Securing Sensitive Data in C#: Encrypting and Storing in the Registry

Özkan ARDİL
4 min read · Jul 2, 2023



When it comes to sensitive data, privacy becomes even more important. There are various methods to restrict access to sensitive data.

Restricting access to sensitive data in cloud environments can be handled with managed services such as secret stores and key management services (KMS). In on-premises environments, however, it may be necessary to develop a customized solution according to the system's requirements.

In this article, I will explain how I developed a solution to store sensitive data encrypted in the registry within an on-premises system.

At the institution where I provide consultancy services, there was a request to store the database connection information encrypted in the registry on the developer’s computer.

The aim was to prevent access to the database connection information by IT personnel other than software developers and database administrators. For example, even if system administrators or security personnel have access to the server, their access to the database information would be blocked.

I wanted to share a small application I developed for this solution. If you have a similar need, you can benefit from the source code.

I developed the application using .NET 6.

The application consists of three projects: a class library containing the security classes and constants, a console application for writing data to the Windows registry, and a WebAPI project for reading data from the Windows registry.

The folder structure of the application is as follows:

Folder structure of the application

I used the "Microsoft.Win32.Registry version 5.0.0" NuGet package to manipulate the Windows registry.

Now let’s examine the projects in more detail.

I tried to create the application as simple and flexible as possible.

I placed the shared classes in the RegistryApp.BLL project. The project contains:

  • The Constants folder, which holds the registry key path and the encryption key. All the constants used in the application live in this class; update them to change the registry location, the encryption key, or the name of the value to be created. Note that a key compiled into the assembly is recoverable by anyone who can read the binary, so it only protects the stored value from people who have the registry but not the application.
  • The Managers folder, which contains the classes that write data to and read data from the Windows registry.
  • The Security folder, which contains the classes with the encryption and decryption functions.

The RegistryApp.Write project is a simple console application for writing data to the Windows registry. It takes the data to be added from the user, encrypts it, writes it to the registry, and reports the result of the write to the user.

Let’s write the data “Test Database Connection” for testing purposes. The screenshot of the project is as follows:

After the "Test Database Connection" text is encrypted, it is added to the Windows registry. The created record looks like the following:

In some corporate environments, security policies restrict registry access on workstations. If you encounter a write error, first make sure the account you are logged in with has write permission on the target key; a policy that disables Registry Editor (regedit.exe) does not by itself block the registry API, so a failed write from code means the key's ACL denies your account. Also keep in mind which hive you are writing to: a key under HKEY_CURRENT_USER can be written by the user without elevation, while writing under HKEY_LOCAL_MACHINE requires Visual Studio (or the console application) to be started with "Run as administrator".

I developed the RegistryApp.Read project as a WebAPI project for reading data. The project has a single Controller class containing the read method.

When we run the application with RegistryApp.Read as the startup project, we are greeted by the Swagger interface.

When we call the method, it reads the value from the Windows registry, decrypts it, and returns the originally entered data to the caller.
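The write and read projects above encrypt the value with a key taken from the Constants class, which means the key ships inside the assembly. As an added example (editor's code, not the article's repository), the following .NET 6 class shows the same write-then-read flow with two changes a practitioner would want: the value is protected with Windows DPAPI (`ProtectedData` with `DataProtectionScope.CurrentUser`), so no encryption key is compiled into the binary and decryption is bound to the logged-on user's credentials, and the registry key's ACL is reset so only that user can read the blob. The class name, key path, value name and entropy string are all assumptions; the code needs the Microsoft.Win32.Registry and System.Security.Cryptography.ProtectedData NuGet packages and runs only on Windows.

```csharp
// Added example, not the article's code. Assumes .NET 6 on Windows with the
// Microsoft.Win32.Registry and System.Security.Cryptography.ProtectedData packages.
// RegistrySecretStore, KeyPath, ValueName and Entropy are hypothetical names.
using System;
using System.Security.AccessControl;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Text;
using Microsoft.Win32;

public static class RegistrySecretStore
{
    // Hypothetical location; the article keeps its path in a Constants class.
    private const string KeyPath = @"SOFTWARE\RegistryApp";
    private const string ValueName = "DbConnection";

    // Optional entropy is mixed into DPAPI's key derivation, so code running as
    // the same user still needs this value to decrypt. It is not a secret key
    // replacement (it sits in the binary); DPAPI's user master key is what
    // keeps the plaintext from other accounts.
    private static readonly byte[] Entropy = Encoding.UTF8.GetBytes("RegistryApp.v1");

    public static void Write(string secret)
    {
        // CurrentUser scope: only processes running under this user's logon
        // (with access to the DPAPI master key) can call Unprotect successfully.
        byte[] blob = ProtectedData.Protect(
            Encoding.UTF8.GetBytes(secret), Entropy, DataProtectionScope.CurrentUser);

        // HKCU needs no elevation; HKLM would.
        using RegistryKey key = Registry.CurrentUser.CreateSubKey(KeyPath, writable: true);

        // Drop inherited ACEs and grant full control to the current user only,
        // so other interactive users cannot even read the ciphertext.
        // Local administrators can still take ownership of the key; the ACL is
        // a confidentiality layer for non-admin accounts, DPAPI is the real one.
        var security = new RegistrySecurity();
        security.SetAccessRuleProtection(isProtected: true, preserveInheritance: false);
        security.AddAccessRule(new RegistryAccessRule(
            WindowsIdentity.GetCurrent().User!,
            RegistryRights.FullControl,
            InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
            PropagationFlags.None,
            AccessControlType.Allow));
        key.SetAccessControl(security);

        key.SetValue(ValueName, blob, RegistryValueKind.Binary);
    }

    public static string? Read()
    {
        using RegistryKey? key = Registry.CurrentUser.OpenSubKey(KeyPath, writable: false);
        if (key?.GetValue(ValueName) is not byte[] blob)
            return null; // nothing stored yet, or not a binary value

        try
        {
            byte[] plain = ProtectedData.Unprotect(blob, Entropy, DataProtectionScope.CurrentUser);
            return Encoding.UTF8.GetString(plain);
        }
        catch (CryptographicException)
        {
            // Different user, wrong entropy, or a tampered blob: fail closed
            // rather than hand the caller garbage.
            return null;
        }
    }
}

public static class Program
{
    public static void Main(string[] args)
    {
        // Constructed sample input; in practice the operator types the real string.
        string sample = args.Length > 0
            ? args[0]
            : "Server=db01;Database=app;User Id=svc;Password=example";

        RegistrySecretStore.Write(sample);
        Console.WriteLine(RegistrySecretStore.Read() ?? "<decryption failed>");
    }
}
```

Running the console once writes the value; a WebAPI controller running under the same Windows account can call `RegistrySecretStore.Read()` exactly as the article's read project does. If the API runs under a different identity (for example an IIS application pool account), `Unprotect` throws and `Read()` returns null, which is the expected failure mode of user-scoped DPAPI rather than a bug: either run both under one service account or protect the value under that account instead.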

You can access the source code of the project on my GitHub account. If you can give the repository a star and share the article, you will support me in reaching more people.

Where can you use this solution?

The "Connection String" of an application can be stored encrypted in the registry. This keeps it out of plaintext config files and out of reach of other non-administrative users of the machine. Be realistic about administrators, though: anyone who controls the server can read every hive and can copy the application binary, and if the decryption key is compiled into that binary they can recover the connection string. Binding the encryption to the user's logon (Windows DPAPI) or to a key the application never stores locally (an HSM or a network secret store) raises the bar considerably, but no scheme running on a machine can fully hide a secret from the people who administer that machine.

Key and expiration date information for the license checks of various applications can be stored in the registry. The registry then holds the license data, but the check itself still runs on a machine the user controls, so this protects against casual copying rather than a determined user who can patch the application.

If you use it for different solutions you can share it with us in the comments.

If you found the content useful, I would appreciate it if you could support it with applause (you can clap more than once by holding down the clap button).

Thanks for reading…

Özkan ARDİL

.NET C# JS and Angular dev with 8+ yrs exp, self-taught & passionate web developer. Sharing tips & experiences in C# and web dev.