C# connectionString encryption questions

Question

I am learning how to encrypt the ConnectionString for our C# (3.5) Application. I read the .Net Framwork Developer Guide (http://msdn.microsoft.com/en-us/library/89211k9b(VS

Answer 1

1) Yes, if you use this approach, you would encrypt it per machine it was installed on. If you would have different config per machine anyway, this would be the normal approach from my exp. This is not a good approach if you're trying to send a "secret" connection string.

2) If you haven't seen it, this article I think will answer the question about the RSA provider... http://msdn.microsoft.com/en-us/library/ff650304.aspx

If this is an app used by clients that you need to provide connection info to then:

WORD OF CAUTION: Don't think that by encrypting the config, you are truly protecting yourself from the user running the application. At some point, that string needs to be decrypted by the app to be used to connect to the server. That application may be able to be leveraged to provide that connection to other apps. In short, you shouldn't rely on this as your only strategy to keep users out of the DB. Good security is always a multi pronged effort.