3

I have a password which I save on the Settings.settings file

and since it is a password, I need to encrypt it.

What are my possibilities, and how can I accomplish such a task? Is it possible to encrypt a string, and how do you decrypt it?

Lauren Rutledge
gbbb

3 Answers

2

You could encrypt the password, but your code will need to have the decryption key built in. So it's not very secure. Anyone disassembling your code would have one extra step to take before they'd have the password.

You're likely better off using an AD service account, or some other security mechanism designed for this purpose. Security is hard; don't roll your own unless you absolutely have to!

Greg Dietsche
2

Option 1: You can use SectionInformation.ProtectSection to encrypt it, or if it's an ASP.NET app you can use aspnet_regiis to encrypt it. IIRC aspnet_regiis uses ProtectSection under the covers, so in theory you could use this from the command line on a regular app if you wanted. It can be done like below, to clear up all the clutter from the MSDN article:

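```csharp
using System.Configuration; // you will need to add a reference to System.Configuration

// Open the configuration file of the running executable.
Configuration config = ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);

// Get the section (UrlsSection is a custom ConfigurationSection type).
UrlsSection section = (UrlsSection)config.GetSection("MyUrls");

// Protect (encrypt) the section.
section.SectionInformation.ProtectSection("RsaProtectedConfigurationProvider");

// Write the encrypted section back to the config file.
config.Save(ConfigurationSaveMode.Full);
```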

Option 2: Write up your own encryption/decryption mechanism; check out System.Security.Cryptography to learn how to do this.

Option 3: Use the ProtectedData class (from System.Security.Cryptography) to encrypt using user-specific or machine-specific encryption. This is simple; something like this will do.

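```csharp
using System.Security.Cryptography; // add a reference to System.Security

byte[] additionalEntropy = {9, 8, 7, 6, 5};
byte[] secret = {0, 1, 2, 3, 4, 1, 2, 3, 4};

// Encrypt for the current Windows user, then decrypt with the same entropy and scope.
byte[] protectedBytes = ProtectedData.Protect(secret, additionalEntropy, DataProtectionScope.CurrentUser);
byte[] originalSecret = ProtectedData.Unprotect(protectedBytes, additionalEntropy, DataProtectionScope.CurrentUser);
```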

Note that method #1 encrypts using the machine key, and therefore can only be read back on the machine it was encrypted on, and thus can be read back by any user running your app on the same machine. Method #3 is based on the user key (and specific to the machine, iirc), so it is the most restrictive. If you want to encrypt on one machine and make it readable across different machines, you'll need to go with option 2.

antak
Jason
  • Thanks a lot, do you know how I have to modify "UrlsSection" so I could write something like Properties.settings.default.Adminpassword, which is the section I am trying to encrypt? – gbbb Jun 04 '13 at 07:50
  • @gbbb Try this: http://msdn.microsoft.com/en-us/library/2tw134k3(v=VS.80).aspx It should be what you're looking for. – Jason Jun 04 '13 at 14:47
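The following added example (not code from any of the answers) applies Option 3 to a string password, producing a Base64 value that fits a string-typed entry in Settings.settings and handling the case where the stored value cannot be decrypted. The class name, entropy string, sample password and the `AdminPassword` setting name are assumptions made for illustration.

```csharp
// Added example: requires a reference to System.Security (.NET Framework).
// ProtectedData wraps the Windows DPAPI, so this runs on Windows only.
using System;
using System.Security.Cryptography;
using System.Text;

static class SettingsSecret
{
    // Constructed sample entropy: it ties the blob to this application, but it
    // is not a secret, because it ships inside the binary.
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("MyApp.AdminPassword.v1");

    // Plaintext -> Base64 DPAPI blob that can be stored in a string setting.
    public static string Protect(string plaintext)
    {
        byte[] clear = Encoding.UTF8.GetBytes(plaintext);
        try
        {
            byte[] blob = ProtectedData.Protect(clear, Entropy, DataProtectionScope.CurrentUser);
            return Convert.ToBase64String(blob);
        }
        finally { Array.Clear(clear, 0, clear.Length); } // wipe the plaintext copy
    }

    // Returns false when the value is malformed or was protected under a
    // different Windows user, machine or entropy value.
    public static bool TryUnprotect(string stored, out string plaintext)
    {
        plaintext = null;
        try
        {
            byte[] clear = ProtectedData.Unprotect(Convert.FromBase64String(stored), Entropy, DataProtectionScope.CurrentUser);
            plaintext = Encoding.UTF8.GetString(clear);
            Array.Clear(clear, 0, clear.Length);
            return true;
        }
        catch (FormatException) { return false; }        // not valid Base64
        catch (CryptographicException) { return false; } // not a blob this user can open
    }

    static void Main()
    {
        // 'stored' stands in for a string setting such as
        // Properties.Settings.Default.AdminPassword (hypothetical name).
        string stored = Protect("constructed-sample-password");
        string recovered;
        Console.WriteLine(TryUnprotect(stored, out recovered) ? "decrypted OK" : "decrypt failed");
        Console.WriteLine(TryUnprotect("bm90LWEtYmxvYg==", out recovered) ? "unexpected" : "garbage value rejected");
    }
}
```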
1

First thing I'd ask - do you need to have an admin password in your application? If the answer is yes, then it depends on what you want to do. If you need to use the password for something, then you can use aspnet_regiis to encrypt sections of your config file and be able to recover them again.

http://msdn.microsoft.com/en-us/library/k6h9cz8h(v=vs.80).aspx

If the password is never going to be used, i.e. you are just expecting someone to log in as the administrator and you want to check the password is correct, then the best method to use is salting, which is basically a one-way encryption, meaning that no one can recover your password. When you come to authenticate, you simply repeat the process and validate the results against your salted password.

http://en.wikipedia.org/wiki/Salt_(cryptography)

http://www.symantec.com/connect/blogs/would-you-care-some-salt-your-password

Hash and salt passwords in C#

Community
Andrew
  • Hi, it's the first :D Problem: I'm a beginner and I don't really know how to apply the MSDN link you gave me, do you have any ideas? – gbbb Jun 03 '13 at 14:57
  • Try this link http://msdn.microsoft.com/en-us/library/zhhddkxy(v=vs.100).aspx As I understand it, once you've encrypted it then the program will automatically decrypt it when needed. – Andrew Jun 03 '13 at 15:09