Menu
I followed the Safe storage of app secrets during development guide over on the asp.net docs during development but it does not describe how to use it when publishing to another machine for QA, Production, etc. What I figured it would do was insert them into the appsettings.json during publish but it does not. I ended up having to place my SendGrid keys and other sensitive information directly into the appsettings.json which really defeats the purpose of the app secrets.
Is using app secrets the best way or is there another way to store API keys and SQL user/passwords in my configs?
462
Secrets are stored in a separate configuration file in encrypted form. The secrets are then decrypted at runtime using AWS Key Management Service. This way you can version your secrets along with your application's source code, while avoiding storing secrets in clear text.
User Secrets is a great feature in ASP.NET Core that is an excellent alternative to using environment variables. User Secrets ensures that there is no sensitive data included in the source code. Instead, the user secrets are stored outside of the project folder — inside the user's profile folder in the file system.
Enable secret storage The inner text is arbitrary, but is unique to the project. In Visual Studio, right-click the project in Solution Explorer, and select Manage User Secrets from the context menu.
Don't use app secrets in production. Ever. As the article says DURING DEVELOPMENT.
How you publish secrets in production is up to your production environment. Linux, Windows and Azure all support environment variables - that's where your secrets should go, using whatever UI your hosting provider gives you.
The app settings documentation goes into this in greater detail
98
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
