I've seen lots of ways of doing it, but technically nothing is secure as long as someone can see the encrypted output. I've seen it put in the registry, put in machine.config, encrypted, not encrypted, base 64 encoded. None of them are truly secure since as long as someone can get to the specific file, they can attempt to decrypt it.
I'm pretty sure your most secure way would be to use (providing you're using SQL Server) integrated authentication. It can be a pain to set up your webservers or to make sure all your winforms users are part of the appropriate group, but that way your connection string can't be compromised. Adam.. -----Original Message----- From: Unmoderated discussion of advanced .NET topics. [mailto:[EMAIL PROTECTED] On Behalf Of Eddie Lascu Sent: Thursday, December 09, 2004 9:54 AM To: [EMAIL PROTECTED] Subject: [ADVANCED-DOTNET] How and where to store securely a database connection string I would like to hear about different options to securely store a database connection string. In the past we used to hard code it but that meant that we will never be able to change it unless we were ready to recompile the hole application/system (or at least parts of it). With .NET the app.config file is an easy place to put it. It's convenient because you can change it with a simple text editor (Notepad). You don't need to recompile your application, a restart would be enough (ASP.NET doesn't even need that). However, it's not really secure because everyone can have access to it. Is there a way to encrypt the app.config or at least parts of it? I guess I could encrypt the connection string and store it in the app.config. I could include the decryption algorithm in my app but then I would need a different application to be able to decrypt the string, change it and encrypt it back into the app.config. I am really curious about what are different options here. =================================== This list is hosted by DevelopMentor� http://www.develop.com Some .NET courses you may be interested in: Essential .NET: building applications and components with C# November 29 - December 3, in Los Angeles http://www.develop.com/courses/edotnet View archives and manage your subscription(s) at http://discuss.develop.com
