Where to store secret key of the c# application

Question

There are similar questions How to Manage Key in a Symmetric Algorithm Where to store a secret key to use in a SHA-1 hash?

My question is same, But I want to ask it differently

I have C# application. I am encrypting some data in the application. For encryption I am using secret key or password. This same thing is needed for decryption.

Where/how to store this secret key or password in application? its easy to view string password from reflection. I may use some combination to generate password, but some smart guys can guess that with some efforts.

Is there any secured way to store or manage secret password which is used in application to encrypt data?

Answer 1

I doubt there is any guaranteed secure way to store the key. Ultimately your program has to get access to the key, and a cracker could easily work out how that is happening via reverse engineering and redirect that string to wherever they want to.

Your best options are to:

• Obfuscate the key as much as possible. This makes it more difficult to access the "secret key" but does not make it impossible (see above). Rather than storing it as a string, generate it using a function, or use a seed and pass that through a function to get the secret string.

• If your use case allows it, use a public/private key pair. It only works if you want your application to encrypt the data, send it to your servers, and then you want to decrypt it. In this case, you embed the public key into the application (doesn't matter if crackers discover that), and keep the private key to yourself or your server.

Answer 2

If you store the key as an app-setting, and encrypt the app-settings, then I think you're pretty save.

You can use the following code to encrypt sections of the app.config.

using System;
using System.Configuration;

public static class ConfigurationEncryptor {
    [Flags]
    public enum ConfigurationSectionType {
        ConnectionStrings = 1,
        ApplicationSettings = 2
    }

    /// <summary>
    /// Encrypts the given sections in the current configuration.
    /// </summary>
    /// <returns>True is the configuration file was encrypted</returns>
    public static bool Encrypt(ConfigurationSectionType section) {
        bool result = false;

        Configuration config = ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
        if (config == null)
            throw new Exception("Cannot open the configuration file.");

        if (section.HasFlag(ConfigurationSectionType.ConnectionStrings)) {
            result = result || EncryptSection(config, "connectionStrings");
        }

        if (section.HasFlag(ConfigurationSectionType.ApplicationSettings)) {
            result = result || EncryptSection(config, "appSettings");
        }

        return result;
    }

    /// <summary>
    /// Encrypts the specified section.
    /// </summary>
    /// <param name="config">The config.</param>
    /// <param name="section">The section.</param>
    private static bool EncryptSection(Configuration config, string section) {
        ConfigurationSection currentSection = config.GetSection(section);
        if (currentSection == null)
            throw new Exception("Cannot find " + section + " section in configuration file.");
        if (!currentSection.SectionInformation.IsProtected) {
            currentSection.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");
            config.Save();

            // Refresh configuration
            ConfigurationManager.RefreshSection(section);

            return true;
        }
        return false;
    }
}

And use it like this (eg in your Main() method):

ConfigurationEncryptor.Encrypt(
    ConfigurationEncryptor.ConfigurationSectionType.ApplicationSettings |
    ConfigurationEncryptor.ConfigurationSectionType.ConnectionStrings
);