When using a protected configuration provider to encrypt configuration information in an app config file, what encryption is used?

What algorithm and key is used to encrypt and decrypt the information?

Update

OK, I've read the links provided by Sani Huttunen and read these here and here.

So the RsaProtectedConfigurationProvider uses TripleDES and RSA encryption and DpapiProtectedConfigurationProvider uses TripleDES.

RsaProtectedConfigurationProvider uses the machine account or the user account and DpapiProtectedConfigurationProvider uses the user's logon password as the key for encryption and decryption.

I see this would work fine for an ASP.NET web app. But what about Windows applications?

I was led to believe that all my connection strings should be saved in the app.config file and then encrypted using a protected configuration provider.

But if you deploy your WinForms app to another machine, it would not be able to decrypt the connection string because the key was based on the developer's logon password and saved in a key file not deployed with the application. Or if the key file is deployed with the application, then anyone can decrypt the app.config file.

Is this correct? So what's the point in using this method?

What's the method for protecting information in an app.config file for deployed windows applications?

A: 

You may want to read all about it here.

There are two providers in the .NET Framework:

DpapiProtectedConfigurationProvider uses the Windows Data Protection API (DPAPI) to encrypt and decrypt data.

RsaProtectedConfigurationProvider uses the RSA encryption algorithm to encrypt and decrypt data.

Sani Huttunen
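
An added example, not part of the original question or answer: because DPAPI ciphertext can only be decrypted on the machine (or by the user) that produced it, a deployed Windows application can ship a plaintext app.config and encrypt the section on the target machine at install time or first run. It assumes the config file has a connectionStrings section, that the process can write to the executable's .config file, and that the project references System.Configuration; the class and method names are hypothetical.

```csharp
// Added example: protect a config section on the machine where the app is installed.
using System;
using System.Configuration;

static class ConfigProtector
{
    // Default name under which DpapiProtectedConfigurationProvider is registered in machine.config.
    // The RSA provider is registered as "RsaProtectedConfigurationProvider".
    const string DpapiProvider = "DataProtectionConfigurationProvider";

    // Encrypts the named section of this executable's .config file in place.
    // Returns true if this call encrypted it, false if it was already protected.
    public static bool ProtectOnThisMachine(string sectionName)
    {
        Configuration config =
            ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null)
            throw new ConfigurationErrorsException("Section not found: " + sectionName);

        if (section.SectionInformation.IsProtected)
            return false;                      // nothing to do on later runs
        if (section.SectionInformation.IsLocked)
            throw new ConfigurationErrorsException("Section is locked: " + sectionName);

        // The key material comes from DPAPI on this machine, so no key file
        // travels with the installer and the developer's account is not involved.
        section.SectionInformation.ProtectSection(DpapiProvider);
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);

        // Drop the cached copy so later reads come from the saved file.
        ConfigurationManager.RefreshSection(sectionName);
        return true;
    }

    static void Main()
    {
        bool changed = ProtectOnThisMachine("connectionStrings");
        Console.WriteLine(changed ? "Section encrypted." : "Section was already encrypted.");

        // Reads go through the provider, so values arrive decrypted transparently.
        // Only the names are printed here to keep secrets out of console output.
        foreach (ConnectionStringSettings cs in ConfigurationManager.ConnectionStrings)
            Console.WriteLine("Loaded connection string: " + cs.Name);
    }
}
```

Any code running on that machine under an account DPAPI accepts can still decrypt the section, so this protects the file at rest and in copies taken off the machine, not against a local administrator.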