0

I'm trying to develop a C# Winform application, which connects to SQL database.

So far I was able to move the most sensitive data from my XML configuration file to an external XML configuration file, but that's it.

The last thing I have to do is to encrypt that file, as many people will have access to a directory in which application is located.

My main [APP] configuration file looks as follows:

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<configSections>
</configSections>
<connectionStrings configSource="conn_string.config"/>
<startup>
<supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.7.2" />
</startup>
</configuration>

And there is my [conn_string] external configuration file in which I'm trying to hide a connection string:

<?xml version="1.0" encoding="utf-8" ?>
<connectionStrings>
<add name="myConnectionStringName"
providerName="System.Data.SqlClient"
connectionString="Data Source=ServerName;Initial 
Catalog=InitialDatabaseName;User=UserName;Password=MyPassword;Application Name=MyAppName" />
</connectionStrings>

Now when it comes to encryption I have read that asp-netregiis.exe is looking only for file named "web" so I temporarily renamed my "conn_string" file to "web"

And tried the encryption(via developer command line VS):

aspnet_regiis -pef "connectionStrings" "path_to_my_conn_string_file"

The result is: ~My translation

The web.config file doesn't contain a configuration tag

So I added one like this:

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<connectionStrings>
<add name="myConnectionStringName"
providerName="System.Data.SqlClient"
connectionString="Data Source=ServerName;Initial 
Catalog=InitialDatabaseName;User=UserName;Password=MyPassword;Application Name=MyAppName" />
</connectionStrings>
</configuration>

Now it complains about: ~Again my translation

File format configSource must be an element conatining section name
mason
  • 31,774
  • 10
  • 77
  • 121
Nobody_really
  • 11
  • 4
  • First of all, you have to provide the containing directory in the **"path_to_my_conn_string_file"** section you mentioned. Then your config's name has to be web.config (not case sensitive). Do you try it like this? – turanszkik Mar 13 '20 at 12:20
  • Does this answer your question? [Encrypting the connection string in web.config file in C#](https://stackoverflow.com/questions/2460911/encrypting-the-connection-string-in-web-config-file-in-c-sharp) – Alejandro Mar 13 '20 at 13:31

1 Answers1

0

The steps you are taking that use aspnet_Regiis are really intended for web applications hosted in Internet Information Server (IIS). The file it is looking for is really "web.config." You mentioned that the app being constructed is a winforms application, which isn't a web application. Regular winforms applications are generally configured via a file called "app.config." Visual Studio may have created a base app.config for you depending on the version you're using.

You can "trick" aspnet_Regiis into encrypting your configuration file by temporarily renaming app.config to web.config, and then invoking aspnet_regiis with a flag that points to the exact path of our "phony" web.config:

For simplicity, let's say your initial app.config resides in c:\MyPrograms\MyApp.

  1. Rename app.config to web.config.
  2. From an administrative command prompt, set your current directory to c:\windows\micrsoft.net\framework\v4.0.30319

  3. Invoke aspnet_regiis, using the "-pef" switch to instruct the tool to encrypt a particular section of your web.config:

    aspnet_regiis -pef "connectionStrings" c:\MyPrograms\MyApp

  4. If you see a "Succeeded" message, rename your web.config back to app.config, and run your application. .NET should decrypt your connection string automatically at runtime on that machine.

If you need to put this application on other machines, you may need to consider setting up a common encryption key that can be installed on other machines as well as define a provider in web.config that leverages that key. But for now, let's get the basic process working locally, and then worry about the other components once we know this part is working.

Hope this helps!

David W
  • 10,062
  • 34
  • 60
  • Ok I did like you said and it worked. But now I'm holding everything in one config file. – Nobody_really Mar 13 '20 at 13:34
  • I don't know of any mechanism that will allow you to store credentials within a separate configuration file. The .NET configuration structure was designed, at least as far as I have ever understood, to work within the confines of app.config or web.config (as appropriate). You might need to adopt a custom solution within your app if you must retain encrypted credentials separately. – David W Mar 13 '20 at 13:36
  • My main problem with holding everything in one config file is that when I push my code to the remote repository, I would have to exclude(git ignore) entire config file. I don't know maybe that's completely fine, but when I saw, that there is an opportunity to divide this config file, so I can hold my connection string elsewhere, then i thought that may look more professional. What do you think? – Nobody_really Mar 13 '20 at 13:43
  • I've always held the encrypted configuration data in app.config or web.config, and that would be my suggestion to you. In our environment, we long ago built a single encryption key that we installed on our local (Dev) boxes and our webservers, allowing a single encryption provider to encrypt/decrypt everything on the fly. – David W Mar 13 '20 at 13:46
  • Guess I will stick to your advice. Thanks! – Nobody_really Mar 13 '20 at 13:58
  • Glad to have been of help. – David W Mar 13 '20 at 14:37