How to hide SQL Server password from user in a Windows Forms Application?

  • Question

  • Using - VS 2005, SQL Server 2005 Express, Windows Forms Application

    Problem-

    I am unable to find a way that hides the password to connect to the database in the case of a Windows Forms Application.

    - app.config is accessible to the user, so connection strings can be read.

    - app.config can't be encrypted as in case of ASP.NET applications

    - hardcoding the password in the application in connectionstring still makes it possible to be discovered by a user


    Vibhor Agarwal
    Saturday, October 23, 2010 5:35 PM

All replies

  • You can encrypt sensitive configuration information in the app.config.  See http://msdn.microsoft.com/en-us/library/89211k9b(VS.80).aspx for details on how this can be done in both Windows Forms and ASP.NET.
    Dan Guzman, SQL Server MVP, http://weblogs.sqlteam.com/dang/
    Saturday, October 23, 2010 7:04 PM
  • @Dan Guzman

    The App.config example in the link you provided lists a Toggle function

    static void ToggleConfigEncryption(string exeConfigName)
    {

    .......
    }

    Can I just add it to my application and it will encrypt the app.config?

    Do I need to decrypt every time the application connects to the database?


    Vibhor Agarwal
    Sunday, October 24, 2010 12:58 PM
  • Use Windows Authentication and then you do not need to provide a password in the connection string.
    Best Regards, Uri Dimant SQL Server MVP http://dimantdatabasesolutions.blogspot.com/ http://sqlblog.com/blogs/uri_dimant/
    Sunday, October 24, 2010 1:07 PM
  • "Can I just add it to my application and it will encrypt the app.config?"

    "Do I need to decrypt every time the application connects to the database?"

    The app.config encryption is transparent to your application; the operational code is identical with or without the encryption.  You only need to encrypt the connection string section once, usually during installation (most secure) or application startup.  Below is sample code gleaned from the toggle example to perform the initial encryption that can be included in your installer or application initialization code.  In practice, you don't need to routinely unprotect a section once it's been protected.

            // Requires a reference to System.Configuration.dll and
            // "using System.Configuration;" at the top of the file.
            Configuration config = ConfigurationManager.
              OpenExeConfiguration(ConfigurationUserLevel.None);
              //OpenExeConfiguration(ConfigurationUserLevel.PerUserRoaming);
              //OpenExeConfiguration(ConfigurationUserLevel.PerUserRoamingAndLocal);

            ConnectionStringsSection section =
              config.GetSection("connectionStrings")
              as ConnectionStringsSection;

            // Guard against a null result from the "as" cast.
            if (section != null && !section.SectionInformation.IsProtected)
            {
              // Encrypt the section with the DPAPI-based provider and write it back.
              section.SectionInformation.ProtectSection(
                "DataProtectionConfigurationProvider");
              config.Save();
            }

    Dan Guzman, SQL Server MVP, http://weblogs.sqlteam.com/dang/
    • Marked as answer by Vibhor Agarwal Thursday, October 28, 2010 6:27 PM
    Sunday, October 24, 2010 3:11 PM
  • @uri dimant

    I can't do this because a password is a requirement.


    Vibhor Agarwal
    Monday, October 25, 2010 1:54 PM
  • @dan guzman

    I am not going to build an installer. I will just distribute the bin/Debug or bin/Release folder.

    So according to your post, you mean to say that in a normal forms application with an app.config file, what I do is

    1. add the toggle function to the app before the statement Application.Start(new Form1()); in Program.cs

    2. execute it just once by running the application and then remove the toggle function

    and my app.config is encrypted and I can just continue developing my application.

    Sorry, I am not currently in possession of the laptop on which I am developing the app, otherwise I would have tried this instead of just talking in the air.


    Vibhor Agarwal
    Monday, October 25, 2010 2:01 PM
  • You will not be able to decrypt a config file that was encrypted with your machine key on another box by default.  If you need to distribute an encrypted config file, you will need to also distribute the associated keys and configure the configuration provider accordingly.  This is not trivial and will require a more robust deployment solution.  Personally, I would use an installer rather than xcopy so that you can encrypt the configuration during deployment rather than before or afterward.


    Dan Guzman, SQL Server MVP, http://weblogs.sqlteam.com/dang/
    Tuesday, October 26, 2010 12:11 PM
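
The first-run encryption and the other-machine failure described in the replies above, combined into one startup routine. This is an added example, not code from the thread or from MSDN; the class and method names and the `AppDb` connection string name are assumptions.

```csharp
// Added example (not from the thread). Targets .NET 2.0 / C# 2.0;
// needs a reference to System.Configuration.dll.
using System;
using System.Configuration;

static class ConfigProtection
{
    const string SectionName = "connectionStrings";
    const string Provider = "DataProtectionConfigurationProvider"; // DPAPI

    // Encrypts the section the first time the app runs on this machine.
    public static bool EnsureProtected()
    {
        // Save() rewrites <exe>.config, so the process needs write access to it.
        Configuration config =
            ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
        ConfigurationSection section = config.GetSection(SectionName);
        if (section == null) return false;
        if (!section.SectionInformation.IsProtected)
        {
            section.SectionInformation.ProtectSection(Provider);
            section.SectionInformation.ForceSave = true;
            config.Save(ConfigurationSaveMode.Modified);
            ConfigurationManager.RefreshSection(SectionName); // drop cached copy
        }
        return true;
    }

    // Reads a connection string; the configuration system decrypts it.
    public static string Read(string name)
    {
        ConnectionStringSettings s = ConfigurationManager.ConnectionStrings[name];
        return s == null ? null : s.ConnectionString;
    }
}

static class Program
{
    static int Main()
    {
        try
        {
            ConfigProtection.EnsureProtected();
            string cs = ConfigProtection.Read("AppDb"); // hypothetical name
            Console.WriteLine(cs == null ? "AppDb missing" : "AppDb loaded");
            return 0;
        }
        catch (ConfigurationErrorsException ex)
        {
            // Raised when the section cannot be decrypted, e.g. the file was
            // encrypted on another machine and copied here.
            Console.Error.WriteLine("Config unreadable here: " + ex.Message);
            return 1;
        }
    }
}
```

With this provider's default machine-level DPAPI protection, other code running on the same machine can also decrypt the section, so the encryption keeps the password out of the readable file rather than out of reach of a local administrator.
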
  • Suppose I am not going to distribute the app.

    IS THIS CORRECT

    In a newly created Windows Forms C# project with an app.config file, what I do is

    1. add the toggle function in Program.cs before the statement Application.Start(new Form1());

    2. let it execute just once by running the application and then remove the toggle function

    and my app.config is encrypted and I can just continue developing my application.

     


    Vibhor Agarwal
    Tuesday, October 26, 2010 7:36 PM
  • Yes, you will be fine using the encrypted config file on your pc for development because it can be decrypted using your machine's key.  Just remember that you won't be able to decrypt the values on another box.
    Dan Guzman, SQL Server MVP, http://weblogs.sqlteam.com/dang/
    Wednesday, October 27, 2010 12:19 AM
  • @dan guzman

    "you will be fine using the encrypted config file on your pc for development"

    That means I can develop and debug my app while the file is in encrypted form (encryption is transparent to Visual Studio).

    Sorry for asking it again, just confirming and preventing a misunderstanding on my part.


    Vibhor Agarwal
    Wednesday, October 27, 2010 1:25 PM
  • Yes, you ought to be able to use the encrypted config file on your machine.  The fact that config sections are encrypted is transparent to your code.
    Dan Guzman, SQL Server MVP, http://weblogs.sqlteam.com/dang/
    Wednesday, October 27, 2010 10:49 PM