I’ve got an SQLite/SQLCipher database with a password, used by a command-line C# application on Windows. We store/manage the password for the database with CredentialManager using WriteCredential() and ReadCredentials(), and this seems secure enough for our purposes.
But now we need to access the database from a web application.
My question is: what is the best practice for web applications to safely retrieve the password to unlock the SQLite database? In our test environment we’re just using web.config, but that’s not going to be appropriate on the production server.
I haven’t tried it yet, but I guess I can still use CredentialManager, assign a specific user for the pool processes, and manually write the SQLite database password to the CredentialStore for that user using PowerShell or something.
Is there a recommendation for the ‘best practice’ for managing SQLite/SQLCipher passwords in web applications? Preferably for C#/Windows specifically, but even general guidelines for Linux/Perl would be interesting to read.
To be clear, I’m talking about the password to open the SQLite/SQLCipher database.