.NET: Best practice to encrypt sensitive data on a client application?
https://stackoverflow.com/questions/5337439
-
26-10-2019 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
I need to securely store a user/password pair on a client .NET application (Outlook addin).
Encryption needs to be reversible, and I'd be glad to avoid storing an encryption key in my code, as it's easy to get through disassembly.
In fact, I'd like to access an EFS-like API to delegate the encryption to Windows.
Any hint on this issue?
Solution
If you have access to .Net 4.0, then I'd recommend the ProtectedData class which encapsulates the windows DPAPI, the recommended way to encrypt data on the client machine in windows. Otherwise you can P/Invoke the DPAPI directly to do it.
Please note that if you are trying to stop the user from reading the password, then this won't really stop them. If they have access to their system then the DPAPI won't stop them. Best bet is to not store the password at all and ask them to login, or if you can connect to something that uses SSPI to do integrated windows authentication then you have the best solution of all.
But it's tough to know what you need without knowing what you are trying to achieve.
