The wwAppConfiguration class supports encrypting one or more keys. This feature is often required for sensitive applications that store things like login information or connection strings in configuration files. To aid in this task, the data written out to disk for encrypted fields is always encrypted.

To implement this functionality you can implement a custom constructor on the class:

    public WebStoreConfig() : base(false)
    {
        // Mark the fields to encrypt before any keys are read
        this.SetEncryption("ConnectionString,MailPassword,MerchantPassword", "WebStorePassword");
        this.ReadKeysFromConfig();
    }

Note the call to base(false), which forces the base constructor to be called. The false value instructs the base class not to call the ReadKeysFromConfig() method automatically, so we have a chance to call the SetEncryption() method first.

Alternatively, you can use those lines in application code as well:

    WebStoreConfig Config = new WebStoreConfig();
    Config.SetEncryption("ConnectionString,MailPassword,MerchantPassword", "WebStorePassword");
    Config.ReadKeysFromConfig();

The first parameter of SetEncryption is a comma-delimited list of fields in the current class that you want to encrypt. The second parameter is a key used by the encryption routine, which uses DES encryption to create a symmetrically encrypted value.

Non-.Config File Persistence Stores


If you're storing your configuration settings in a String, File or SQL Server field, make sure that you always set up your encryption options in the default constructor. This ensures that the encryption settings are applied when static methods like ReadKeysFromFile create a new object reference for you. These methods check whether you have configured fields to encrypt and decrypt any encrypted values, but this only works if the encryption settings are made in the constructor. For example, if you plan on retrieving from a file, define the constructor:

    public WebStoreConfig()
    {
        this.SetEncryption("ConnectionString,MailPassword,MerchantPassword", "WebStorePassword");
    }

Then call

How Secure is this?


Because the encryption relies on a key word to provide encryption, it is possible to hack the code and retrieve this password. Encryption occurs when keys are written out to the .Config file and decryption occurs when keys are read back into the object. This means that the in-memory object has full unencrypted access to the data in the Config file.

This solution is a prevention mechanism against casual discovery by just browsing the config file. Unless the architecture of the application is known, discovering the key or using the class to read the data is not very likely.
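
The round trip described above, as an added example (not code from wwAppConfiguration): a field is DES-encrypted with a key derived from the passphrase before it is written, and decrypted with the same passphrase when it is read back. FieldCrypto, the SHA-256 key derivation, the IV handling and the sample connection string are assumptions made for the illustration.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Added illustration: FieldCrypto and its key derivation are assumptions, not wwAppConfiguration code.
static class FieldCrypto
{
    // Assumption: DES key = first 8 bytes of SHA-256(passphrase).
    static byte[] KeyFrom(string passphrase)
    {
        return SHA256.Create().ComputeHash(Encoding.UTF8.GetBytes(passphrase)).Take(8).ToArray();
    }

    // Value as stored in the config file: Base64(IV + ciphertext).
    public static string Encrypt(string plain, string passphrase)
    {
        using (DES des = DES.Create())   // CBC with PKCS7 padding by default
        {
            des.Key = KeyFrom(passphrase);
            des.GenerateIV();
            byte[] data = Encoding.UTF8.GetBytes(plain);
            byte[] ct = des.CreateEncryptor().TransformFinalBlock(data, 0, data.Length);
            return Convert.ToBase64String(des.IV.Concat(ct).ToArray());
        }
    }

    // Value as the in-memory object sees it once the keys are read back.
    public static string Decrypt(string stored, string passphrase)
    {
        byte[] blob = Convert.FromBase64String(stored);
        using (DES des = DES.Create())
        {
            des.Key = KeyFrom(passphrase);
            des.IV = blob.Take(8).ToArray();
            byte[] pt = des.CreateDecryptor().TransformFinalBlock(blob, 8, blob.Length - 8);
            return Encoding.UTF8.GetString(pt);
        }
    }

    static void Main()
    {
        const string passphrase = "WebStorePassword";        // literal compiled into the assembly
        string secret = "server=(local);database=WebStore";  // constructed sample value
        string onDisk = Encrypt(secret, passphrase);
        Console.WriteLine("config file: " + onDisk);
        Console.WriteLine("in memory  : " + Decrypt(onDisk, passphrase));
    }
}
```

Because the passphrase is a string literal, the stored value is only as well protected as the compiled assembly that contains it, and DES itself has a 56-bit effective key.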


Last Updated: 4/21/2004