Password protection in configuration

My .NET WinForms application connects to an FTP server and downloads a file. This requires a password to connect. The password must be stored in the config file, but it must be encrypted. The only solutions I have found for this involve either securing an entire configuration section (which I don't need, as in the appSettings section, where the passwords sit alongside other data that needs to be changed manually) or using DPAPI (which doesn't work either, because passwords encrypted on my computer cannot be decrypted on other machines, and that is necessary). Are there other methods?

+2

2 answers


You can encrypt and decrypt manually using a symmetric cipher (like AES) inside your application, with the encrypted password stored in the config file.

The problem, of course, is that you'll have to store the symmetric key that encrypts and decrypts the password inside your application, so anyone with knowledge of cryptography and .NET can reverse engineer your binary quite easily and get the key and, hence, the FTP password.

You can obfuscate your binary to make it more difficult.

Of course, the FTP username and password are sent in plain text anyway (unless you are using FTPS :), so anyone listening in on your application's traffic will quickly figure out the username and password.

I guess it comes down to how secure you want that username and password to be within your application. This approach keeps curious eyes from getting hold of it, but not those who are determined.

+2

You can encrypt specific parts of the .config file - for example, the <connectionStrings> section. This can contain the FTP password (although it is not really a connection string) and you can leave the <appSettings> section unencrypted.

Update: If you cannot use <connectionStrings>, you can create your own section and encrypt it.

Most resources suggest you use the ASP.NET tool aspnet_regiis. Here's an article that talks about encrypting configuration sections for C# Windows applications where using ASP.NET is not an option.



Further update: In the comment, you said:

"This security is enough - this is a simple application within the company, and there is no need for very high security; you just don't want the password lying there as plain text in the configuration file."

So maybe this solution will work for you.

+3
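An added example of the approach described in this answer (not code from the answer or the linked article): protect only the <connectionStrings> section of the application's own .exe.config with the RSA protected-configuration provider, so reads through ConfigurationManager stay transparent and the rest of the file remains editable. It assumes a connection-string entry named FtpPassword (a name chosen for the example) and that the provider's RSA key container was exported from the encrypting machine and imported on the others with aspnet_regiis, which is what lets a password encrypted on one machine be decrypted elsewhere.

```csharp
using System;
using System.Configuration;   // reference the System.Configuration assembly

// Assumes the .exe.config already contains:
//   <connectionStrings>
//     <add name="FtpPassword" connectionString="..." />
//   </connectionStrings>
// and that the provider's default key container (NetFrameworkConfigurationKey)
// was exported with  aspnet_regiis -px "NetFrameworkConfigurationKey" keys.xml -pri
// and imported on each target machine with  aspnet_regiis -pi "NetFrameworkConfigurationKey" keys.xml
// (grant the app's account access with  aspnet_regiis -pa "NetFrameworkConfigurationKey" "DOMAIN\user").
static class ConfigSectionProtector
{
    private const string Provider = "RsaProtectedConfigurationProvider";

    // Encrypts one named section in place; a no-op if it is already protected.
    public static void Protect(string sectionName)
    {
        Configuration config = ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null)
            throw new ArgumentException("Section not found: " + sectionName);
        if (section.SectionInformation.IsProtected)
            return;

        section.SectionInformation.ProtectSection(Provider);
        section.SectionInformation.ForceSave = true;   // write the section even if unchanged otherwise
        config.Save(ConfigurationSaveMode.Modified);
        ConfigurationManager.RefreshSection(sectionName);
    }

    // Reverse operation, for when an operator has to change the stored value.
    public static void Unprotect(string sectionName)
    {
        Configuration config = ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null || !section.SectionInformation.IsProtected)
            return;
        section.SectionInformation.UnprotectSection();
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
        ConfigurationManager.RefreshSection(sectionName);
    }

    // Callers never see ciphertext: the provider decrypts on access.
    public static string ReadFtpPassword()
    {
        ConnectionStringSettings entry = ConfigurationManager.ConnectionStrings["FtpPassword"];
        if (entry == null)
            throw new InvalidOperationException("FtpPassword entry is missing from <connectionStrings>");
        return entry.ConnectionString;
    }
}
```

Running Protect("connectionStrings") once (for example from an installer or first-run step) rewrites the section as an EncryptedData block on disk; as the first answer notes, this only hides the password from casual inspection, since the key container is available to anyone who can run code under the same account on that machine.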