
I am trying to translate my PowerShell script into a C# WinForm. The form needs to carry out this process:

  1. Take a Username and Password you have provided, encrypt and save to a text file.
  2. A user logs onto a machine and runs another WinForm, which can read the encrypted file and use the credentials.

Now, I was wondering, I could encrypt with AES using an AES key hard-coded into both WinForms. How can I ensure I keep the hardcoded key safe? Can I encrypt the compiled WinForm? What options do I have if this is not ideal?

I am writing all of this (hopefully) in C# with Visual Studio 2015 Community.

EDIT: DPAPI is not a viable solution, as the credentials will be used not just in a separate solution, but also on a different machine, so the thread "How to securely save username/password (local)?" will not help me.

  • Can you store only a hash of the login and password? MD5, SHA? – Backs Nov 03 '15 at 11:13
  • So your fear is mostly the security of the encryption keys if they are hardcoded inside C#? For example, when someone decompiles the .exe? – Thomas Nov 03 '15 at 11:27
  • For the hard coding, it would be interesting to know if you have the key stored in a property or directly inside the code. I THINK that makes a difference (or at least can). – Thomas Nov 03 '15 at 11:29
  • Is it possible for me to encrypt my entire WinForm, so that if anyone decompiled it, they can't read the data? This must be possible or people would just be constantly stealing code from major developing companies. – Steve Ayers Nov 03 '15 at 11:33
  • No - this is not a duplicate, as DPAPI only works on the same host as where it was created. – Steve Ayers Nov 03 '15 at 12:03

0 Answers