The Easiest Way to Manage Developer Application Secrets

When setting up a new .NET Core project, one must be careful about where to store secret information, such as passwords and connection strings with sensitive data. Nowadays, it is very easy to start a new project and share its source code with the whole world, and likewise, it is very easy to share your secret information if you are not careful. It is of utmost importance that secrets are kept that way.

Azure makes it easy to store secrets for production websites and keep them safe, but it is in their own development environment that most beginners struggle. If the software that you are building needs a password to connect to a database, the tooling will lead you down the path of storing it directly in the application settings. But then it would end up in the source code. Storing secrets inside source code has to be avoided at all costs!

The next best thing, and equally cheap at the price of free, is to store your secrets in your own personal folder and retrieve them from there when needed. Luckily, Visual Studio can do this out of the box. One important fact to be aware of before we continue is that this method does not encrypt the secret data in any way. It just stores it in your own personal folder, which is definitely safer than storing it in source code online, but it can still be compromised by someone who has access to your computer.

Start by right-clicking the project name inside the Solution Explorer window. The context menu will have an option to Manage User Secrets.

Project context menu shows option to manage secrets

Once you choose this option, Visual Studio will create an empty file named secrets.json inside your user folder. Now you can add as many secrets as you need inside this file. Each secret is stored as a key-value pair.

{
  "passwordForLifeAndEverything": "42"
}

All you need now is to read the value inside your code. This can be simply done by using the Configuration API.

string mySecret = Configuration["passwordForLifeAndEverything"];

When running the solution inside Visual Studio, it will automatically fetch the required data from your secrets file. Remember that this will only work for you on your own machine, and the other developers need to configure a similar setup on theirs. But the added advantage here is that everyone can have their own secrets, which is also better than sharing the same secrets with the whole team.

Secrets can also be grouped together by nesting JSON objects inside one another, such as the following secrets for a fictional mailing service.

{
    "MailService": {
        "Account": "dumdedum",
        "SecretKey": "SomethingLike8TGRKC4L71..."
    }
}

Then you can refer to each key individually by using the colon character to symbolise the hierarchical relation between the keys, for example:

string mailAccount = Configuration["MailService:Account"];
string mailKey = Configuration["MailService:SecretKey"];

You can also read them together as a group. For example, in the ConfigureServices method you can add:

services.Configure<MailSettings>(Configuration.GetSection("MailService"));

where MailSettings would be a class with the two mail service properties which will be automatically bound at runtime.
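As an added example (not code from the original post), here is what MailSettings could look like, together with a fail-fast check for the case where a developer has not yet filled in their own secrets.json. LoadMailSettings and FromJson are hypothetical helpers, the inline JSON is a constructed stand-in for secrets.json, and the example assumes the Microsoft.Extensions.Configuration.Json and Microsoft.Extensions.Configuration.Binder packages are referenced.

```csharp
using System;
using System.IO;
using System.Text;
using Microsoft.Extensions.Configuration;

// Shape of the "MailService" section; property names match the JSON keys.
public class MailSettings
{
    public string Account { get; set; } = "";
    public string SecretKey { get; set; } = "";
}

public static class Program
{
    // Hypothetical helper: binds the section and fails fast when a secret is
    // absent, e.g. on a teammate's machine with an empty secrets.json.
    public static MailSettings LoadMailSettings(IConfiguration configuration)
    {
        var settings = configuration.GetSection("MailService").Get<MailSettings>();
        if (settings == null || string.IsNullOrWhiteSpace(settings.Account)
                             || string.IsNullOrWhiteSpace(settings.SecretKey))
        {
            // Name the missing keys only; never echo secret values into logs.
            throw new InvalidOperationException(
                "MailService:Account and MailService:SecretKey must be set in user secrets.");
        }
        return settings;
    }

    // Hypothetical helper: builds configuration from an in-memory JSON string.
    private static IConfiguration FromJson(string json) =>
        new ConfigurationBuilder()
            .AddJsonStream(new MemoryStream(Encoding.UTF8.GetBytes(json)))
            .Build();

    public static void Main()
    {
        // Constructed stand-ins for secrets.json; the values are placeholders.
        var complete = FromJson(
            "{\"MailService\":{\"Account\":\"dumdedum\",\"SecretKey\":\"placeholder-key\"}}");
        var incomplete = FromJson("{\"MailService\":{\"Account\":\"dumdedum\"}}");

        Console.WriteLine(LoadMailSettings(complete).Account);
        try { LoadMailSettings(incomplete); }
        catch (InvalidOperationException ex) { Console.WriteLine(ex.Message); }
    }
}
```

Running the same check at application startup surfaces a missing secret immediately, instead of as a failed mail call later on.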

Secrets management is definitely an underestimated Visual Studio feature that tackles one of the most rampant credential dissemination issues inside the open-source world. This feature is also available as an extension in Visual Studio Code.
