Where to hide the encryption key

G

Guest

Hi all,
I have a configuration file that is storing sensative data, like db
passwords etc. I want to encrypt the file so that people can not see the
contents. What are the standard practices for storing the encryption key. I
definitely don't want to hard code it in my code otherwise someone looking at
the IL can easily see the key.

Where should this key be stored and how can an app access it without
someone else being able to do the same?

Thanks
Mark.
 
G

Guest

Hi Mark,

Normally one does not store a password in a file, but rather the (salted)
hash of this password. In the main app, when one enters the password, the
hash of this password can be compared with the hash of the password you
calculated and stored in some file. If the hashes are the same, the password
is valid. use SHA256 or better to create the hash.

Hope this helps,

Daniel
 
G

Guest

Hi Daniel,
thanks for your reply, I definitiely agree with you, however if I need to
store a username and password in my configuration file for a connection
string to the database then I cannot modify that in any way otherwise the
dataabse will not know these values. I need someway to encrypt the
configuration file, but be able to decrypt it to get the connection details
but I am not sure where to store the key which will be used to decrypt the
config file. Do I have to encrypt the encryption key :) and so on...

Thanks
Mark.
 
V

Vitaly Zayko

In my point of view:
1. Put the password's hash into the file;
2. Encrypt rest of contents using the password.
3. When the App starts, first of all compare stored hash and hash of the
entered password, if they are identical - decrypt rest of contents.
Vit
 
A

Adam Clauss

Vitaly Zayko said:
In my point of view:
1. Put the password's hash into the file;
2. Encrypt rest of contents using the password.
3. When the App starts, first of all compare stored hash and hash of the
entered password, if they are identical - decrypt rest of contents.
Vit
Click to expand...

I think his point here is that there is no "entered" password - there is
only what exists in the config file. AKA - he wants his program to know
what the username/password for the database is, but noone else should be
able to figure it out from the config file. I understand that right? (I
don't know the proper answer to the question - just trying to clarify).
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Symmetric encryption keys 7
C# Rijndael encryption. When decrypting I get junk data in the firstblock 4
Same encryption codes cannot decrypt password from .NET 1.0 to 2.0 4
Connection String in .config file - Security Concerns 14
Getting password for encryption without storing it in the memory. 5
??? Which Key Encrypts .Config Files ??? 9
Connection Strings app.config and encrypting 1
Security - Best Encryption Mechanism 2

Top