An intranet web app for decrypting values: a bad idea, and if so, why?


We have to protect a database connection string for a .NET desktop application that has an application-level database user. One option is to encrypt a section of the app.config using aspnet_regiis. But then every user of the application needs to have the key installed on their PC.

If an intranet IIS server had SSL and Microsoft Windows Authentication in place, would an ASP.NET web app that accepted an encrypted value and returned the plain text be a viable alternative to installing the keys on every user’s machine?

With the web app, no user would be able to export the key from their local container, and so the web app approach seems the more secure of the two.