Desktop app secrets

Is there a ‘best practice’ or a ‘HashiCorp’ module that can help with the following?

A new desktop WPF C# aspnetcore app with no guaranteed internet connection needs to make a connection to a network SQL database. The connection string has a username and password that the user is not privileged to know.

How should the un/pwd credentials be stored securely? They are sent to the dotnet ConnectionString Builder in clear text.

Have you tried AppRole’s response wrapped tokens in pull mode?

Hi! The closest thing that would be helpful for this use case is the MSSQL database secrets engine, I think, described here. It obviously wouldn’t be able to help when there’s no internet available unless both Vault and the database are on the same server. But, it can give ephemeral credentials that could be set to expire quickly so even if they were in clear text and leaked, the impact could be more limited.

Nice idea, but the thing I’m trying to connect to is a SQL database, so I couldn’t do that without a password, which would be stored in a … SQL database. 🙂

Thank you for your suggestion. That is a lot of new words for me. I’ll look into how to make all that into a DLL and include it in a Windows desktop app project …
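
The ephemeral-credential approach suggested above (the MSSQL database secrets engine), seen from the C# side, as an added example that is not part of the thread or HashiCorp's own code. It assumes the engine is mounted at `database`, a hypothetical role name, a Vault token obtained separately (for instance through AppRole), and the `Microsoft.Data.SqlClient` NuGet package; the JSON in `Main` is a constructed sample of the response shape.

```csharp
using System;
using System.Net.Http;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.Data.SqlClient; // NuGet package (assumed to be referenced)

static class VaultSqlCredentials
{
    // Asks Vault for a fresh, short-lived SQL login: GET /v1/database/creds/<role>.
    public static async Task<string> FetchAsync(HttpClient http, Uri vaultAddr, string token, string role)
    {
        var path = $"v1/database/creds/{Uri.EscapeDataString(role)}"; // "database" mount is an assumption
        using var req = new HttpRequestMessage(HttpMethod.Get, new Uri(vaultAddr, path));
        req.Headers.Add("X-Vault-Token", token);
        using var resp = await http.SendAsync(req);
        resp.EnsureSuccessStatusCode();
        return await resp.Content.ReadAsStringAsync();
    }

    // Extracts the generated login and its lease time from the response body.
    public static (string User, string Password, TimeSpan Ttl) Parse(string json)
    {
        using var doc = JsonDocument.Parse(json);
        var data = doc.RootElement.GetProperty("data");
        return (data.GetProperty("username").GetString()!,
                data.GetProperty("password").GetString()!,
                TimeSpan.FromSeconds(doc.RootElement.GetProperty("lease_duration").GetInt32()));
    }

    // Builds the connection string in memory only; nothing is written to disk or config.
    public static string BuildConnectionString(string server, string db, string user, string password) =>
        new SqlConnectionStringBuilder
        {
            DataSource = server, InitialCatalog = db,
            UserID = user, Password = password,
            Encrypt = true, PersistSecurityInfo = false
        }.ConnectionString;

    static void Main()
    {
        // Constructed sample response; real values come from FetchAsync.
        const string sample = "{\"lease_duration\":300,\"data\":{\"username\":\"v-constructed-user\",\"password\":\"constructed-password\"}}";
        var c = Parse(sample);
        var cs = BuildConnectionString("sqlhost.example.internal", "AppDb", c.User, c.Password); // hypothetical host and database
        Console.WriteLine($"Login {c.User} expires in {c.Ttl.TotalMinutes} min ({cs.Length}-char connection string built)");
    }
}
```

The application has to request a new login before `Ttl` elapses, which requires Vault to be reachable at that moment.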