Secret Management in .NET: Tools, Best Practices, and Practical Examples
Managing secrets like API keys, database connection strings, and certificates is critical for building secure .NET applications. Exposing secrets in source code or configuration files can lead to severe security risks. In this guide, we’ll cover secret management tools for .NET, when to use them, and practical examples.
Secret Management Tools Overview
Local Development
- dotnet user-secrets: Stores sensitive data outside source code for local development. Not suitable for production.
Managed Cloud Services
- Azure Key Vault: Securely stores secrets, keys, and certificates. Integrates with Managed Identity for credential-less access.
- AWS Secrets Manager / Parameter Store: Equivalent solutions for AWS-hosted applications.
Enterprise / Vault Solutions
- HashiCorp Vault: Offers advanced features like dynamic secrets, secret leasing, RBAC, and auditing. Libraries like VaultSharp make integration with .NET easy.
Containers & Orchestration
- Kubernetes Secrets and Docker Secrets: Suitable for containerized applications, with one caveat: a Kubernetes Secret is only base64-encoded and is stored in etcd unencrypted unless encryption at rest is configured, so lock down access with RBAC and prefer sourcing secrets from Vault or Key Vault (for example through the Secrets Store CSI Driver) instead of committing Secret manifests.
CI/CD Secret Stores
- GitHub Actions Secrets, GitLab CI variables, Azure DevOps Pipeline variables: Use these to inject secrets during deployment without hardcoding them.
When to Use Which Tool
| Scenario | Recommended Tool |
|---|---|
| Local development | dotnet user-secrets |
| Staging / Production | Azure Key Vault or HashiCorp Vault |
| Containers / Kubernetes | Vault or Key Vault via the Secrets Store CSI Driver |
| CI/CD | CI/CD secrets store or inject from a central vault |
Best Practices
- Never store secrets in source code or the repository (that includes appsettings.*.json, launchSettings.json and Dockerfiles); run a secret scanner in CI to catch accidental commits.
- Use least privilege (RBAC): services should access only the secrets they need.
- Enable short-lived credentials and automatic rotation.
- Secure CI/CD pipelines: mask secrets in logs, never echo them, and scope pipeline secrets to the environments and branches that actually deploy.
- Encrypt secrets in transit and at rest.
- Enable audit and monitoring for all secret access.
Practical .NET Examples
Using dotnet user-secrets (Local Development)
# Initialize user-secrets for the project
dotnet user-secrets init
# Set a secret
dotnet user-secrets set "ConnectionStrings:Default" "Server=...;User Id=...;Password=..."
ASP.NET Core's default host builder loads these secrets only when the environment is Development. They are stored unencrypted in the user profile (%APPDATA%\Microsoft\UserSecrets\<user_secrets_id>\secrets.json on Windows, ~/.microsoft/usersecrets/<user_secrets_id>/secrets.json on Linux and macOS), so the protection they give is only that the values live outside the repository; that is why they are not a production mechanism.
Using Azure Key Vault
// Program.cs (Minimal API / .NET 6+)
// Requires the Azure.Extensions.AspNetCore.Configuration.Secrets and Azure.Identity packages
using Azure.Identity;
var builder = WebApplication.CreateBuilder(args);
// Add Azure Key Vault as a configuration source. Each secret becomes an IConfiguration key;
// a secret named "ConnectionStrings--Default" is exposed as "ConnectionStrings:Default".
builder.Configuration.AddAzureKeyVault(
    new Uri("https://<YourVaultName>.vault.azure.net/"),
    new DefaultAzureCredential()); // Managed Identity in Azure; developer credentials (Azure CLI, Visual Studio) locally
var app = builder.Build();
app.Run();
Tip: Prefer Managed Identity so no credential is stored in code or configuration. DefaultAzureCredential walks a chain of sources (environment variables, Managed Identity, Visual Studio, Azure CLI, and others); that is convenient for local development, but in production pin it to ManagedIdentityCredential so a misconfiguration cannot silently fall back to a developer credential. Grant the identity only the Key Vault Secrets User role (read secrets), not Key Vault Administrator.
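The snippet above pulls every secret in the vault into configuration. In practice you want a service to load only the secrets it owns and to pick up rotated values without a restart. The following is an added example, not code from the original post: it assumes the Azure.Extensions.AspNetCore.Configuration.Secrets and Azure.Identity packages, and the vault name, the `orders-api` prefix, the `DbOptions` type and the `PrefixKeyVaultSecretManager` class are placeholders chosen for this illustration.

```csharp
// Program.cs (added example; assumes Azure.Extensions.AspNetCore.Configuration.Secrets + Azure.Identity)
using Azure.Extensions.AspNetCore.Configuration.Secrets;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Options;

var builder = WebApplication.CreateBuilder(args);

builder.Configuration.AddAzureKeyVault(
    new Uri("https://<YourVaultName>.vault.azure.net/"),   // placeholder vault
    new DefaultAzureCredential(),
    new AzureKeyVaultConfigurationOptions
    {
        // Only secrets named "orders-api--*" have their values fetched; the rest of the vault is skipped.
        // (The identity still needs list permission on the vault; the real access boundary is vault RBAC.)
        Manager = new PrefixKeyVaultSecretManager("orders-api"),
        // Re-read the vault periodically so a rotated secret reaches IOptionsMonitor<T> consumers.
        ReloadInterval = TimeSpan.FromMinutes(5)
    });

// Bind "ConnectionStrings:Default" (vault secret "orders-api--ConnectionStrings--Default")
// and refuse to start if it is missing, instead of failing on the first DB call.
builder.Services.AddOptions<DbOptions>()
    .BindConfiguration("ConnectionStrings")
    .Validate(o => !string.IsNullOrWhiteSpace(o.Default), "ConnectionStrings:Default is not configured")
    .ValidateOnStart();

var app = builder.Build();

// Diagnostics endpoint: report presence only, never the value itself.
app.MapGet("/health/config", (IOptionsMonitor<DbOptions> opts) =>
    Results.Ok(new { hasConnectionString = !string.IsNullOrEmpty(opts.CurrentValue.Default) }));

app.Run();

public sealed class DbOptions
{
    public string? Default { get; set; }
}

// Hypothetical manager: filters on a per-service prefix and strips it, so one vault can serve
// several services while each service's configuration sees only its own keys.
public sealed class PrefixKeyVaultSecretManager : KeyVaultSecretManager
{
    private readonly string _prefix;

    public PrefixKeyVaultSecretManager(string prefix) => _prefix = prefix + "--";

    // Decide, from the listing, which secrets are worth a Get call.
    public override bool Load(SecretProperties secret) =>
        secret.Name.StartsWith(_prefix, StringComparison.OrdinalIgnoreCase);

    // Map "orders-api--ConnectionStrings--Default" to "ConnectionStrings:Default".
    public override string GetKey(KeyVaultSecret secret) =>
        secret.Name[_prefix.Length..].Replace("--", ConfigurationPath.KeyDelimiter);
}
```

Consumers that inject `IOptionsMonitor<DbOptions>` (rather than `IOptions<DbOptions>`) see the rotated value after the next reload; anything that caches a connection string at startup will keep the old one until restart, which is exactly the behaviour a rotation test should flush out.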
Using HashiCorp Vault
// Using the VaultSharp library (NuGet package VaultSharp)
using VaultSharp;
using VaultSharp.V1.AuthMethods.Token;
using VaultSharp.V1.Commons;
using VaultSharp.V1.SecretsEngines.KeyValue.V2;

// Token auth is shown for brevity. A Vault token belongs in neither source nor config:
// take it from the environment (VAULT_TOKEN), or better, authenticate with AppRole / Kubernetes auth.
var authMethod = new TokenAuthMethodInfo(Environment.GetEnvironmentVariable("VAULT_TOKEN"));
var vaultClientSettings = new VaultClientSettings("https://vault-server:8200", authMethod);
var client = new VaultClient(vaultClientSettings);

// Reads the latest version of "myapp/secrets" from the KV v2 engine (default mount "secret")
Secret<SecretData> secret = await client.V1.Secrets.KeyValue.V2.ReadSecretAsync(path: "myapp/secrets");
string dbPassword = secret.Data.Data["DbPassword"].ToString();
- Optionally use Vault Agent: it handles authentication (auto-auth), caches and renews leases, and can render secrets into files or templates for the application, so the app never holds a Vault token of its own.
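The static-token read above does not use the features that make Vault worth running: short-lived auth and dynamic secrets. The following is an added example, not code from the original post. It authenticates with AppRole, asks the database secrets engine for a per-instance username/password that Vault revokes when the lease ends, renews the lease while the service runs, and revokes it on shutdown. It assumes VaultSharp's AppRole and database-engine APIs as named here (`AppRoleAuthMethodInfo`, `GetCredentialsAsync`, `RenewLeaseAsync`, `RevokeLeaseAsync`; check them against the VaultSharp version you use), and the role names, mount paths and environment variable names are placeholders.

```csharp
// Added example (assumes the VaultSharp NuGet package; role and variable names are placeholders)
using VaultSharp;
using VaultSharp.Core;
using VaultSharp.V1.AuthMethods.AppRole;
using VaultSharp.V1.Commons;
using VaultSharp.V1.SecretsEngines.Database;

public sealed class VaultDbCredentialProvider : IAsyncDisposable
{
    private readonly IVaultClient _client;
    private readonly string _dbRole;
    private volatile Secret<UsernamePasswordCredentials>? _lease;

    public VaultDbCredentialProvider(string vaultAddress, string roleId, string secretId, string dbRole)
    {
        // RoleID ships with the deployment; SecretID is injected at runtime (orchestrator or CI/CD)
        // and is typically single-use and short-lived, so there is no long-lived token to leak.
        var settings = new VaultClientSettings(vaultAddress, new AppRoleAuthMethodInfo(roleId, secretId));
        _client = new VaultClient(settings);
        _dbRole = dbRole; // e.g. a role on the "database" engine that creates a least-privilege DB user
    }

    // Returns credentials Vault created for this instance; Vault drops the DB user when the lease expires.
    public async Task<(string Username, string Password)> GetCredentialsAsync()
    {
        _lease ??= await _client.V1.Secrets.Database.GetCredentialsAsync(_dbRole);
        return (_lease.Data.Username, _lease.Data.Password);
    }

    // Renew at roughly two thirds of the lease duration. If renewal fails (max TTL reached, Vault
    // unreachable), forget the lease so the next GetCredentialsAsync requests a fresh credential
    // instead of continuing with one that is about to be revoked.
    public async Task RenewLoopAsync(CancellationToken ct)
    {
        while (!ct.IsCancellationRequested)
        {
            var lease = _lease;
            if (lease is null || !lease.Renewable)
            {
                await Task.Delay(TimeSpan.FromSeconds(30), ct);
                continue;
            }

            await Task.Delay(TimeSpan.FromSeconds(lease.LeaseDurationSeconds * 2 / 3), ct);
            try
            {
                // Ask for the same increment again; Vault may grant less as max_ttl approaches.
                await _client.V1.System.RenewLeaseAsync(lease.LeaseId, lease.LeaseDurationSeconds);
            }
            catch (VaultApiException)
            {
                _lease = null;
            }
        }
    }

    // Revoke on shutdown so the DB user disappears immediately rather than at lease expiry.
    public async ValueTask DisposeAsync()
    {
        var lease = _lease;
        if (lease is not null)
            await _client.V1.System.RevokeLeaseAsync(lease.LeaseId);
    }
}

// Usage (placeholders): RoleID from deployment config, SecretID injected into the environment.
// await using var creds = new VaultDbCredentialProvider(
//     "https://vault-server:8200",
//     Environment.GetEnvironmentVariable("VAULT_ROLE_ID")!,
//     Environment.GetEnvironmentVariable("VAULT_SECRET_ID")!,
//     dbRole: "orders-api");
// _ = creds.RenewLoopAsync(appStoppingToken);
// var (user, password) = await creds.GetCredentialsAsync();
```

Because every instance gets its own credential, a leaked password identifies which instance leaked it, and revoking that one lease does not affect the others; that is the auditing and blast-radius benefit the "dynamic secrets, secret leasing" bullet refers to.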
Pros and Cons
| Tool | Pros | Cons |
|---|---|---|
| user-secrets | Easy, fast for dev | Not for production |
| Azure Key Vault | Managed, easy integration, encryption built-in | Azure dependency |
| HashiCorp Vault | Feature-rich, multi-cloud, dynamic secrets | Operational complexity |
Practical Tips for .NET Teams
- Development: user-secrets + local environment variables.
- Staging/Production: Centralized secret store (Azure Key Vault or HashiCorp Vault). Use Managed Identity or short-lived credentials.
- CI/CD: Inject secrets from vault or CI/CD secrets store. Never log secrets.
- Test rotations & failure scenarios to ensure your app handles temporary secret store unavailability.
- Enable audit & alerts for suspicious access.
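The rotation and unavailability tests in the list above are easier to reason about with a concrete caching layer in front of the secret store. The following is an added example, not code from the original post: a provider that serves a cached value while it is fresh, re-fetches after a refresh interval so rotations are picked up, keeps serving the last-known-good value when the store is temporarily down (and makes that visible through an event, never by logging the value), and fails fast only when it has never obtained the secret at all. `ISecretStore`, `CachedSecretProvider` and `ScriptedStore` are hypothetical names; the scripted responses are constructed test data. In a real service, `ISecretStore` would wrap Key Vault's `SecretClient` or a VaultSharp client.

```csharp
// Added example; all type names are placeholders, the ScriptedStore responses are constructed.
using System.Collections.Concurrent;
using System.Net.Http;

public interface ISecretStore
{
    Task<string> GetSecretAsync(string name, CancellationToken ct = default);
}

public sealed class CachedSecretProvider
{
    private readonly ISecretStore _store;
    private readonly TimeSpan _refreshAfter;
    private readonly Func<DateTimeOffset> _now; // injectable clock so tests can move time forward
    private readonly ConcurrentDictionary<string, (string Value, DateTimeOffset FetchedAt)> _cache = new();

    // Hook for metrics/alerts when a stale value is served; it carries the name and error, never the value.
    public event Action<string, Exception>? Fallback;

    public CachedSecretProvider(ISecretStore store, TimeSpan refreshAfter, Func<DateTimeOffset>? now = null)
    {
        _store = store;
        _refreshAfter = refreshAfter;
        _now = now ?? (() => DateTimeOffset.UtcNow);
    }

    public async Task<string> GetAsync(string name, CancellationToken ct = default)
    {
        var now = _now();
        if (_cache.TryGetValue(name, out var entry) && now - entry.FetchedAt < _refreshAfter)
            return entry.Value; // fresh enough: no round trip to the store

        try
        {
            var value = await _store.GetSecretAsync(name, ct);
            _cache[name] = (value, now); // a rotated value replaces the old one here
            return value;
        }
        catch (Exception ex) when (ex is not OperationCanceledException)
        {
            if (_cache.TryGetValue(name, out entry))
            {
                Fallback?.Invoke(name, ex); // store unreachable: serve last-known-good, but make it visible
                return entry.Value;
            }
            throw; // never had the secret: fail fast rather than start without it
        }
    }

    // Call when the consumer (e.g. the database) rejects the credential: it was probably rotated
    // before the refresh interval elapsed, so force the next GetAsync to hit the store.
    public void Invalidate(string name) => _cache.TryRemove(name, out _);
}

// Constructed stand-in for a real store: replays scripted outcomes in order.
public sealed class ScriptedStore : ISecretStore
{
    private readonly Queue<Func<string>> _responses = new();
    public int Calls { get; private set; }

    public ScriptedStore Returns(string value) { _responses.Enqueue(() => value); return this; }
    public ScriptedStore Fails(string reason) { _responses.Enqueue(() => throw new HttpRequestException(reason)); return this; }

    public Task<string> GetSecretAsync(string name, CancellationToken ct = default)
    {
        Calls++;
        return Task.FromResult(_responses.Dequeue()());
    }
}

public static class Program
{
    static void Check(bool condition, string what) { if (!condition) throw new Exception("unexpected: " + what); }

    public static async Task Main()
    {
        var clock = DateTimeOffset.UtcNow;
        var store = new ScriptedStore().Returns("v1").Fails("503 from secret store").Returns("v2").Returns("v3");
        var secrets = new CachedSecretProvider(store, TimeSpan.FromMinutes(5), () => clock);
        var fallbacks = 0;
        secrets.Fallback += (name, ex) => fallbacks++;

        Check(await secrets.GetAsync("DbPassword") == "v1" && store.Calls == 1, "first fetch goes to the store");
        Check(await secrets.GetAsync("DbPassword") == "v1" && store.Calls == 1, "fresh value is served from cache");

        clock += TimeSpan.FromMinutes(6); // refresh interval elapsed, store is now down
        Check(await secrets.GetAsync("DbPassword") == "v1" && fallbacks == 1, "outage: last-known-good served");

        Check(await secrets.GetAsync("DbPassword") == "v2", "store back: rotated value picked up");

        secrets.Invalidate("DbPassword"); // consumer reported an auth failure
        Check(await secrets.GetAsync("DbPassword") == "v3", "invalidate forces a re-fetch");

        Console.WriteLine("all rotation / outage scenarios behaved as expected");
    }
}
```

The fail-fast branch is deliberate: a service that starts without its database secret will usually fail later in a less obvious place, whereas a service that keeps running on a cached value during a short outage is the behaviour you want, provided the fallback is counted and alerted on so a long outage does not go unnoticed.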
Implementing secret management properly makes your .NET applications more secure, maintainable, and compliant with modern security standards.