Secrets management in .NET Core

Development environment: User Secrets

What it is: A lightweight, cross-platform tool that stores secrets in a JSON file outside the project directory, in the user's profile. This prevents sensitive data from being accidentally checked into source control (e.g., Git).

How it works: Visual Studio can manage secrets via a context menu, or you can use the dotnet user-secrets command-line tool. The UserSecretsId in the project file links the project to its corresponding secrets.json file.

Example:

Initialize User Secrets:

dotnet user-secrets init

Set a secret:

dotnet user-secrets set "MyService:ApiKey" "my-development-api-key"

Access the secret in your application:

// Program.cs
var builder = WebApplication.CreateBuilder(args);
var myApiKey = builder.Configuration["MyService:ApiKey"];

Production environment: Environment Variables

What it is: Environment variables are key-value pairs configured on the hosting machine that can be read by your application at runtime.

Why use it: This method is ideal for cloud environments and containerized applications (e.g., Docker, Kubernetes) because it separates the configuration from the application package.

Example:

On a Linux/macOS system:

export MyService__ApiKey="my-production-api-key"

(The .NET configuration system replaces __ with the hierarchy separator :).

In your code, you access it the same way as a User Secret:

// Program.cs
var myApiKey = builder.Configuration["MyService:ApiKey"];

Cloud-Native Production: Key Vault

What it is: Cloud-based secret stores, like Azure Key Vault or AWS Secrets Manager, offer a centralized, secure service for managing application secrets. They provide encryption, access control, and audit logging.

How it works in .NET: A NuGet package and the DefaultAzureCredential simplify integration, allowing your application to retrieve secrets securely from the vault without any hard-coded credentials.

Example:

Install the required NuGet packages: Azure.Extensions.AspNetCore.Configuration.Secrets and Azure.Identity.

Configure your application to use the Key Vault:

var builder = WebApplication.CreateBuilder(args);
var keyVaultUri = new Uri(builder.Configuration["KeyVaultUri"]);
builder.Configuration.AddAzureKeyVault(keyVaultUri, new DefaultAzureCredential());
var app = builder.Build();

Advantages

• Prevents hard-coding: Eliminates the major security risk of embedding sensitive data directly in source code or configuration files.
• Environment-specific configuration: Enables seamless deployment across different environments (development, staging, production) by loading the correct secrets based on the context.
• Enhanced security: Secure storage (like Key Vault) provides encryption-at-rest and in-transit, along with granular access controls.
• Centralized management: Tools like Key Vault allow for centralized management, auditing, and monitoring of all application secrets.
• Automated rotation: Secret management systems can automate the rotation of secrets (e.g., database passwords), significantly reducing security risk.

Disadvantages

• Increased complexity: Introducing specialized secret management tools and processes adds overhead to the development and deployment process.
• Cost of services: Cloud-based secret vaults typically incur costs based on the number of secrets stored and API calls made.
• Dependencies and potential throttling: Relying on external services for secrets can introduce dependencies. Cloud services may impose API request throttling that can affect performance.
• Learning curve: Developers and DevOps teams need to be trained on the new tools, processes, and security best practices.
• Startup time overhead: Retrieving secrets from a remote service during application startup can add a small amount of latency.

Best practices and tips

• Use User Secrets for development only. Never use the secrets.json file for production environments, as the secrets are stored unencrypted.
• Use environment variables for simplicity. For containerized and smaller cloud-hosted applications, environment variables are a simple and effective way to handle production secrets.
• Leverage cloud-based vaults for production. For enterprise-grade security and scalability, use a dedicated vault service like Azure Key Vault or AWS Secrets Manager.
• Implement least-privilege access. Ensure that applications and users only have the minimum required permissions to access secrets. Use role-based access control (RBAC) wherever possible.
• Automate secret rotation. Configure your secret management system to automatically rotate secrets on a regular schedule. This limits the lifespan of a compromised secret.
• Use Managed Identities. When deploying to Azure, use Managed Identities to provide an identity for your application, eliminating the need to manage credentials yourself.
• Monitor and audit access. Take advantage of audit trails to track who is accessing secrets and when. Monitor for anomalous access patterns.
• Protect your "Secret Zero." The initial credential used to access the secret management system is critical. Secure this "Secret Zero" with the strongest possible authentication and protection.

Precautions

• Never commit secrets to source control. Ensure that configuration files containing secrets are ignored by your version control system (e.g., in .gitignore).
• Watch for secrets in logs. Be careful not to log sensitive information. Ensure your application's logging configuration redacts or avoids logging secrets.
• Encrypt secrets at rest and in transit. Ensure your chosen solution encrypts data when it is stored and uses TLS for transport.
• Plan for outages. Have a "break-glass" procedure in case your secret management service becomes unavailable. Back up your secrets to a separate, secure location.
• Isolate environments. Use separate secret stores for development, staging, and production. Never share secrets between environments.
• Don't rely on file location. Microsoft's User Secrets implementation details can change. Always use the .NET configuration API to retrieve secrets, not file paths.