Encrypting the connection string for Windows applications can be easily done in a few simple steps explained in this article.
Wanting to secure connection strings for Windows applications, I read the
.NET Framework Developer's Guide, which explains that "ASP.NET 2.0 provides a new feature, called
'protected configuration', that enables you to encrypt sensitive information
in a configuration file. Although primarily designed for ASP.NET, protected configuration
can also be used to encrypt configuration file sections in Windows applications."
Using this guideline, I was able to encrypt and decrypt my connection strings
in my application on my computer, but upon distributing the application, the following
error occurred: "Failed to decrypt using provider 'MyUserDataProtectionConfigurationProvider'.
Error message from the provider: Key not valid for use in specified state. (Exception
from HRESULT: 0x8009000B)", as described in "How
To: Encrypt Configuration Sections in ASP.NET 2.0 Using DPAPI".
This error occurs because the key used to decrypt the string is machine specific.
To get around this problem, Hameer Saleem wrote an excellent article, "Implementing
Protected Configuration With Windows Apps," explaining how to
encrypt application settings on distributed applications through the Windows installer.
Being based on Hameer Saleem's article, this article is very similar to it, but
leaves out a step or two and focuses on connection strings.
Using the Code
- Store connection string in the Application Settings
- Add an installer class and override the install method
- Add a Setup Project with a custom action containing the project's primary output
- Install the application
1. Store connection string in the Application Settings
Create a new project and, in the Settings page of the Project Designer, create a new
Application Setting for the connection string. In this example, the project is called
"MyConnectionString" and the connection string Application Setting is called "ConnectionString".
How to: Create Application Settings Using the Designer
When a new Application Setting is created, the Project Designer creates a settings class
which exposes the connection string to the project through the Properties namespace,
making it easy to access the connection string from code. Application settings are
accessed using the Properties.Settings.Default object, as shown below:
string databaseConnectionString = Properties.Settings.Default.ConnectionString;
For detailed information, see "Using Settings in C#"
The Project Designer will also create an
application configuration file, called app.exe.config (where app
is the name of your main executable file), which will contain the
Application Setting of the
<?xml version="1.0" encoding="utf-8" ?>
Catalog=AdventureWorks;Integrated Security=True" />
2. Add an installer class and override the install method
To protect the connection string, add the System.Configuration reference, add an
Installer Class to the project and then override the Install Method in that class
with the following code:
public override void Install(IDictionary stateSaver)
Configuration config = ConfigurationManager.OpenExeConfiguration(
ConfigurationSection section = config.GetSection("connectionStrings");
How to: Add New Project Items
With the System.Configuration.ConfigurationSection, one can get an application settings
section from the application configuration file and encrypt it using the Windows
Data Protection API or the RSA encryption algorithm. In this example, I'm
getting the "connectionStrings" section of the application configuration file and
encrypting it using the Windows Data Protection API.
For more information, see Securing Connection Strings
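A complete installer class for this step, given here as an added example and not as the article's original listing. The class name ProtectConfigInstaller and the use of the installer assembly's own path as the configuration target are assumptions; the provider name is the DPAPI provider that machine.config registers by default.

```csharp
using System.Collections;
using System.ComponentModel;
using System.Configuration;
using System.Configuration.Install;
using System.Reflection;

namespace MyConnectionString
{
    // Added example: ProtectConfigInstaller is a hypothetical class name.
    [RunInstaller(true)]
    public class ProtectConfigInstaller : Installer
    {
        // Default DPAPI provider registered in machine.config.
        private const string Provider = "DataProtectionConfigurationProvider";

        public override void Install(IDictionary stateSaver)
        {
            base.Install(stateSaver);

            // Assumption: this class is compiled into the application's own .exe,
            // so Location is the installed executable and OpenExeConfiguration
            // opens the <exe>.config file that sits next to it.
            string exePath = Assembly.GetExecutingAssembly().Location;
            Configuration config = ConfigurationManager.OpenExeConfiguration(exePath);

            ConfigurationSection section = config.GetSection("connectionStrings");
            if (section == null)
            {
                // Defensive check: fail the install rather than ship plaintext.
                throw new InstallException(
                    "connectionStrings section not found in " + config.FilePath);
            }

            // Skip the work if the section is already protected,
            // for example on a repair install.
            if (!section.SectionInformation.IsProtected)
            {
                // Encryption happens on the target machine, so the DPAPI key
                // that protects the section is the one available at run time.
                section.SectionInformation.ProtectSection(Provider);
                section.SectionInformation.ForceSave = true;
                config.Save(ConfigurationSaveMode.Modified);
            }
        }
    }
}
```

The default machine.config entry for this provider uses machine-scoped DPAPI, so the section decrypts for whichever account later runs the application, and equally for any other process on that machine. The project needs references to both System.Configuration and System.Configuration.Install.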
3. Add a Setup Project with a custom action containing the project's primary output
Next, add a Setup project to the solution which contains the project's primary output.
Select the Custom
Actions Editor and add a
Then select the primary output for your application. In this case, it's the
primary output for MyConnectionString.
4. Install the application
That's it. Now, when the application is compiled and installed, the application
configuration file will be protected to look like this:
When run, the program will decrypt the protected data and return
the correct string.