I have a windows forms applciation that stores encrypted files to disk. At runtime, it decrypts those files and passes the resulting memorystreams to Datasets. I am using symmetric encryption with AESManaged.
There are custom functions to generate Key and IV byte arrays from a string. However I am currently hard coding the secure string that I use to generate Key and Iv, which I think defeats the purpose of encryption. I understand that the best way would be to prompt the user for a password and use that string. Is there any other way around this where I don’t have to prompt the user for a password? Also I cannot use DPAPI because the encrypted data file is expected to be shared between users and computers.
It is not possible to have your cake and eat it too 🙂 You cannot store decryption key and use it, and not have it recoverable by someone. Only thing you could do is not make it obvious where it is by obfuscating your code, preencrypting your key and decrypting it dynamically, maybe through several rounds of decryption scattered around several classes. Unlike rest of programming disciplines, this is where messy code is a good thing.