WhiteIntel

Reputation: 697

How to store an encryption key securely in C#

I have the following question: In my ASP.NET MVC application I want to store some key/value settings in my database. Some of these key/value settings contain passwords that I want to encrypt to secure them.

I can't hash the passwords because I need some passwords to authenticate on a remote SMTP server.

On MSDN I found an article about securing configuration settings with "Protected Configuration Providers", but I don't want to store those settings in my web.config file.

I considered using the DpapiProtectedConfigurationProvider, which uses some machine- and user-specific properties as encryption keys, but this provider is built to work only with XML configuration nodes.

Another MSDN article is about the ProtectedData class, but is this method really secure?

So, what is the best method to store passwords in a C# application?

I also read the following other questions, but I found no solution: Question 1, Question 2, Question 3

greetings

Upvotes: 6

Views: 4258

Answers (1)

David R Tribble

Reputation: 12214

One possibility is to query the database for the encryption key (which is kept in a separate table), and use that to encrypt/decrypt the key values you need, which you retrieve in encrypted form from the database using a separate query.

This means, of course, that you will be storing both the encrypted key values and the encryption key in the database, and that you are not storing the encryption key anywhere in your app code. You should also use a proc call to retrieve the encryption key, instead of allowing direct access to the table in which it's stored.

This technique assumes that you are using some other method of establishing a database connection, i.e., that the database connection password itself is secured in a different manner within the app.

As @Blam stated, you have to store the encryption key somewhere, either in the app, or in a file accessible to the app, or in the database.

Upvotes: 1
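
The flow this answer describes, as an added example that is not part of the original post: the key is fetched through a stored procedure and used to encrypt and decrypt setting values held in the database. Assumptions: .NET 8, a hypothetical procedure named `dbo.GetSettingsKey` that returns a 32-byte key, and AES-GCM as the cipher (the answer names no algorithm); binding the setting name as associated data is also an addition here.

```csharp
using System;
using System.Data;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Added example. Assumptions: .NET 8; hypothetical proc dbo.GetSettingsKey returns a 32-byte key.
public static class SettingCrypto
{
    const int NonceLen = 12, TagLen = 16;

    // The app login gets EXECUTE on the procedure and no direct access to the key table.
    public static byte[] LoadKey(IDbConnection conn)
    {
        using IDbCommand cmd = conn.CreateCommand();
        cmd.CommandText = "dbo.GetSettingsKey";
        cmd.CommandType = CommandType.StoredProcedure;
        return (byte[])cmd.ExecuteScalar();
    }

    // Returns nonce || tag || ciphertext, ready to store in a varbinary column.
    public static byte[] Encrypt(byte[] key, string name, string value)
    {
        byte[] nonce = RandomNumberGenerator.GetBytes(NonceLen); // fresh nonce per value
        byte[] pt = Encoding.UTF8.GetBytes(value);
        byte[] ct = new byte[pt.Length], tag = new byte[TagLen];
        using var aes = new AesGcm(key, TagLen);
        aes.Encrypt(nonce, pt, ct, tag, Encoding.UTF8.GetBytes(name));
        return nonce.Concat(tag).Concat(ct).ToArray();
    }

    // Throws CryptographicException if the blob was altered or moved to another setting name.
    public static string Decrypt(byte[] key, string name, byte[] blob)
    {
        if (blob == null || blob.Length < NonceLen + TagLen)
            throw new CryptographicException("Stored value is too short.");
        byte[] pt = new byte[blob.Length - NonceLen - TagLen];
        using var aes = new AesGcm(key, TagLen);
        aes.Decrypt(blob.AsSpan(0, NonceLen), blob.AsSpan(NonceLen + TagLen),
                    blob.AsSpan(NonceLen, TagLen), pt, Encoding.UTF8.GetBytes(name));
        return Encoding.UTF8.GetString(pt);
    }

    public static void Main()
    {
        byte[] key = RandomNumberGenerator.GetBytes(32); // constructed stand-in for LoadKey(conn)
        byte[] stored = Encrypt(key, "smtp.password", "constructed-sample-secret");
        Console.WriteLine(Decrypt(key, "smtp.password", stored));
    }
}
```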
