Encrypting password for C# configuration file

Question

I'm trying to figure out the best way to encrypt a password that is in a configuration file. We are not allowed to hard code the passwords.

This a requirement that I have to meet.

I'm using DOTNET core and this needs to work on windows 10, windows server and OSX.

Does anyone have any good ways of meeting this requirement?

Thank you

Answer 1

First, read up on RSA Key Containers. You are going to have your operations group create one for each of your environments. They will export them and keep track of the exports for you. They'll also ACL them so that devs have access to them in lower environments, but only ops folks have access in higher environments. They also need to add an ACL so that the process identities on your servers have access.

Those Key Containers will be imported on to the servers, and on any client machines that will be doing any encryption work.

Then create a C# class that has the secret name, perhaps an encryption timestamp, and two strings, one for the clear text secret, and one for the encrypted version. Make everything JSON serializable. Mark the clear text member so that it doesn't serialize.

Create a small client app (say, with WinForms) that can read in a collection of secrets objects, decrypting any encrypted text using a key in the Key Container. The app will allow users to paste in a secret (perhaps one copied from KeePass). When the file is saved, the clear text/pasted in secret is encrypted and serialized out. The clear text version is thrown away.

At that point, you have a JSON text file that contains one or more encrypted secrets, but those secrets can only be decrypted by processes running with a token that has access to the RSA Key Container. So, you can put the file in source control and rely on your build/deploy to push the file(s) out to your servers.

Sorry for the lack of code, but I really can't copy/paste code I wrote for my employer. There should be enough here to get you started.