[Last Call] Learn how to a build a cloud-first strategyRegister Now

  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 232
  • Last Modified:

Saving a setting for all users at runtime which is secure.


My application uses a configuration which is downloaded from an online database during the initial setup. Because of the potential security risks involved, this configuration is encrypted. Each time the application is launched, a new configuration file is downloaded in case of any updates to the configuration. As such, during the initial installation, it is required to enter the encryption password. I don't want users to have to enter this each time they launch the application though, and it can safely be assumed all users on the computer are allowed access to the software (i.e. all users will use the same configuration file)

So - the question is, how can I store the encryption password within my application so that:
1) All users can launch the software and not need to provide the encryption password  (I only want the Administrator to enter this on first launch of the software on that computer)
2) Secure the password from other applications or prying users.

 I would appreciate any code samples in either c# or VB.net as well as any relevant theory on how to do this.

The application is being developed in VS2008.

1 Solution
My first suggestion would be to have a checksum or version number on the configuration file and just check that to see if it has been updated. Then you only need to download it if it has been updated. That may be enough.

If you still want to store the password, then store it encrypted. Then you decrypt the password to decrypt the configuration file. Then the 'password' will be buried in your decrypt algorithm far from the prying eyes of your users.
Rabbit80Author Commented:
I'm not really worried about downloading the configuration on each launch - it is contained within a license for the system. In fact I prefer to do that as it is only 1-2Kb and saves having to store the sensitive config data locally. I am happy that this data is secured suitably and transfers are secure. This is all handled by a licensing SDK we use.

Unfortunately however, without too much poking around, this data could be obtained through the serial number of the software if the validation key of the licensing module were to be compromised. This is hard coded within my application and since .net can be disassembled quite easily, I am encrypting the data stored within the license file.

Which leads me to your second point - how do I actually go about storing the password encrypted so that only my application can access it, no matter which user happens to be logged onto the PC at that time? I don't want to compromise security by hard-coding any encryption passwords within my software, especially as that would mean that these encryption passwords are not unique to the PC. I also don't want to use Application settings as this is even less secure than hard coding. So where and how exactly do I store an encrypted password that is generated on first run so that it is accessible no matter who the logged on user for Windows?

Featured Post

[Webinar] Cloud and Mobile-First Strategy

Maybe you’ve fully adopted the cloud since the beginning. Or maybe you started with on-prem resources but are pursuing a “cloud and mobile first” strategy. Getting to that end state has its challenges. Discover how to build out a 100% cloud and mobile IT strategy in this webinar.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now