Thanks all. I found the CryptoStream class and an example of its use... Unfortunately that raised the question of "Ok, so now where do we store our key in the app, so that no one can pull it out and use it, except for the app." At which point the answer was, why didn't you research this before suggesting it? Ok, let's go back to plain text passwords. I did suggest password hashes, but they are one way and the requirement is that an Admin can read them. I think I lost.
Not real impressed with the ProtectedData class encrypting it per machine/user. I didn't realise until another developer tried to use it and the penny dropped. Encrypted egg on my face. doh!

Last time I did this stuff was years ago and I think I was dealing with the Cryptography namespace. I remember a key and an iv (salt right?) but not sure how we kept the key safe. I imagine if the key was to be put into an XML file that is encrypted (here we go again!!) then the assembly would need to be signed to keep it safe?

Good link that Thomas, thanks. Might forward it to the boss so he sees how simple encryption is. (NOT)

On Fri, Mar 22, 2013 at 10:50 AM, Jason Roberts <[email protected]> wrote:

> Hi, yeah sounds like a key to the encryption / decryption is probably what
> you want assuming there are multiple boxes and/or you want option to scale
> out. I think you can just use the stuff in the Cryptography namespace.
> Just bear in mind that securing the keys will be important. But it would be
> better to use a one way hash (salted) and just let admins reset the
> password, more secure, and possible audit problems?? But don't know the
> specific requirements though.
> ------------------------------
> From: Stephen Price
> Sent: 22/03/2013 10:06 AM
> To: ozDotNet
> Subject: Encryption
>
> Hey all,
>
> http://msdn.microsoft.com/en-us/library/ms229741.aspx
>
> "...which allows you to encrypt data using information from the current
> user account or computer. "
>
> I'm using ProtectedData to encrypt and decrypt passwords so they can be
> stored in database encrypted, but they want to be able to see what the
> password is for administrators. It all works great except when a user logs
> in (using a custom principal, not the user who did the encryption.. ie the
> Admin) and it doesn't work as the user is different, or the machine is
> different.
>
> I'm looking for a way to encrypt and decrypt at an app level rather than
> user/machine level. Don't mind if keys are involved. Anyone done this and
> is there a framework class somewhere for that?
>
> cheers,
> Stephen
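
An added example, not code from anyone in this thread: app-level encryption with the Cryptography namespace, using AES with a fresh random IV per value and an HMAC-SHA256 tag that is checked before decryption. The class name `AppCrypto` and the blob layout are assumptions made for illustration, and the two keys are passed in by the caller; where those keys are stored is the question the thread leaves open and is not addressed here.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

static class AppCrypto // hypothetical helper name
{
    // Output layout: IV (16 bytes) || ciphertext || HMAC-SHA256 tag (32 bytes).
    public static byte[] Encrypt(string plain, byte[] encKey, byte[] macKey)
    {
        using (var aes = Aes.Create()) // defaults: CBC mode, PKCS7 padding
        using (var hmac = new HMACSHA256(macKey))
        {
            aes.Key = encKey;
            aes.GenerateIV(); // fresh random IV per value; not secret, stored with the data
            byte[] pt = Encoding.UTF8.GetBytes(plain);
            byte[] ct;
            using (var enc = aes.CreateEncryptor())
                ct = enc.TransformFinalBlock(pt, 0, pt.Length);
            byte[] body = aes.IV.Concat(ct).ToArray();
            return body.Concat(hmac.ComputeHash(body)).ToArray();
        }
    }

    public static string Decrypt(byte[] blob, byte[] encKey, byte[] macKey)
    {
        // Smallest valid blob: IV + one cipher block + tag.
        if (blob.Length < 16 + 16 + 32) throw new CryptographicException("Blob too short.");
        using (var aes = Aes.Create())
        using (var hmac = new HMACSHA256(macKey))
        {
            int bodyLen = blob.Length - 32;
            byte[] tag = hmac.ComputeHash(blob, 0, bodyLen);
            int diff = 0; // constant-time tag comparison before any decryption
            for (int i = 0; i < 32; i++) diff |= tag[i] ^ blob[bodyLen + i];
            if (diff != 0) throw new CryptographicException("Tampered data or wrong key.");
            aes.Key = encKey;
            aes.IV = blob.Take(16).ToArray();
            using (var dec = aes.CreateDecryptor())
                return Encoding.UTF8.GetString(dec.TransformFinalBlock(blob, 16, bodyLen - 16));
        }
    }

    static void Main()
    {
        // Constructed sample keys, generated here only so the example runs.
        byte[] encKey = new byte[32], macKey = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) { rng.GetBytes(encKey); rng.GetBytes(macKey); }
        byte[] blob = Encrypt("constructed-sample-password", encKey, macKey);
        Console.WriteLine(Decrypt(blob, encKey, macKey));
    }
}
```

Unlike ProtectedData, the result decrypts on any machine and under any account that holds the same two keys, so the keys themselves become the thing to protect.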
