http://qs1969.pair.com?node_id=767084


in reply to Re: Where should I have configuration information in a file or database
in thread Where should I have configuration information in a file or database

sections in the config file to store sensitive content that must be encrypted, i.e. the connection string, and must be decrypted by the application.

This may give you a warm fuzzy feeling that you have used encryption and so everything simply just must be safe.

But this is just a little annoyance for anyone trying to get the data: The application must contain the decryption code, and it must contain the decryption key. Both can be extracted, and with the addition of a few simple print statements, you can see the "protected" information in plain text. If the decryption code is buried in the runtime environment, things become even easier for an attacker: Just find the key, call the runtime environment's decryption routine in your own ten line script, and print what it returns when processing the "protected" information.

Oh, and I almost forgot: How does it help to encrypt information in a config file that is afterwards transmitted in clear through the network, e.g. when connecting to a MySQL or FTP server?

Alexander

--
Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)
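
An added illustration of the argument in the post above (not code from the post or from any project): because the application ships both the key and the decryption routine, the set of accounts that can recover the plaintext is simply the set that can read both the config file and the key-bearing file. `APP_KEY`, the toy keystream cipher, the file names and the connection string are constructed for the example, and the permission check assumes both files share an owner and group.

```python
import hashlib, os, stat, tempfile

# Constructed stand-in for "the key shipped inside the application".
APP_KEY = b"constructed-demo-key"

def _xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy SHA-256 counter keystream, a stand-in for the app's real cipher."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)

def protect(plaintext: str) -> str:
    """Produce the 'encrypted' value stored in the config file."""
    return _xor_stream(APP_KEY, plaintext.encode()).hex()

def app_decrypt(config_value: str) -> str:
    """What the application runs at startup; any other caller gets the same result."""
    return _xor_stream(APP_KEY, bytes.fromhex(config_value)).decode()

def readers_of_both(config_path: str, key_path: str) -> set:
    """Permission classes able to read config AND key material, i.e. the
    classes for which the encryption adds nothing."""
    bits = {"owner": stat.S_IRUSR, "group": stat.S_IRGRP, "other": stat.S_IROTH}
    modes = [os.stat(p).st_mode for p in (config_path, key_path)]
    return {who for who, bit in bits.items() if all(m & bit for m in modes)}

def demo():
    secret = "dbi:mysql:app;user=app;password=constructed"  # constructed sample
    with tempfile.TemporaryDirectory() as d:
        cfg, app = os.path.join(d, "app.conf"), os.path.join(d, "app.py")
        for path, text in ((cfg, protect(secret)), (app, repr(APP_KEY))):
            with open(path, "w") as fh:
                fh.write(text)
        os.chmod(cfg, 0o644)              # config readable by everyone
        os.chmod(app, 0o755)              # application readable by everyone
        typical = readers_of_both(cfg, app)
        os.chmod(cfg, 0o600)              # file mode, not the cipher, narrows access
        restricted = readers_of_both(cfg, app)
        with open(cfg) as fh:
            recovered = app_decrypt(fh.read())
    return recovered, typical, restricted

if __name__ == "__main__":
    print(demo())
```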