VB 2008 App - Encrypt Database Connection String in App.Config


  • I know this topic has been addressed a million times but please help me out.  I have read so many articles on HOW TO encrypt and decrypt the app.config file but I need to know WHEN and WHERE I should encrypt it.

    The problem arose because we found an AppName.exe.config file on a users computer and the database username and password was clearly visible.  I understand that the .config file gets created during the VB app install process and is used by the application.  I then learned about the aspnet_regiis.exe tool and ran it on the app.config file inside my VB project.  I am guessing that was the wrong thing to do.

    When I now install the app on user desktops, it gives an error stating failed to decrypt the connection string.  Also, when one of my other developers attempts to open the project in his copy of visual studio on his computer, he receives an error when trying to access the setting portion of the project properties.  We store all of our projects on a file server and any developer can access the projects via a mapped drive on their computer.

    So how am I supposed to encrypt the .config file.  If I can't encrypt the App.config file in the development environment, then I'm guessing I have to perform the encryption on the users PC during the install process?  How do I do that?  Or is that what I am supposed to do?

    Just for reference, here is the aspnet_regiis command I ran.

    aspnet_regiis.exe -pef "connectionStrings" S:\Projects\Development\\PTPU\SourceCode\PTPU -prov "DataProtectionConfigurationProvider"

    One last thing, maybe it's my misunderstanding of the issue but if this problem has existed since .Net 2.0, why has an option not been built into the development studio to encrypt connection strings?.  This would seem to be a very common issue, even their own dataset wizard creates connection strings that are clearly readable.

    Wednesday, September 21, 2011 3:57 PM


All replies

  • Another question, why do you still use server security like in 1985 instead of integrated security. With integrated security the connectionstring shows only the place where the server residence.

    Wednesday, September 21, 2011 4:13 PM
  • Really it's for simplification of management. I have a small I.T. department (myself being manager, developer and tech, 1 full time developer and 1 full time tech). We support over 200 PC's with mixed OS's, terminal sever environment with over 100 users, manage 14 server's, develop our own programs and ERP enhancements and install all our own wiring in 9 locations across the U.S.A. Call me lazy, but I don't want to have to deal with 200+ logins for SQL.

    I probably need 3 more people to run this I.T. department correctly, but I have to work with what I am given. I don't work in an environment that is conducive to learning, or perhaps, coding the "new way".

    Please can someone help me make this work the way I need it to?

    • Edited by DN1962 Wednesday, September 21, 2011 6:22 PM
    Wednesday, September 21, 2011 6:11 PM
  • So I had to try and reverse the encrption to the app.config file and it wasn't working so I deleted it from the solution explorer with the intention of recreating it.  I deleted it and closed visual studio.  I then reopened VS and checked the settings section in the project properties expecting the connection string to be gone.  It wasn't!  Eveything I had set was still present.  I checked the file system and the app.config was gone.  I recomplied the installer and did a clean install of my app expecting the program not to work.  It did!  The AppName.exe.config is no longer present.

    What is going on?  If the connection string doesn't need to be in the app.config file, why does it get created in there? 

    Wednesday, September 21, 2011 7:46 PM
  • I would still like to know how I'm supposed to use encryption on the app.config file in case I have to use it for something else.

    Wednesday, September 21, 2011 8:39 PM
    • Proposed as answer by Cor LigthertMVP Thursday, September 22, 2011 6:53 AM
    • Marked as answer by DN1962 Thursday, September 22, 2011 12:25 PM
    Thursday, September 22, 2011 4:06 AM
  • Thankyou.

    The third link looks like it will address my issue.  I had already looked through several code project articles but did not find the one you listed.

    Thanks again.

    Thursday, September 22, 2011 12:25 PM