0

I need to encrypt data and store it in a file and later be able to decrypt it back. For this I am using the RijndaelManaged class. Now I do not want to keep the key hardcoded in the code. After some googling I found this method -

Here the key is generated but then all other values like passphrase, salt and IV are hardcoded. I do not have the option of letting the user enter the password, so I will also have to hard-code these values. So is this really safe? Can't some hacker use tools to find these hardcoded values and figure out the key?

Happy Go Lucky

2 Answers

6

You cannot store secrets hard coded in an application. Period. If the prize is worth it, the secret can be found.

Viable solutions are:

  • Use DPAPI through ProtectedData classes.
  • Ask the user for a password.
  • Use hardware modules (like a user badge).
Remus Rusanu
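
The first option in the answer above (DPAPI through `ProtectedData`), shown for the question's store-to-file and read-back case. This is an added example, not code from the question or the answer; the `SecretFile` class, the entropy string and the file path are hypothetical names chosen for illustration.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

static class SecretFile   // hypothetical helper, not from the page
{
    // Optional entropy: not a secret, but Unprotect fails without the same value.
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("ExampleApp.SecretFile.v1");

    public static void Save(string path, string plaintext)
    {
        byte[] data = Encoding.UTF8.GetBytes(plaintext);
        try
        {
            // Windows manages the key, protected by the current user's logon
            // credentials; the program holds no key, passphrase, salt or IV.
            byte[] blob = ProtectedData.Protect(data, Entropy, DataProtectionScope.CurrentUser);
            File.WriteAllBytes(path, blob);
        }
        finally { Array.Clear(data, 0, data.Length); }
    }

    public static bool TryLoad(string path, out string plaintext)
    {
        plaintext = null;
        try
        {
            byte[] blob = File.ReadAllBytes(path);
            byte[] data = ProtectedData.Unprotect(blob, Entropy, DataProtectionScope.CurrentUser);
            plaintext = Encoding.UTF8.GetString(data);
            Array.Clear(data, 0, data.Length);
            return true;
        }
        catch (CryptographicException)
        {
            // Different user or machine, wrong entropy, or a modified blob.
            return false;
        }
    }
}

static class Program
{
    static void Main()
    {
        string path = Path.Combine(Path.GetTempPath(), "example-secret.bin"); // constructed path
        SecretFile.Save(path, "constructed sample value");
        string value;
        Console.WriteLine(SecretFile.TryLoad(path, out value) ? "decrypted: " + value : "cannot decrypt");
    }
}
```

`ProtectedData` is Windows-only; on .NET Framework it needs a reference to the System.Security assembly, and on .NET Core and later the System.Security.Cryptography.ProtectedData package. With `DataProtectionScope.CurrentUser`, any code running as the same user can call `Unprotect` on the file, so the protection is against other accounts and offline copies of the file, not against code running in the user's own session.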
1

I don't understand. You say you don't have the option for having a user enter the password so what are you envisioning? If your computer was magic and you could describe what you want, what is it you want?

Jonathan Kaufman