How do I securely store my connection string in a windows application?

Question

4.00/5 (1 vote)

See more:

Hello,

First I want to say sorry for my bad English and the question itself.(because it has been asked a million times)
I've read a lot of webpages about connection string encryption/storing.
Some say you should store your connection string in your app.config file.(encrypted ofcourse)
Sadly, this is not possible for me because I want to be able to use the program on different windows machines.(so other people can use my program too)

So my question is probably a very hard question to answer.
But is there a way to encrypt your connection string or store it somewhere or what for method it may be.
So I can safely assume that my connection string is "safe enough". So I can spread the program across the internet. Without having to worry about someone trying to get my connection string out of my program.

I'm using Visual Studio 2013 for Desktop with the mysql.data.mysqlclient dll file.
The connection string contains a ip address, username, password, certfile, etc.
Its a external MySQL database on a linux server. not a .mdf file

I really hope someone could help me with this.

Posted 2-Sep-14 4:01am

Michel Jonk

Add a Solution

Comments

ZurdoDev 2-Sep-14 10:31am

All instances of your app will point to the same connection string?

Michel Jonk 2-Sep-14 10:40am

Yes the whole program uses one connection string.

ZurdoDev 2-Sep-14 10:43am

No, do all your instances of the app use the same one? If I had a copy here, and someone else had a copy in another country they all point to the same place? If so, you can encrypt into a file you include with your app.

Also, why can't you encrypt your connection string in app.config? You mention it is not possible but your explanation does not make sense.

Michel Jonk 2-Sep-14 10:50am

The connection string stays the same, doesn't matter which country someone lives in. They all are trying to connect to my MySQL server. All to the same IP address.

And why I cant encrypt my connection string in app.config. Because if someone else tries to decrypt it. Then it doesnt work because the encryption is machine specific. So it only works on my windows machine. Maybe im doing it wrong, but i dont know what I am doing wrong if that is the case. Btw thanks for helping.

ZurdoDev 2-Sep-14 11:01am

I believe encryption is still the best option. Of course you can also have a license on their machine that uses something specific from their machine and you store that in your db encrypted as well.

Michel Jonk 2-Sep-14 11:13am

Alright, I have still two question left. If I use encryption is this possible: http://msdn.microsoft.com/en-us/library/89211k9b%28VS.80%29.aspx App.config Example
Or is this not secure enough?

And how would I encrypt the connection string with the machine's details?
Because encrypting the connection string with specific information from the machine is a smart idea. But how would I encrypt the connection string. I'd first need the connection string in plain text. So I can encrypt it with the machine's details. And if I do this then I'd need to give my program the connection string in plain text. So it can encrypt it. But this will make my connection string viewable if not started for the first time. Or am I seeing this whole wrong?

ZurdoDev 2-Sep-14 11:17am

You could also write your own code to decrypt it instead of using .Net built-in and ship it out encrypted. But you're right, don't send it out in plain text anywhere. You need to deploy it encrypted already so it will not use the individual machines' information.

1 solution

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Marc Koutzarov · Answer 1 · 2014-09-02T06:56:00

Create somewhere a central web service and and send it to the application encrypted (use asymmetric encryption).

But I'm afraid it will not help you much because if someone uses a debugger he could easy grab the decrypted key from memory.

Take a look at this namespace "System.Configuration.SectionInformation.ProtectSection" and Hameer Salem's article on codeproject.