I have a client app that needs to save a username/password for an SMTP Server. This data will be going into SQL Server 2005, and consumed by my server app. The server app will use the System.Net.Mail namespace to send e-mail messages using the supplied credentials (and from that user's e-mail address). How can I encrypt/decrypt the password easily/securely so that I don't have plain-text passwords flying across the wire? Note that the client and server apps are NOT guaranteed to be on the same computer.

+1  A: 

There is a whole encryption namespace in .NET, System.Security.Cryptography (example), so you can encrypt/decrypt the data on the client.

Now how to store the key to the cipher. This can be stored in app.config encrypted as described here. Note though, that if the user has admin access to the machine, they can decrypt the keys stored in your app.config.

Rashack
You seem to be suggesting using the .NET managed interface to DPAPI to protect the key that protects the data. Why not just use DPAPI directly to protect the data (i.e. System.Security.Cryptography.ProtectedData)? Just have one key that unlocks the data, not a key that unlocks a key, that finally unlocks the data.
chyne
I thought the passwords should have been encrypted in the database and shared amongst the clients. I.e. the key to the database data should be shared...
Rashack