Encode a string and save value to file in Inno Setup

1
votes

I have a Pascal Script code in Inno Setup script to get the DBURI from user inputs, and save it to file, so the application can read this string and connect to database.

DBURI :=
  'Databaseserver//'+DatabaseUserName+':'+DatabasePassword+'@'+
  Host+':'+Port+'/'+DatabaseName+'"';

SaveStringToFile(dbconf, DBURI, True);

It works perfectly. But the problem the string not encrypted, and anyone who browses to the file can get the database password. I want to use an encryption method with a predefined key within Pascal Script code, and write the output value (encrypted string) to the file. So, I can include the encryption method and key in my application code to decrypt value and start using DBURI string.

So, my question how to use an encryption method (anyone) with a predefined key within Pascal Script code? I found many articles in Pascal documentations but I didn't know how to use?

1
encryptioninno-setuppascalscript

1 Answers

1
votes

Your question is rather broad, so I will answer it broadly too.

Some facts:

  • In general, there's no really safe way to encrypt data (the DB password), so that they can be used automatically. Even if you use an encryption key. It's not that difficult to retrieve the key from the binaries. Particularly Inno Setup code is easy to disassemble. See Disassembling strings from Inno Setup [Code]. Though as you seem to be willing to accept even plain key-less Base64 encoding, your security needs are probably not that high.

  • There's no support for encryption in Inno Setup (or its Pascal Script code). You have to use external functions or applications. Though some simple encoding (not encryption), like Base64, can be implemented in Pascal Script code.

What you can do:

  • If you will be decrypting the data using the same local account as encrypting them (the same user installs and uses the software), use Windows CryptoAPI. This is really secure, as it uses a key that associated with the local account and protected by accounts password. But that limits the use, as mentioned.

    See Simple AES encryption using WinAPI.
    I didn't try to implement this in Pascal Script, but I believe it should be possible.

    I believe you can use CryptoAPI even with a known key (shared between the installer and the application), but I do not know details.

  • Another way to encrypt data with a known key is by invoking an external application for that. You can use PowerShell and .NET classes for implementing encryption. Or you can add a hidden feature to your own application, that you will call from Inno Setup to encrypt and store the data.

  • If you are happy with Base64 (or maybe hex) encoding, see:
    Encode string to Base64 in Inno Setup (Unicode Version of Inno Setup)