I have a C# app that connects to a SFTP server to transfer log files. The app achieves this by using WinSCP .NET assembly to connect to the server.
How do I securely store the .ppk private key file such that the user is not able to take this file to access the SFTP for themselves?
http://winscp.net/eng/docs/library#csharp
Based on the way the library reference the .ppk, it may not be possible to avoid storing the .ppk file on the local disk during run-time?
Thanks in advance.
There's generally no way to hide any kind of credentials that (any) application possess from the end user. You can only make them hard to be found, but it's questionable whether it is even worth the effort.
What you can (and should do) is to make sure the credentials grants only as little access as necessary.
So in your case, make sure the account, you authenticate with the private key:
Specifically regarding the private key for WinSCP .NET assembly:
Yes, it has to be stored on the disk (i.e. temporarily extracted to a temp folder). Though you can have the private key encrypted with a passphrase. And have the passphrase hard-coded in the application (obfuscated if your want).
See SessionOptions.SshPrivateKeyPassphrase.
See also WinSCP article on Protecting credentials used for automation.