4

I am writing a Windows Forms application for public distribution that utilizes a cloud database. I need to encrypt the connection string in the published app.config file. I am using Entity Framework and .net 4.5 for this project. From what I've read (and it may be wrong), EF does not automatically decrypt connection strings. How do I accomplish that?

Improve this question
12
  • possible duplicate of Entity Framework Encrypt Connection String Commented Oct 1, 2013 at 18:51
  • 3
    Clearly not a duplicate. I'm asking about Windows Forms, not ASP.Net. Commented Oct 1, 2013 at 18:59
  • @PaytonByrd the concept is the same. Commented Oct 1, 2013 at 19:09
  • 3
    @DanielA.White yes but running aspnet_regiis (which is what the only answer for that question says to do) is not a option if you are not using IIS. Commented Oct 1, 2013 at 19:11
  • 1
    Guys, please understand that I'm NOT using ASP.Net, which means there's not any automatic decryption by the web server. If you read the articles posted here and in the other "answer" it clearly states that the solution is for ASP.Net. I AM NOT USING ASP.NET Commented Oct 1, 2013 at 19:12

2 Answers 2

Reset to default
0

You should use Windows authentication. If you give the users an encrypted connection string and expect them to pass it back unencrypted then you have to give them the means to decrypt basically the public key which is a security no no. You may be able to encrypt the string in the file and have the application pass it up to a WCF or REST service that holds the private key, decrypts, establishes connection to the database, and makes the query to the database. But that still makes the encrypted value as good as a password. This is why you need to use windows authentication so the user can provide his credentials and you authorize them. That way you can control who is accessing the database and the user is the only person with access to their password (theoretically anyhow).

This is also why ASP.Net has this functionality and WinForm apps don't ASP.Net apps run in a controlled server environment where they can have access to a private key without sharing it with the world.

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

Windows authentication is impossible. This is a public application hitting a central database, not an internally distributed app.
-2

To expand on my comments to make it an answer, you can use aspnet_regiis. Rename your app.config to web.config, then follow the steps described in

Encrypting sections and-or settings in an App.config file that will be redistributed

After it is done, rename the file back.

Improve this answer

1 Comment

This method requires that same machine key is used on all clients. So this method does not really protect connection string data.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.