Don't have Azure? Grab a free subscription.
I think almost everyone has committed a secret, key or password to git at some point in their development careers. I definitely have. And if you think you haven't, go double-check.
It sucks. And it's easy to do.
Azure's solution for secrets management is Azure Key Vault.
But what if you wanted to roll your own solution? We're engineers after all...
Rolling Your Own Secret Manager
Azure Key Vault is cheap but not completely free. And there is an overhead of learning the service. (Though I'd argue it's extremely simple.)
Secret Manager is a Microsoft solution for storing sensitive data during the development of an ASP.NET Core project.
Information is always stored in the user profile directory such as
%APPDATA%\microsoft\UserSecrets\<userSecretsId>\secrets.jsonfor Windows or
This means if other folks want to get your key store, they can target those directories b/c the JSON file is unencrypted. Not that my version is encrypted, it just isn’t stored in the user profile directory.
If you work in .NET Core, you can prevent an accidental push of sensitive data to GitHub.
Create a new .NET Core App in Visual Studio.
Add a file called
appSecrets.json and define a couple of secrets that you don’t want released.
appSecrets.json file to
Copy if newer inside of Visual Studio.
Add the following NuGet packages that allow you to easily read a local JSON file (such as your
appSecrets.json) and extract key pieces of information:
Add the following code inside the Main method. This uses
ConfigurationBuilder and searches for the file.
var builder = new ConfigurationBuilder()
.AddJsonFile("appSecrets.json", optional: false, reloadOnChange: true);
IConfigurationRoot configuration = builder.Build();
You can now access the value of the string with the following:
/.gitignore to ignore the
appSecrets.json that you added.
## Ignore Visual Studio temporary files, build results, and
## files generated by popular Visual Studio add-ons.
You can verify this file is ignored by looking for the red circle if using Visual Studio.
Not too complicated. But! I really do recommend using Azure Key Vault as it's simple and can protect you across your entire software delivery lifecycle.
Want to read more on secrets in Azure? We've got you covered on everything keys, secrets and certificates.!
We'll be posting articles every day in April, so stay tuned or jump ahead and check out more tips and tricks now.