How to safely store API credentials in a SQL Server database?

Question

In my Windows service I need to be able to retrieve credentials for a third-party REST API that is stored in my SQL Server 2012 database that is on the same network. Each of my customers may have a different API credential assigned to them. For example:

Customer Name | API ID | API Password In Plain Text
-----------------------------------------------------
Customer 1      1234     somepassword
Customer 2      1234     somepassword
Customer 3      5678     anotherpassword

In the first iteration of this service, all of the customers used the same API credential and it was encrypted in the app.config of the Windows service using SectionInformation.ProtectSection.

Do I just use one the encrypt/decrypt methods provided by the .NET framework and store that value in the database? For example, one the solutions provided here: Encrypting & Decrypting a String in C#? Any suggestions or other solutions I can look into?

Maybe look at using MS ProtectedData Class - https://msdn.microsoft.com/en-us/library/system.security.cryptography.protecteddata(v=vs.110).aspx — SyntaxGoonoo, May 10 '16 at 03:26

score 1 · Answer 1 · answered May 10 '16 at 19:21

As suggested by @SyntaxGoonoo I plan to use the ProtectedData Class provided by the data protection API (DAPI). I'll set the DataProtectionScope to run as the CurrentUser associated with the Windows service to decrypt the credentials from the SQL database. I'll probably have to make another application that encrypts the credentials and stores it in the database (using the same user context).

Here's some additional resources:

How to: Use Data Protection

How to safely store API credentials in a SQL Server database?

1 Answers1