I am developing a .NET (2.0) WinForms utility that connects to a SQL Server 2005 database. I have found reference material, such as Avoiding Plaintext Passwords for handling the actual encryption of the connection string data. I now need to implement the encryption during the installation process so that an administrator can install the utility on a user's desktop, but not provide the user with the database connection information.
The sample code all seems geared toward performing the encrypting within the primary application. So the app would need to be executed once for the encryption to take place. If the application is installed but not executed, the configuration information would be in plain text in the configuration file.
Can anyone provide information showing how the encryption can be performed from the setup app? Other approaches to the problem are welcome as well (however, due to business requirements, I am not in a position to require Windows authentication for the database connection - I am limited to SQL Server authentication).
Edit: I may have been overly brief with my description. We have already performed a risk assessment and determined that using the built-in .NET framework functionality for encrypting the connection information provides sufficient security for the application.
We understand that a truly determined individual could eventually obtain the connection information, and we readily accept that risk. The purpose of encrypting the connection data is to simply raise the bar of effort and to help "keep honest people honest".
Having already worked out the means of performing the encryption, I am now trying to work out a method of performing the encryption from within the installation process. Any help along those lines would be appreciated. Thanks!
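One way to perform the encryption from the setup project, shown as an added example that is not part of the original post: an installer custom action that protects the `connectionStrings` section of the installed application's config file with the built-in .NET protected configuration API. The class name `ProtectConfigInstaller`, the `exePath` custom action parameter and the file name `MyUtility.exe` are assumptions made for illustration.

```csharp
using System.Collections;
using System.ComponentModel;
using System.Configuration;
using System.Configuration.Install;

// Added example. Reference System.Configuration.dll and
// System.Configuration.Install.dll, then register this class as an Install
// custom action in the setup project with CustomActionData such as
//   /exePath="[TARGETDIR]MyUtility.exe"   (hypothetical file name)
[RunInstaller(true)]
public class ProtectConfigInstaller : Installer
{
    public override void Install(IDictionary stateSaver)
    {
        base.Install(stateSaver);

        // Path of the installed executable; the API opens <exePath>.config.
        string exePath = Context.Parameters["exePath"];
        if (string.IsNullOrEmpty(exePath))
            throw new InstallException("The exePath parameter was not supplied.");

        Configuration config = ConfigurationManager.OpenExeConfiguration(exePath);
        ConfigurationSection section = config.GetSection("connectionStrings");
        if (section == null)
            throw new InstallException("No connectionStrings section was found.");

        // Skip if already protected so a repair install does not fail.
        if (!section.SectionInformation.IsProtected)
        {
            // The DPAPI provider uses machine-level protection by default, so
            // a section encrypted by the administrator at install time can be
            // decrypted when a standard user runs the application on the
            // same machine.
            section.SectionInformation.ProtectSection(
                "DataProtectionConfigurationProvider");
            section.SectionInformation.ForceSave = true;
            config.Save(ConfigurationSaveMode.Modified);
        }
    }
}
```

Because the section is encrypted on the target machine during installation, the config file is never left in plain text after setup completes, and the application reads `ConfigurationManager.ConnectionStrings` as usual with decryption handled by the framework.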