WCF Encryption solution for App.config viewable to a client?

Question

I have a desktop application which contains an App.config (program.exe.config at release) with clearly visible elements which define my WCF endpoints and WCF implementation.

Answer 1

You can give protected configuration in .NET a try but it is not very simple. You need to encrypt the config file on the client machine as the protected configuration providers may produce machine specific encypted data. In other words, if you encrypt the configuration section on your machine or the build machine, you may not be able to decrypt it on client machines. You may also export and import encryption keys onto client machine. Therefore, you will have to do something during the installation where you install a key on the client machine and you use that key to encrypt the configuration section. Take a look at Implementing Protected Configuration With Windows Apps. As you can see, this is really not a very easy and clean solution and adds up complexity in terms of deployment.

On the other hand, configuring WCF on the client side programmatically is easy. You can set up the binding and endpoint in the code. You may want to keep the address or url in the config file if you still want to leave some flexibility via configuration to direct clients to a different url without a new build. I think this is the best approach as I don't think that your bindings and endpoints are likely to change once you test and deploy your application. But you know your requirements better :-) I would say don't overengineer or apply a heavy and expensive solution to something that may really not be a realistic concern.