I have a ConnectionString in my App.Config file which is encrypted by the DataProtectionConfigurationProvider provider, and everything works fine in Solution A.
Then I built another solution (Solution B), added that App.Config file to its project, and tried to decrypt that config file, and surprisingly everything works fine too, while I expected that the second solution could not decrypt the ConnectionString.
Assume I deployed this project and, at installation time, ask for the SqlConnection information, like USERID and PASSWORD, then decrypt them and put them into the App.Config file. Everything is OK so far! But what would happen if someone else tries to add the generated App.Config file (on the end user's machine) and decrypt my ConnectionString?
We try to encrypt such data so that no one else (except our program) can touch the data.
Protecting the data in your app config, if you really want to be sure, means employing encryption with a key specific to your app, and storing the result in your config setting as a BASE64 encoded string.
Before writing the data, you'll have to use a text encoding to convert the text to an array of bytes. You then encrypt that array, then turn the resulting array into a base64 encoded string which you then store in your config.
Before inspecting the data, you'll have to decode the base64 encoding, decrypt the resulting information (a byte array), and then use the same text encoding to convert from the array of bytes to actual text.
If you really want to be a swine, you use an asymmetric algorithm - encode with the private key, decode with the public key. That means that not only is the config data hard to read, it's IMPOSSIBLE to modify (because you don't give out the private key with your app - only the public one).