Medium trust and DPAPI

Topics: Troubleshooting
Feb 21, 2011 at 7:57 PM

Today at work i needed to create a settingspart and i did let my handler register an activatingfilter for the site contenttype. 
In my settingpart i want a administrator to save a webservice username and password combination, but ofcourse i don't want it plain in the database and i though DPAPI would be a good solution.
Well this Sprint Backlog Task had 4 hours and i used them all running against medium trust :) 

Anyway the DataProtection class requires DataProtectionPermission... so medium trust doesn't allow it.

I don't want to set it full trust just to quick and dirty get to my next SBI / SBT..

I think i've a few options:

1) Alter the Orchard.Web web.config and select a custom policy file like writen here: http://msdn.microsoft.com/en-us/library/ff648344.aspx (outdated) or http://msdn.microsoft.com/en-us/library/wyts434y.aspx

2) Use another crypto like AESManaged, RijndaelManaged, etc


A application wide username and password must be stored because it isn't a special user, but just credentials that are needed for calling a webservice

Coordinator
Feb 21, 2011 at 8:50 PM

You should use IEncryptionService instead, which comes within orchard, and lets you encrypt/decrypt sensitive data in the db. It's tenant safe, and uses security best practises. We use it to store the SMTP password in db for the Email module. You can use it directly by calling Encrypt/Decrypt, or look at how it's abstracted in the EmailSettingsPartsRecord.

Feb 21, 2011 at 8:52 PM

Lol something i forgot, to search in orchard for such functionality.
Thanks for the usefull information!