Saving a setting for all users at runtime which is secure.

Posted on 2012-08-17
Last Modified: 2014-04-14

My application uses a configuration which is downloaded from an online database during the initial setup. Because of the potential security risks involved, this configuration is encrypted. Each time the application is launched, a new configuration file is downloaded in case of any updates to the configuration. As such, during the initial installation, it is required to enter the encryption password. I don't want users to have to enter this each time they launch the application though, and it can safely be assumed all users on the computer are allowed access to the software (i.e. all users will use the same configuration file)

So - the question is, how can I store the encryption password within my application so that:
1) All users can launch the software and not need to provide the encryption password  (I only want the Administrator to enter this on first launch of the software on that computer)
2) Secure the password from other applications or prying users.

 I would appreciate any code samples in either c# or as well as any relevant theory on how to do this.

The application is being developed in VS2008.

Question by:Rabbit80
    LVL 37

    Accepted Solution

    My first suggestion would be to have a checksum or version number on the configuration file and just check that to see if it has been updated. Then you only need to download it if it has been updated. That may be enough.

    If you still want to store the password, then store it encrypted. Then you decrypt the password to decrypt the configuration file. Then the 'password' will be buried in your decrypt algorithm far from the prying eyes of your users.
    LVL 1

    Author Comment

    I'm not really worried about downloading the configuration on each launch - it is contained within a license for the system. In fact I prefer to do that as it is only 1-2Kb and saves having to store the sensitive config data locally. I am happy that this data is secured suitably and transfers are secure. This is all handled by a licensing SDK we use.

    Unfortunately however, without too much poking around, this data could be obtained through the serial number of the software if the validation key of the licensing module were to be compromised. This is hard coded within my application and since .net can be disassembled quite easily, I am encrypting the data stored within the license file.

    Which leads me to your second point - how do I actually go about storing the password encrypted so that only my application can access it, no matter which user happens to be logged onto the PC at that time? I don't want to compromise security by hard-coding any encryption passwords within my software, especially as that would mean that these encryption passwords are not unique to the PC. I also don't want to use Application settings as this is even less secure than hard coding. So where and how exactly do I store an encrypted password that is generated on first run so that it is accessible no matter who the logged on user for Windows?

    Featured Post

    Looking for New Ways to Advertise?

    Engage with tech pros in our community with native advertising, as a Vendor Expert, and more.

    Join & Write a Comment

    Introduction Many of the most common information processing tasks require sorting data sets.  For example, you may want to find the largest or smallest value in a collection.  Or you may want to order the data set in numeric or alphabetical order. …
    Introduction A frequently used term in Object-Oriented design is "SOLID" which is a mnemonic acronym that covers five principles of OO design.  These principles do not stand alone; there is interplay among them.  And they are not laws, merely princ…
    Migrating to Microsoft Office 365 is becoming increasingly popular for organizations both large and small. If you have made the leap to Microsoft’s cloud platform, you know that you will need to create a corporate email signature for your Office 365…
    In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor ( If you're interested in additional methods for monitoring bandwidt…

    729 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    21 Experts available now in Live!

    Get 1:1 Help Now