I have a Windows Form written in VB.NET and I want to encrypt the connection string in app.config and distribute it to other machines. I can encrypt it fine on the machine it's compiled on, but it does not work on other machines because the encryption is tied to that machine. How can I make it so other machines within my domain can use it? I am connecting to a database that people would not have access to without the app, so I cannot use domain credentials.
- If you're using [Protected Configuration](https://learn.microsoft.com/en-us/previous-versions/aspnet/53tyfkaw(v=vs.100)) then you need to use the RSA option, not the DPAPI. – jmcilhinney Sep 15 '20 at 13:56
- Here is a [class](https://github.com/karenpayneoregon/SecureConnectionStringsVisualBasic/blob/master/ConfigurationLibrary_vb/ConnectionProtection.vb) for encrypting/decrypting connection strings. – Karen Payne Sep 15 '20 at 15:56
- Since this is a Windows Forms app, a simple option is to use 3DES encryption methods on the connection string value and store an encrypted version of it that's decrypted at runtime. I just posted about it [here](https://stackoverflow.com/questions/63922001/how-to-protect-my-file-from-sending-to-skype-or-upload-to-cpanel) if you want to see what's involved. There are obviously other solutions. However, I'm not clear why you can't get the logged-in user's identity, how authentication to the database is occurring, are you hard-coding credentials in the connection string, etc. – technonaut Sep 16 '20 at 20:31
- Hi guys, TY for your answers. I found a much easier solution from a colleague. Instead of using a connection string with a username and password, being this is an internal app and all users are internal in the same domain, I am using Security Support Provider Interface (SSPI). All I needed was read-only access to a few tables so this works well. – Gdog Sep 17 '20 at 21:17
1 Answer
It's "simple" really; you just distribute a connection string that cites a user with the minimum permissions required to let the application work or, if your appetite for hacking doesn't extend that far, you create a web service that does all the grunt work and you never release the connection string at all. If you don't want a web service, you might be able to achieve the same end result by using stored procedures and restricting access to tables directly.
Thinking that you can encrypt a connection string in a config, and then bundle with it an application that has to decrypt it to make use of it, is something of a fool's errand. If you don't want someone to know something, you don't give it to them in the first place!

Caius Jard
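The outcome the asker reports in the comments (SSPI instead of a stored username and password) and the answer's point about not shipping the secret can be checked before distribution. This is an added example, not code from the thread or from any linked project; it assumes SQL Server via `System.Data.SqlClient`, and the server, database and login names are constructed placeholders:

```vb
Imports System
Imports System.Collections.Generic
Imports System.Data.SqlClient

Module ConnectionStringCheck

    ' Lists what a connection string would hand to anyone holding app.config.
    ' An empty list means no credential is stored in it.
    Function FindEmbeddedSecrets(connectionString As String) As List(Of String)
        Dim findings As New List(Of String)
        Dim builder As New SqlConnectionStringBuilder(connectionString)

        If Not builder.IntegratedSecurity Then
            findings.Add("not using integrated security (SSPI)")
        End If
        ' Flag leftovers even when SSPI is on: the driver ignores them,
        ' but they are still readable in the distributed file.
        If builder.UserID <> "" Then findings.Add("User ID present")
        If builder.Password <> "" Then findings.Add("Password present")
        If builder.PersistSecurityInfo Then findings.Add("Persist Security Info enabled")
        Return findings
    End Function

    Sub Main()
        ' Connection string in the form the asker adopted, built rather than typed.
        Dim sspi As New SqlConnectionStringBuilder() With {
            .DataSource = "dbserver.example.local",
            .InitialCatalog = "Reports",
            .IntegratedSecurity = True
        }

        ' Constructed samples: names and the password are placeholders.
        Dim candidates As String() = {
            "Data Source=dbserver.example.local;Initial Catalog=Reports;User ID=app_reader;Password=SAMPLE-ONLY",
            "Data Source=dbserver.example.local;Initial Catalog=Reports;Integrated Security=SSPI;Password=SAMPLE-ONLY",
            sspi.ConnectionString
        }

        For Each candidate As String In candidates
            Dim findings As List(Of String) = FindEmbeddedSecrets(candidate)
            Dim catalog As String = New SqlConnectionStringBuilder(candidate).InitialCatalog
            If findings.Count = 0 Then
                Console.WriteLine("OK   " & catalog & ": no credential stored")
            Else
                Console.WriteLine("FAIL " & catalog & ": " & String.Join("; ", findings))
            End If
        Next
    End Sub
End Module
```

With integrated security the database sees each user's own Windows account, so the read-only grant has to be made to those accounts (or a domain group containing them) on the server side.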