encrypting connection strings for network installed application

Chris Dunaway

I have an application which is installed on a network share to be run
from one or more workstations. I have granted trust to the
applications on the workstations and the appropriate permissions on the
shared folder and the users can execute the app with no problem.

I do have a problem, however, after the application starts. In the
application's .config file, the connectionStrings section of the file
is encrypted upon first run of the app (this is temporary). When
encrypted, the connectionStrings section can only be successfully
decrypted on the machine that first encrypted it. Other workstations
will not be able to run because they cannot decrypt the
connectionStrings section.

Here is the code used to encrypt the connectionStrings section of the
.config file:

    using System.Configuration;
    using System.Reflection;

    // Encrypts the connectionStrings section of the .config file if it is
    // not already encrypted.
    static void ConfigEncryption()
    {
        string exeName = Assembly.GetExecutingAssembly().Location;

        // Open the configuration file and retrieve
        // the connectionStrings section.
        Configuration config =
            ConfigurationManager.OpenExeConfiguration(exeName);

        ConnectionStringsSection section =
            config.GetSection("connectionStrings") as ConnectionStringsSection;

        // If the section exists and is not already encrypted
        if (section != null && !section.SectionInformation.IsProtected)
        {
            // Encrypt the section.
            section.SectionInformation.ProtectSection(
                "RsaProtectedConfigurationProvider");

            // Save the current configuration if we encrypted it
            config.Save();
        }
    }

I believe my problem stems from the fact that when encrypted, the
encryption keys used are based on the machine that did the encrypting.
Other machines, because they do not have the keys, cannot decrypt the
connectionString. Somehow, I need to let the other workstations know
how to decrypt the connectionString section of the .config file.

Can anyone suggest any means to do what I want? What I want is the
following:

1. Be able to run the app from a network share from one or more
workstations.
2. Be able to encrypt the connectionStrings section of the .config
file.

Thanks for any information,

Chris
 
Marc Gravell

Well, have you tried looking into the DpapiProtectedConfigurationProvider? I
suspect you may be able to export the dpapi keys and import them into the
other users' (or machines') profiles. Perhaps. Maybe.

Marc
 
Nicholas Paldino [.NET/C# MVP]

Marc,

That's not going to work, as I think you have to base it either on the
machine, or the user, both of which will create a problem in this situation.
 
Marc Gravell

Fair enough; I was thinking of asp.net, where you can use aspnet_regiis with
"-pc -exp" (generate), "-px -pri" (export), "-pi" (import), "-pa" (grant
access) and "-pe" (encrypt) to share the encryption keys around a cluster.

Oh well... sorry if I only added confusion...

Marc
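
The shared-key approach behind the aspnet_regiis switches quoted above, sketched for a desktop .config file; this is an added example, not code posted by anyone in the thread. The provider name `SharedRsaProvider`, the container name `SharedAppKeys`, the file `keys.xml`, the group `DOMAIN\AppUsers` and the helper class are assumptions, and the `Version=` in the provider type must match the installed framework.

```csharp
using System;
using System.Configuration;
using System.Reflection;

static class SharedKeyConfigProtection
{
    // Assumed names (not from the thread). The application's .config must declare:
    // <configProtectedData>
    //   <providers>
    //     <add name="SharedRsaProvider"
    //          type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
    //          keyContainerName="SharedAppKeys" useMachineContainer="true" />
    //   </providers>
    // </configProtectedData>
    //
    // Key distribution with the switches quoted above:
    //   aspnet_regiis -pc "SharedAppKeys" -exp              (once: create exportable container)
    //   aspnet_regiis -px "SharedAppKeys" keys.xml -pri     (once: export including private key)
    //   aspnet_regiis -pi "SharedAppKeys" keys.xml          (each workstation: import)
    //   aspnet_regiis -pa "SharedAppKeys" "DOMAIN\AppUsers" (each workstation: grant read access)
    // keys.xml contains the private key; delete it after each import.
    const string ProviderName = "SharedRsaProvider";

    // Run once, on the machine where the container was created.
    // Returns true if the section was encrypted by this call.
    public static bool ProtectConnectionStrings()
    {
        Configuration config = ConfigurationManager.OpenExeConfiguration(
            Assembly.GetExecutingAssembly().Location);
        ConfigurationSection section = config.GetSection("connectionStrings");
        if (section == null || section.SectionInformation.IsProtected)
            return false;
        section.SectionInformation.ProtectSection(ProviderName);
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }

    // Run on every workstation. Decryption is transparent when the container
    // is present; a missing or unreadable container surfaces as
    // ConfigurationErrorsException, which is turned into an actionable error.
    public static string GetConnectionString(string name)
    {
        try
        {
            ConnectionStringSettings s = ConfigurationManager.ConnectionStrings[name];
            return s == null ? null : s.ConnectionString;
        }
        catch (ConfigurationErrorsException ex)
        {
            throw new InvalidOperationException(
                "Cannot decrypt connectionStrings: import key container " +
                "'SharedAppKeys' on this machine and grant this account access.", ex);
        }
    }
}
```

Any account granted access to the container with `-pa` can decrypt the section on that workstation, so this protects the file on the share from casual reading rather than from the application's own users.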
 
William Stacey [MVP]

If I may ask. Why not use integrated security, then you don't have to worry
about the connection string?

--
William Stacey [MVP]

 
Chris Dunaway

William said:
If I may ask. Why not use integrated security, then you don't have to worry
about the connection string?

Well, the simple answer to that is that I don't have control over that.
We just want to prevent casual browsing of the database. Encrypting
the connection string in this manner seemed a very simple way of doing
it.
 
