Storing Secrets

Nikolay Petrov · Nov 10, 2004

When using System.Security.Cryptography to Encrypt/Decrypt information, I
need to store two values - the Initialization Vector and the Encryption Key.
The are both needed in Encryption/Decryption process.
Where I can store them securely, because if they are compromized, everyone
can decrypt the encrypted information?
I guess, that it is stuped to leave them in code!

TIA

Richard Myers · Nov 10, 2004

Nikolay Petrov said:
When using System.Security.Cryptography to Encrypt/Decrypt information, I
need to store two values - the Initialization Vector and the Encryption Key.
The are both needed in Encryption/Decryption process.
Where I can store them securely, because if they are compromized, everyone
can decrypt the encrypted information?
I guess, that it is stuped to leave them in code!

TIA

That depends on the values of the initiliasation vector/encryption key plus the site on which they
intended to be used.
In order for us to help you better, please post both values here along with any Urls/public networks
upon which you intend to use them.

Sincerely
Richard

Nikolay Petrov · Nov 11, 2004

I have an WebService and Windows Froms app, which both need to store
encrypted information in files, Windows Registry and SQL server.
In windows registry I store the encrypted SQL connection string. In SQL db I
store usernames, passwords and other sensitive information. In file is store
information download from my WinForms app to my clients.

I red that storing things in code i.e.
Dim encKey as string = "123456789012345"
is not save.
I have an idea that the encryption key is to be ganarated from a function.
Is this going to be more secure?

Richard L Rosenheim · Nov 12, 2004

You might wish to look into DPAPI.

Here's some links (in no particle order):

http://msdn.microsoft.com/library/en-us/secmod/html/secmod21.asp
http://msdn.microsoft.com/library/en-us/secmod/html/secmod22.asp
http://msdn.microsoft.com/library/en-us/dnnetsec/html/SecNetHT08.asp
http://msdn.microsoft.com/library/en-us/dnnetsec/html/SecNetHT07.asp
http://msdn.microsoft.com/library/en-us/dnsecure/html/windataprotection-dpapi.asp

Richard Rosenheim

File Encryption/Decryption problem	3	May 3, 2008
Encryption in C#	6	Nov 24, 2009
User Name and Password in Config file	1	Jun 19, 2006
how safe is it using private member as encryption key	10	Jan 4, 2008
Same encryption codes cannot decrypt password from .NET 1.0 to 2.0	4	Dec 16, 2005
Example of encryption	4	Apr 4, 2006
Encrypt/Decrypt Credit Card Data	7	Jun 25, 2009
Encrypting and Decrypting AppConfig	1	Jul 25, 2008

Storing Secrets

Nikolay Petrov

Richard Myers

Nikolay Petrov

Richard L Rosenheim

Ask a Question

Similar Threads