> I'm using the publish capabilities of VS2005 to deploy a smart client
> application. To secure the connection strings I'm encrypting them in
> the app.config file using the DataProtectionConfigurationProvider.
> Everything works fine with one major security hole I need help with.
>
> My client is set up to encrypt the app.config when it loads. So when a
> users installs the smart client application from the publish.htm web
> site VS 2005 sets up, it forces an application load and happily
> encrypts the myapp.exe.config file that's deployed to the local
> machine. The problem is when the smart client application is installed
> it also makes a copy of the myapp.exe.config file in a second
> directory that appears to be used for storing application culture
> which is not encrypted.
>
> For example, the 2 folders might look like this:
>
> c:\Documents and Settings\User\Local
> Settings\Apps\2.0\myap..tion_2d04e939dd17e942_0000.0009_e3eea666c5a336
> 7a
> <---Encrypted
> c:\Documents and Settings\User\Local
> Settings\Apps\2.0\myapp.exe_2d04e939dd17e942_0000.0009_en-us_b62a96f4c
> bfdf23e
> <-- Plain text
> Any suggestions? Please, no friendly advise to simply switch to
> Windows authentication to SQL Server - I don't need to go there.
>
> Thanks.
>