[.NET 2.0+] Protected Configuration (Encrypting Config Files)

[jmcilhinney]

The config file is the preferred location for application configuration data these days. .NET apps will use it themselves to store data in various situations. One such situation that many people may have encountered is when you create a Data Source the wizard offers to store the connection string in the config file. This is so that you can simply edit the config file when the app is installed to customise the connection for that system. One issue here is, what if the connection string contains a password? The config file is just plain text so its visible to the world. The answer is encryption and it's already built into the .NET configuration mechanism.

Try running the attached project and then opening the config file from the bin\Debug folder in VS. Notice that there's a <connectionStrings> section and it contains an item named PrimaryConnectionString. Now, select Tools -> Options from the menu and see that the components of that connection string are displayed as individual fields. Try editing those fields and then clicking OK. You don't actually have to have SQL Server installed to do this but if you want to use the drop-down lists to select a server and database you will need it. Go back to VS and you should be prompted to reload the config file. Do so and note that the values you entered now appear in the stored connection string.

Next, select Tools -> Encrypt Connection Strings from the menu. Go back to VS and reload the config file again and observe the changes. Note that your actual connection string is nowhere to be seen. Now, if you select Tools -> Options again at this point an exception will be thrown. I'm not sure exactly why and i'm not sure how to fix it, but that isn't really a problem anyway. This error only occurs when you start the app with the <connectionStrings> section unencrypted, then encrypt it, then try to read a connection string via My.Settings. This should never occur so the error should never appear.

So, close the app and then run it again. Select Tools -> Options from the menu and observe that the components of the connection string are displayed again, even though they cannot be seen in the config file. There was no extra code needed to accomplish this. The user code is exactly the same to read the connection string whether the config file is encrypted or not. the decryption is handled on-the-fly by the Framework.

Now, edit the connection properties again and click OK. Go back to VS and reload the config file again and observe that the long strings of gibberish have changed. Those strings contain your data in encrypted format. Now, select Tools -> Decrypt Connection Strings from the menu and go back to VS and reload the config file again. Note that your connection string is now visible again and the changes you made are reflected. Go back to the app and select Tools -> Options again and observer that, using the same code again, the connection properties have been read from the unencrypted config file. Tada!

N.B. - I've removed the original attachment, which was a VS 2008 project, and attached a VS 2005 version in its place.

[jmcilhinney]

To continue, that all demonstrates encrypting the <connectionStrings> section. You can encrypt other sections too. In the code for the OptionsDialogue in the project find the Load event handler, which looks like this:

vb.net Code:

Private Sub OptionsDialogue_Load(ByVal sender As Object, _
                                 ByVal e As EventArgs) Handles MyBase.Load
    Me.LoadConnectionString()
    'Me.LoadAppSettings()
End Sub 

and change it to this:

vb.net Code:

Private Sub OptionsDialogue_Load(ByVal sender As Object, _
                                 ByVal e As EventArgs) Handles MyBase.Load
    'Me.LoadConnectionString()
    Me.LoadAppSettings()
End Sub 

Likewise find the okButton.Click event handler and change this part:

vb.net Code:

configSaved = Me.SaveConnectionString
'configSaved = Me.SaveAppSettings 
 

to this:

vb.net Code:

'configSaved = Me.SaveConnectionString
configSaved = Me.SaveAppSettings 

You can now perform the same steps as before but note that the connection properties are being retrieved from, and stored to, individual elements within the <appSettings> section. As such, use the Encrypt App Settings and Decrypt App Settings items from the Tools menu to encrypt and decrypt the config file.

Note that in this case you can still read the config file successfully even if encryption was applied after opening the app. Like I said though, this situation should never arise in the real world.

So, speaking of the real world, how would you use this? Well, normally if you want to encrypt the config file then you'd want it encrypted all the time. As such you would use a Setup project to install your app and then you'd include the encryption code in a Custom Action, so the config file is encrypted when the app's installed. because you don't need to make any code changes to read and write an encrypted config file, you can read and write the unencrypted config file while you're developing and then read and write the encrypted config file when the app's deployed without having to care which is which.

Note that what I've shown is for WinForms apps. ASP.NET apps are very similar except that you don't perform the encryption and decryption in code. You encrypt a web.config file using the aspnet_regiis utility at the commandline. That's basically because web apps get installed once only, and it's not going to be the end user who installs it.

How To: Encrypt Configuration Sections in ASP.NET 2.0 Using DPAPI
How To: Encrypt Configuration Sections in ASP.NET 2.0 Using RSA

Please play with the code and feel free to ask questions BUT please make sure you have read the code THOROUGHLY first.

[jlbantang]

great! i always hope the best from jm

[jlbantang]

hcan you please provide, is there available version for 2005? im receiving this error "the selected file is a solution file, but was created by newer version of this application or cannot be opened."

tnx

[jmcilhinney]

Quote:

Originally Posted by jlbantang

hcan you please provide, is there available version for 2005? im receiving this error "the selected file is a solution file, but was created by newer version of this application or cannot be opened."

tnx

Go back and read the edit I added to the end of the first post.

[jlbantang]

thnx.

i tried to work around by chance to remove the blue squirky lines particular in the Dim config As System.Configuration.Configuration

what i did is import configuration related namespace to make sure i wont miss a thing

vb Code:

Imports System.Configuration
Imports System.Configuration.ApplicationScopedSettingAttribute
Imports System.Configuration.ApplicationSettingsBase
Imports System.Configuration.Assemblies
Imports System.Configuration.DefaultSettingValueAttribute
Imports System.Configuration.NoSettingsVersionUpgradeAttribute
Imports System.Configuration.SettingAttribute
Imports System.Configuration.SettingsAttributeDictionary
Imports System.Configuration.SettingsDescriptionAttribute
Imports System.Configuration.SettingsGroupDescriptionAttribute
Imports System.Configuration.SettingsGroupNameAttribute
Imports System.Configuration.SettingsLoadedEventArgs
Imports System.Configuration.SettingsManageabilityAttribute
Imports System.Configuration.SettingsPropertyWrongTypeException
Imports System.Configuration.SettingsProviderAttribute
Imports System.Configuration.SettingsSerializeAsAttribute
Imports System.Configuration.SpecialSettingAttribute
Imports System.Configuration.UserScopedSettingAttribute 

but still i received the same error.

[jmcilhinney]

There's no use importing the namespace a class is a member of if you haven't referenced the assembly it's declared in.

[jlbantang]

everything's clear except this line

vb Code:

Private Sub LoadConnectionString()
        'Load the current connection string.
        Dim builder As New SqlConnectionStringBuilder(My.Settings.PrimaryConnectionString)
...
end sub 

i dont understand the line and its produce an error. i change the argument to

Code:

        Dim builder As New SqlConnectionStringBuilder("Data Source=ConnectionStringsServer;Initial Catalog=ConnectionStringsDatabase;User ID=ConnectionStringsUserName;Password=ConnectionStringsPassword")

the program run but i was not able to encrypt/decrypt app.config

[jmcilhinney]

It's not clear what you mean when you say it's not clear. Do you mean you don't understand it or that it's not working?

[jlbantang]

hi jm. the prog runs but the app.config were not encrypted/decrypted. your code which i replace might have something to do w/ this.

your code:

vb Code:

Dim builder As New SqlConnectionStringBuilder(My.Settings.PrimaryConnectionString) 

what was this line for anyway?

replaced with this:

vb Code:

Dim builder As New SqlConnectionStringBuilder("Data Source=ConnectionStringsServer;Initial Catalog=ConnectionStringsDatabase;User ID=ConnectionStringsUserName;Password=ConnectionStringsPassword") 

[jmcilhinney]

Quote:

Originally Posted by jlbantang

hi jm. the prog runs but the app.config were not encrypted/decrypted. your code which i replace might have something to do w/ this.

your code:

vb Code:

Dim builder As New SqlConnectionStringBuilder(My.Settings.PrimaryConnectionString) 

what was this line for anyway?

replaced with this:

vb Code:

Dim builder As New SqlConnectionStringBuilder("Data Source=ConnectionStringsServer;Initial Catalog=ConnectionStringsDatabase;User ID=ConnectionStringsUserName;Password=ConnectionStringsPassword") 

That line is to load the stored connection string via My.Settings. Likely you have to actually add the connection string to the settings first. Just impoting the config file is probably not enough. Go to the Settings tab of your project properties and check if there's a connection string listed there. If there isn't then you'll need to add one, so you'll need to delete the existing one from the config file first.

[MechEng]

Quote:

N.B. - This solution was created in VS 2008, so you will not be able to open it in VS 2005, even though it targets .NET 2.0 and all the code will work. If you're using VS 2005 then you have two choices:

1. Edit the SLN and VBPROJ files so they become compatible with VS 2005. Do NOT try this if you don't absolutely know what you're doing.
2. Create a new VS 2005 solution and use Add Existing Item to import the items from my solution. I think you should be able to import everything but, if not, only a small amount of hand-editing will be required.

Thanks jmc. This is seams to be a well done post, but I was wondering if anyone actually been able successfully import the code into VB2005? I have been working on this for hours and I obviously do not have enough VB-brain power to correct all the import issues.

[jmcilhinney]

I've removed the original attachment and attached a VS 2005 version of the project in its place.

[MechEng]

Thanks jmc. This works great… and is an excellent example of encrypt/decrypt of and access to the config file.

Thanks very much.

[Xancholy]

Quote:

Originally Posted by jmcilhinney

Go to the Settings tab of your project properties and check if there's a connection string listed there.

Thanks for this terrific info. I don't understand a few things and request clarification.

After one adds the connection string to the Settings tab of your project properties and the encryption takes place though your solution...

If I want to use your data access examples to pull data to a form...

How would I now open & close connections ?

[jmcilhinney]

Quote:

Originally Posted by Xancholy

Thanks for this terrific info. I don't understand a few things and request clarification.

After one adds the connection string to the Settings tab of your project properties and the encryption takes place though your solution...

If I want to use your data access examples to pull data to a form...

How would I now open & close connections ?

vb.net Code:

Dim connection As New SqlConnection(My.Settings.MyConnectionString) 

That's it, whether the config file is encrypted or not. The decryption is handled seamlessly.

[Xancholy]

That's beautiful - thanks !

[thermo_ll]

can you post also the vb2008 version of this code ! thanks

[jmcilhinney]

Quote:

Originally Posted by thermo_ll

can you post also the vb2008 version of this code ! thanks

The code is exactly the same. I only attached a VS 2005 project because VS 2005 users couldn't open a VS 2008 project. The converse is not the case so you can simply open the attached project as you normally would and say yes when VS offers to upgrade it to VS 2008 format.

[illskills]

many thanks im going to bookmark this and read it in the morning ;0)