Is there a way to encrypt the configuration file of a Windows forms application?

All I can find on Google is stuff that is dependent on "aspnet_regiis.exe", but I want to do this for a desktop application.

e.g. http://msdn.microsoft.com/en-us/library/ms998283.aspx

+3  A: 

What are you trying to accomplish?

Remember that the program itself needs to decrypt the file, and, in your case, the EXE file will be on the end users' machines.
Therefore, anyone who has access to the config file will almost definitely have the EXE as well, and there is no way to prevent them from reading it.

If you're storing the end-user's password and want to prevent other people from reading it, you could call File.Encrypt on the path to the file. Note that this won't work in XP Home.

You can also use the ProtectedData class in System.Security.dll to encrypt a byte array such that only the logged-on user can decrypt it, then store that byte array in the config file. (This will work in XP Home, AFAIK.)

SLaks
I am trying to produce an application which will need to have access to a database to pull information from, which I don't want the application user to have access to, and I don't want them to see the connection string to the database. Which is also why I can't use integrated security...
Rick
You're out of luck; that's not possible. Remember that the user can do anything that the application can do using Reflector and a debugger.
SLaks
Or, another way of putting that is that an application can do only those things that the user can do; *an application acts on behalf of the user*. If the application can do X, then clearly the user must have been able to do X, since the application can only do what the user already can do. If the application can decrypt the config file and connect to the database, then the user can too.
Eric Lippert
@Eric: That line is usually used in reverse, when people want Windows to only allow something to be done by the user, not any application.
SLaks
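The ProtectedData approach from the answer above, as an added example that is not part of the original answer: it encrypts a value for the current Windows user and stores it Base64-encoded in appSettings. The key name, the entropy string and the class name are assumptions, and the EXE's config file is assumed to be writable by the user. This keeps the value from other accounts on the machine, not from the logged-on user.

```csharp
// Added example, not code from the answer. Needs references to
// System.Security.dll and System.Configuration.dll (.NET Framework).
using System;
using System.Configuration;
using System.Security.Cryptography;
using System.Text;

static class ProtectedSetting
{
    // Hypothetical setting name, chosen for this example.
    const string Key = "SavedPassword";

    // Optional entropy ties the blob to this purpose. It ships inside the EXE,
    // so it is not a secret and adds nothing against the logged-on user.
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("MyApp.SavedPassword.v1");

    public static void Save(string secret)
    {
        byte[] plain = Encoding.UTF8.GetBytes(secret);
        try
        {
            // CurrentUser scope: only this Windows account can decrypt the blob.
            byte[] blob = ProtectedData.Protect(plain, Entropy, DataProtectionScope.CurrentUser);

            var config = ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
            config.AppSettings.Settings.Remove(Key);
            config.AppSettings.Settings.Add(Key, Convert.ToBase64String(blob));
            config.Save(ConfigurationSaveMode.Modified);
            ConfigurationManager.RefreshSection("appSettings");
        }
        finally { Array.Clear(plain, 0, plain.Length); }
    }

    // Returns null when nothing is stored or this user cannot decrypt the value.
    public static string Load()
    {
        string stored = ConfigurationManager.AppSettings[Key];
        if (string.IsNullOrEmpty(stored)) return null;
        try
        {
            byte[] plain = ProtectedData.Unprotect(
                Convert.FromBase64String(stored), Entropy, DataProtectionScope.CurrentUser);
            try { return Encoding.UTF8.GetString(plain); }
            finally { Array.Clear(plain, 0, plain.Length); }
        }
        catch (CryptographicException) { return null; } // other user or machine, or altered blob
        catch (FormatException) { return null; }        // stored value is not valid Base64
    }
}
```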
A: 

In response to your comment:

It is not possible to stop a determined user. If the user tries hard enough, there is nothing you can do to prevent him from doing what an application on his machine is able to do. You can make it exceedingly difficult, but not impossible.

What exactly are you afraid that the user will do?

If you only want him to be able to see some of the data, you can use database permissions or stored procedures, or replace the database with a web service.
If you don't want him to be able to copy the data, there's no 100% solution.

You can obfuscate the assembly, but no obfuscator is completely perfect.
You can add lines like if (Debugger.IsAttached) Environment.FailFast(), but the user can remove them with Reflexil.
You can use a hash of the assembly file as (part of) the encryption key, but the user can replace it with a hard-coded byte array using Reflexil.
If you replace the database with a web service, you could modify the web service to detect suspicious requests, but the user could wait between requests and/or use different machines.
You could return images instead of data, but the user can use OCR.

In short, you can make it very difficult and time-consuming, but you can't make it impossible.

SLaks