In most cases a file is easier to handle, faster to access and easier to edit by hand

I back the drive up one a week; the back up is encrypted and and two copies are stashed, one on my work lap-top and the other on and old server machine at home. I keep the four previous generations of the backup, just in case. (In addition to the DB connection parameters for three moderately and one critically important Work databases, my Work Diary and some digital photographs that can't be replaced, children do grow up after all, are stored on the drive.)

In the past five years I have had to invoke the recovery procedure just once, but I do a recovery test once a quarter to make sure that I can. I am probably being a little be over-board on the paranoia side here, but....

In most of the case, the file is simplest way to store the configuration information. We can easily handle like changing configuration information. We don't want to enter into database regularly.

If you are storing the information in database, you have to give database user name and password in the function to connect database. It may not secure if your are giving program to some other person. But if you are storing in file, it's not needed. But at the same time, the file don't have permissions for other users.

I prefer files for application/admin configuration and DB for any user controlled configuration (most of the time). Files are safer for an application because you aren't relying on (at least) two services (your app and the DB) to run your app. Configuring from files allows the application to run "normally" (in reduced service mode or something) even when the DB is unavailable. Of course files can become unwieldy so the DB is (like mentioned already) better for many other things (that will grow, require constant update, fit into a standard API, etc).

You should tell us more about your problem if you want us to help.

sections in the config file to store sensitive content that must be encrypted ie the connection string and must be decrypted by the application.

This may give you a warm fuzzy feeling that you have used encryption and so everything simply just must be safe.

But this is just a little annoyance for anyone trying to get the data: The application must contain the decryption code, and it must contain the decryption key. Both can be extracted, and with the addition of a few simple print statements, you can see the "protected" information in plain text. If the decryption code is burried in the runtime environment, things become even easier for an attacker: Just find the key, call the runtime environment's decryption routine in your own ten line script, and print what it returns when processing the "protected" information.

Oh, and I almost forgot: How does it help to encrypt information in a config file that are afterwards transmitted in clear through the network, e.g. when connecting to a MySQL or FTP server?

Alexander

--
Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)

Ok,I have to elaborate more :
You create a key container. There are machine-level and user-level containers
Specify a protected configuration provider (RsaProtectedConfigurationProvider or DataProtectionConfigurationProvider) which essentially is a class that you can use from your code.

Pass the provider your key container (in case of RSA,in case of DPAPI is simpler) and when saving the configuration file the <protectedData> sections will be encrypted.
The decryption key is not included in the configuaration file or the application.
e.g. in the case of DataProtectionConfigurationProvider the decryption key is auto-generated and saved in the Windows Local Security Authority.

When calling the application the .net framework will decrypt the connection string and makes it available to your application. You don't have to write any code to encrypt or decrypt.
Of cource if the memory of the application is compromised, the sensitive information might get compromised as well.

"How does it help to encrypt information in a config file that are afterwards transmitted in clear through the network, e.g. when connecting to a MySQL or FTP server?"
well the original question was "Where should I have configuration information in a file or database, on the basis of security and accessibility",
did not ask anything about securely transmitting the connection string, but in case you are curious you might want to look at Secure connection to SQL Server from Perl DBI