Recently I've faced an interesting requirement from one of my clients:

If you have to store login / password in a .config file, it can't be stored in clear text. Moreover, if you think of encrypting this data in a .config file, the encryption key can't be hardcoded in source code.

Sample config section with sensitive data:

    <configSections>
      <section name="PayUSettings" type="JobSystem.Payments.PayU.PayUSettings, JobSystem.Payments" />
    </configSections>

    <PayUSettings PosId="265898" Login="xxx" Password="yyy" IsTestMode="False" />

What are the possible solutions to fulfill this requirement?

Carey Gregory
Macko
  • Use a smartcard usb stick to store the private key, lock that stick up in a safe and hope for the best. You need to store the key somewhere readable. – Jens Jun 07 '15 at 17:12

1 Answer

Luckily, .NET already provides this functionality for you: the ProtectedConfiguration provider. This can use the machine- or user-level key containers that are built in to Windows to store the key information.

https://msdn.microsoft.com/en-us/library/53tyfkaw(v=vs.80).aspx

If this is a web application then IIS makes this super simple to encrypt any section of the web.config file using aspnet_regiis.exe. See link here:

https://msdn.microsoft.com/en-us/library/zhhddkxy%28v=vs.140%29.aspx

If this is not a web application then it is a bit harder (but not much) as you need to implement the ProtectedConfiguration provider yourself. An example of how to do this is available here:

https://msdn.microsoft.com/en-US/library/dtkwfdky(v=vs.80).aspx

bechbd
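For the non-web case, the following is an added example (not code from the question or the answer) that encrypts the `PayUSettings` section of the application's own `.exe.config` in place with one of the providers that ship with the .NET Framework, through `SectionInformation.ProtectSection`, so no key appears in source code. It assumes a reference to `System.Configuration.dll` and that the `JobSystem.Payments` assembly from the question is loadable; the `ConfigProtector` class name is hypothetical.

```csharp
using System;
using System.Configuration;

// Added example: run once after deployment, on the machine that will read the config.
static class ConfigProtector
{
    // Built-in provider names registered in machine.config.
    const string RsaProvider = "RsaProtectedConfigurationProvider";     // key lives in an RSA key container
    const string DpapiProvider = "DataProtectionConfigurationProvider"; // Windows DPAPI, tied to this machine

    // Encrypts the named section in place. Returns true if the file was changed,
    // false if the section was already encrypted.
    public static bool Protect(string sectionName, string providerName)
    {
        Configuration config =
            ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);

        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null)
            throw new ConfigurationErrorsException("Section not found: " + sectionName);

        SectionInformation info = section.SectionInformation;
        if (info.IsProtected)
            return false;                      // nothing to do, keep the call idempotent
        if (info.IsLocked)
            throw new ConfigurationErrorsException("Section is locked: " + sectionName);

        info.ProtectSection(providerName);     // replaces the element with <EncryptedData>
        info.ForceSave = true;                 // write even though no property values changed
        config.Save(ConfigurationSaveMode.Modified);
        ConfigurationManager.RefreshSection(sectionName);
        return true;
    }

    static void Main()
    {
        bool changed = Protect("PayUSettings", RsaProvider);
        Console.WriteLine(changed
            ? "PayUSettings is now encrypted on disk."
            : "PayUSettings was already encrypted.");

        // Reading code does not change: ConfigurationManager.GetSection("PayUSettings")
        // decrypts transparently, provided the process identity can use the key.
    }
}
```

The plaintext `Login` and `Password` attributes remain in any earlier copies of the file (source control, backups, deployment packages), so those copies need the same treatment or a credential rotation after the section is encrypted.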