Secure ClickOnce Applications

Asked By Francisco Pérez

20-Nov-09 04:09 PM

Earn up to 0 extra points for answering this tough question.

I have various applications that I publish with ClickOnce using .NET Framework 2.0. I have an encrypted app.settings file, although when I first install this application the original folder created in C:\Documents and Settings\user\Local Settings\Apps\2.0\etc... is not encrypted until execution for the first time, so there is a app.settings file that is not encrypted upon installation.

How can I encrypt my app.settings in this original installation location.

re

Web Star replied to Francisco Pérez

20-Nov-09 10:16 PM

Reply

try this

Encrypting and Decrypting Configuration Sections (ASP.NET) on MSDN
Encrypting Web.Config Values in ASP.NET 2.0 on ScottGu's blog
Encrypting Custom Configuration Sections on K. Scott Allen's blog

EDIT:
If you can't use asp utility, you can encrypt config file using SectionInformation.ProtectSection method.

Sample on codeproject:

Encryption of Connection Strings inside the Web.config in ASP.Net 2.0

check this

Jack jack replied to Francisco Pérez

21-Nov-09 03:54 AM

Reply

try this >>

1.) http://www.justskins.com/forums/asp-net-2-0-encrypted-connection-string-145342.html

2.) http://aspalliance.com/820_Web_Application_Settings_in_ASPNET_20

3.) http://stackoverflow.com/questions/54200/encrypting-appsettings-in-web-config

OK, This is how i would do it.

[)ia6l0 iii replied to Francisco Pérez

22-Nov-09 05:52 AM

Reply

Write a separate console application or an application, that runs as a post-build event to your current project to do the encryption of the configuration files for you.

In the separate console application or an application, i would either use plain XML Parse and Replace or use the System.Configuration.SectionInformation.ProtectSection method to encrypt a section.

This would be the code in the console application:

Class Program
   Private Shared Sub Main(ByVal args As String())
   Dim config As Configuration = ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None)
   Dim section As ConfigurationSection = config.GetSection("settings1")
   'protect if not protected.
   If Not section.SectionInformation.IsProtected Then
   section.SectionInformation.ProtectSection("sectionname")
   End If
   'set the force save.
   section.SectionInformation.ForceSave = True
   'do a save
   config.Save(ConfigurationSaveMode.Modified)
   End Sub
End Class

This would build , protect , and save the config values so that you don't have to alter your clickonce in any way. all you have to do is , configure this console application to run as a post-build event. That would suffice.

Here is the MSDN article that fills the gap in my explanation.

Hope this helps.