In an application that needs to open a database connection, the username/password details must be sent to the database. What is the most secure way of storing, and using, this data?
The best way to secure the database connection string is to encrypt the value within the configuration file. The application would then load the encrypted value from the config file, decrypt the value, and then use the decrypted value as the connection string to connect to the database.
Connection strings in configuration files are typically stored inside the <connectionStrings> element in the app.config for a Windows application, or the web.config file for an ASP.NET application.
The exact method depends on the environment, but in general, you store the credentials in a location which is only readable by the user that your application is running as. For example, on Windows you would store the credentials in the registry in a location protected by an ACL so that only that user could read it. Optionally, you could use the DPAPI to encrypt the data so it was further protected. In Unix, you would store it in a file that was protected with chmod (and optionally encrypted) so that only the app could read it.
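The two answers above describe one pattern between them: the config file holds the connection string only as ciphertext, the application decrypts it at load time, and whatever decrypts it lives somewhere only the application's user can read. Below is an added Python example for Unix of that pattern; it is not code from the original thread or from any project. The file names, the `key=value` config format, the permission checks and the HMAC-SHA256-based encrypt/decrypt stand-in are all assumptions made for the example (on Windows the answer's DPAPI route, or a vetted cryptography library anywhere, would replace the hand-built scheme).

```python
import base64
import hashlib
import hmac
import os
import secrets
import stat
import tempfile

# Constructed example, not from the original thread: the app's config holds the
# connection string only as ciphertext; the key that decrypts it lives in a
# separate file that only the user the app runs as can read (Unix permissions).

NONCE_LEN = 16
TAG_LEN = 32


def write_private_file(path, data):
    """Create a file readable/writable by the owner alone (mode 0600).
    O_EXCL refuses to clobber an existing file, and the mode is applied at
    creation, so there is no window where others can read it."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)


def read_private_file(path):
    """Read a secret file, refusing it unless it is a regular file owned by the
    running user with no group/other bits set (the check sshd makes on keys)."""
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        raise PermissionError(f"{path}: not a regular file (symlink?)")
    if st.st_uid != os.geteuid():
        raise PermissionError(f"{path}: not owned by the user the app runs as")
    if st.st_mode & 0o077:
        raise PermissionError(f"{path}: mode {oct(st.st_mode & 0o777)} lets group/other read it")
    with open(path, "rb") as f:
        return f.read()


# Encryption stand-in (assumption for the example, standard library only):
# HMAC-SHA256 in counter mode as a keystream, plus an encrypt-then-MAC tag.
# A real deployment would use DPAPI or a vetted AEAD, not this hand-built scheme.

def _subkeys(master_key):
    enc_key = hmac.new(master_key, b"connstr-enc", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"connstr-mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key, nonce, length):
    out, block = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def encrypt_value(master_key, plaintext):
    enc_key, mac_key = _subkeys(master_key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_value(master_key, blob):
    enc_key, mac_key = _subkeys(master_key)
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time compare, check before decrypting
        raise ValueError("connection string ciphertext failed integrity check")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def write_config(config_path, key_path, connection_string):
    """Generate a fresh key into a private file; store the connection string in
    the config (which may stay world-readable) as base64 ciphertext."""
    master_key = secrets.token_bytes(32)
    write_private_file(key_path, master_key)
    blob = encrypt_value(master_key, connection_string.encode("utf-8"))
    with open(config_path, "w", encoding="utf-8") as f:
        f.write("# hypothetical app config; the connection string is ciphertext\n")
        f.write("db.connection_string.enc=" + base64.b64encode(blob).decode("ascii") + "\n")


def load_connection_string(config_path, key_path):
    """What the app does at start-up: read the key (with the permission check),
    read the ciphertext from the config, decrypt, and return the plaintext."""
    master_key = read_private_file(key_path)
    with open(config_path, encoding="utf-8") as f:
        for line in f:
            if line.startswith("db.connection_string.enc="):
                blob = base64.b64decode(line.split("=", 1)[1].strip())
                return decrypt_value(master_key, blob).decode("utf-8")
    raise KeyError("db.connection_string.enc not found in config")


def demo(loosen_key_permissions=False):
    """Round-trip a constructed connection string. With loosen_key_permissions
    the key file is chmod 644 first, so the loader must refuse it."""
    conn = "Server=db.internal;Database=orders;User Id=app;Password=s3cr3t-example"
    with tempfile.TemporaryDirectory() as d:
        cfg, key = os.path.join(d, "app.conf"), os.path.join(d, "app.key")
        write_config(cfg, key, conn)
        if loosen_key_permissions:
            os.chmod(key, 0o644)
        return load_connection_string(cfg, key)


if __name__ == "__main__":
    print(demo())
```

Encrypting the value in the config only relocates the secret: whatever decrypts it must itself be readable by the application, so the real protection is the ownership and mode on the key file (or, with DPAPI, the key Windows binds to the user account). That is why the loader verifies owner and mode before it will use the key, and why a world-readable key file is treated as an error rather than a warning.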
That depends on the database you're using. For Microsoft SQL Server you either encrypt the database connection string in the configuration or you use integrated security, where you connect to the database using the identity of the application you're connecting from.
Excellent question.
It's an issue with which we've grappled - and come up with a variety of approaches.
The first answer is to go with 1800 INFORMATION's suggestion:
I don't think you'll get a better all-round solution than this.
Other methods we've toyed with (and rejected):