domain Users group to your database. Now all domain
users will have access. No need for DBA access at all.

Problem solved. Stick with integrated security. It works.

That said, if you really want to look at encrypting the config section of
your config file, see
a. "How To: Encrypt Configuration Sections in ASP.NET 2.0 Using DPAPI,"
at http://msdn.microsoft.com/library/en...AGHT000005.asp.
b. "How To: Encrypt Configuration Sections in ASP.NET 2.0 Using RSA" at
http://msdn.microsoft.com/library/en...AGHT000006.asp.
These work in web.config but I believe they also work in app.config. (not
100% certain).

--- Nick Malik [Microsoft]
MCSD, CFPS, Certified Scrummaster
http://blogs.msdn.com/nickmalik

Disclaimer: Opinions expressed in this forum are my own, and not
representative of my employer.
I do not answer questions on behalf of my employer. I'm just a
programmer helping programmers.
--
May 3 '06 #3

Yes, I had read plenty about DPAPI and such, but how am I supposed to
use ASP.NET configuration encryption stuff on a WinForms app? It
doesn't look like it's intended for WinForms apps and it seems like an
enormous amount of effort for no apparent improvement or gain over the
current method I'm using now.... which is basically one method added
and one line to call it... zero machine configuration, no IIS, etc...

The problems with integrated security are:

- Our admins (who are across the country) don't get around to creating
new domain users for several days up to a week. Our data entry
employees can't sit around that long with nothing to do, especially
because of the nature of the temporary project that uses this app and the
high turn-over rate in the data entry positions.

- Once in a while, we need to terminate someone and block their access
immediately. We need a local "app admin" to create and delete user
accounts on demand.

- We also need extremely granular application security that can't be
performed at the SQL Server level, nor the Windows level. We need
specific groups and specific users to have access (or be specifically
denied access) to certain application objects and features.

So, as nice as integrated security is, it's just not an option.

I appreciate the information though. I do intend on looking more
closely at DPAPI for my ASP.NET apps.

Thanks!

May 8 '06 #4
go****@easytoremember.com,

I am curious as to where exactly you will be storing the decryption key
for the connection string of your Winform application.

This is something I am still struggling with myself. All the
documented automagic methods for dealing with this seem geared more
toward ASP.Net and/or Windows services.

May 15 '06 #5
