
Working With User Secrets in ASP.NET Core Applications

Posting your code to git repositories such as GitHub exposes some significant security concerns. Learn how to store code secrets on your local machine.

by Jurgen Gutsch · Apr. 04, 17 · Tutorial

In the past, there was a study about critical data in GitHub projects. The researchers wrote a crawler to find passwords, user names, and other secret stuff in projects on GitHub. And they found a lot of such data in public projects, even in the projects of huge companies, which should care about security.

Most of these credentials are stored in .config files. Of course, you need to configure the access to a database somewhere; you also need to configure the credentials for storage, mail servers, FTP, whatever. In many cases, these credentials are used for development, with a lot more rights than the production credentials.

The fact is, secret information shouldn't be pushed to any public source code repository. Even better, it shouldn't be pushed to any source code repository at all.

But what is the solution? How should we tell our app where to get this secret information?

On Azure, you are able to configure your settings directly in the application settings of your web app. This overrides the settings of your config file. It doesn't matter if it's a web.config or an appsettings.json.

But we can't do the same on the local development machine. There is no configuration like this. How and where do we save secret credentials?

With .NET Core, there is something similar now. There is a SecretManager tool, provided by the .NET Core SDK (Microsoft.Extensions.SecretManager.Tools), which you can access with the .NET CLI.

This tool stores your secrets locally on your machine. It is not a highly secure password manager like KeePass. It is not really highly secure, but on your development machine, it makes it possible not to store your secrets in a config file inside your project. And this is the important thing here.

To use the SecretManager tool, you need to add that tool in the "tools" section of your project.json, like this:

"Microsoft.Extensions.SecretManager.Tools": {
  "version": "1.0.0-preview2-final",
  "imports": "portable-net45+win8+dnxcore50"
},

Be sure you have a userSecretsId in your project.json. With this ID, the SecretManager tool assigns the user secrets to your app:

"userSecretsId": "aspnet-usersecretdemo-79c563d8-751d-48e5-a5b1-d0ec19e5d2b0",


If you create a new ASP.NET Core project with Visual Studio, the SecretManager tool is already added.

Now you just need to access your secrets inside your app. In a new Visual Studio project, this should also already be done and look like this:

public Startup(IHostingEnvironment env)
{
    _hostingEnvironment = env;

    var builder = new ConfigurationBuilder()
        .SetBasePath(env.ContentRootPath)
        .AddJsonFile("appsettings.json", optional: true, reloadOnChange: true)
        .AddJsonFile($"appsettings.{env.EnvironmentName}.json", optional: true);

    if (env.IsDevelopment())
    {
        // For more details on using the user secret store see
        // http://go.microsoft.com/fwlink/?linkid=532709
        builder.AddUserSecrets();

        // This will push telemetry data through Application
        // Insights pipeline faster, allowing you to view results
        // immediately.
        builder.AddApplicationInsightsSettings(developerMode: true);
    }

    builder.AddEnvironmentVariables();
    Configuration = builder.Build();
}

If you do not have a Visual Studio project that already contains the above code, add a NuGet reference to Microsoft.Extensions.Configuration.UserSecrets 1.0.0 in your project.json and add builder.AddUserSecrets(); as shown above.

The extension method AddUserSecrets() loads the secret information of that project into the ConfigurationBuilder. If the keys of the secrets are equal to the keys in the previously defined appsettings.json, the app settings will be overwritten.

Once all this is done, you will be able to use the tool to store new secrets:

dotnet user-secrets set key value 


If you create a separate section in your appsettings.config, just like the existing settings, you need to build the user secret key from the section name and the setting name, separated by a colon.

I created settings like this:

"appsettings": {
    "mysecretkey": "hallo from appsettings",
    "mytopsecretkey": "hallo from appsettings"
},

To overwrite the keys with the values from the SecretManager tool, I need to create entries like this:

dotnet user-secrets set appsettings:mysecretkey "hello from usersecretstore"
dotnet user-secrets set appsettings:mytopsecretkey "hello from usersecretstore"

Note: to override existing keys with new values, just set the secret again with the same key and the new value.

This way of handling secret data works pretty well for me.

The SecretManager tool knows three more commands:

  • dotnet user-secrets clear: removes all secrets from the store.
  • dotnet user-secrets list: shows you all existing keys.
  • dotnet user-secrets remove <key>: removes the specific key.

Just type dotnet user-secrets --help to see more information about the existing commands.

If you need to handle some more secrets in your project, it could make sense to create a small batch file to add the keys, or to share the settings with build and test environments. But never ever push this file to the source code repository.
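To find settings that still sit in appsettings.json and should move to the user secret store, the following added example (not part of the original article) flattens the file into the section:name keys described above and lists the ones whose names look like credentials. The name patterns, the placeholder list and the sample JSON are assumptions constructed for illustration, and the file is assumed to be plain JSON without comments.

```python
import json
import re

# Name fragments that usually indicate a credential (assumed list, extend as needed).
SUSPECT = re.compile(
    r"(password|passwd|pwd|secret|token|apikey|api_key|connectionstring|accountkey)", re.I)
# Values that are clearly placeholders and harmless to commit (assumed list).
PLACEHOLDER = re.compile(r"^(|changeme|<.*>|\*+|xxx+)$", re.I)


def flatten(node, prefix=""):
    """Yield (key, value) pairs with colon-separated keys, the format
    used by `dotnet user-secrets set section:name value`."""
    if isinstance(node, dict):
        for name, child in node.items():
            yield from flatten(child, f"{prefix}:{name}" if prefix else name)
    elif isinstance(node, list):
        for index, child in enumerate(node):  # arrays become section:0, section:1, ...
            yield from flatten(child, f"{prefix}:{index}")
    else:
        yield prefix, node


def find_secret_candidates(appsettings_text):
    """Return flattened keys that look like credentials and hold a real string value."""
    hits = []
    for key, value in flatten(json.loads(appsettings_text)):
        if not isinstance(value, str) or PLACEHOLDER.match(value.strip()):
            continue
        if SUSPECT.search(key):
            hits.append(key)
    return hits


def migration_commands(keys):
    """Commands to run by hand; the secret value is deliberately never echoed."""
    return [f'dotnet user-secrets set "{k}" "<value>"' for k in keys]


# Constructed sample input, not taken from a real project.
SAMPLE = """{
  "appsettings": {
    "mysecretkey": "hallo from appsettings",
    "pagesize": "20",
    "smtp": { "host": "mail.example.test", "password": "" }
  },
  "ConnectionStrings": { "Default": "Server=db;User Id=dev;Password=constructed" }
}"""

if __name__ == "__main__":
    for line in migration_commands(find_secret_candidates(SAMPLE)):
        print(line)
```

After moving a flagged value with the printed command, replace it in appsettings.json with an empty string or a placeholder so the key stays documented without carrying the secret.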


Published at DZone with permission of Jurgen Gutsch. See the original article here.
