How To Keep SECRET Strings REALLY SECRET in ASP.NET Core?

Рет қаралды 9,997

Күн бұрын

Пікірлер: 37

@3rd_Century Жыл бұрын

Thank you Dan. On a side note. If you right mouse click on the project file, from the menu you can select "Manage User Secrets". Another way besides the command line. This is in VS 2022.

@Codewrinkles Жыл бұрын

Thanks for the tip. I'll look if it's also available in Rider. I haven't noticed it.

@danielegiovanetti9258 Жыл бұрын

This is the information I need. Special thanks Dan. As always super clear explanation.

@Codewrinkles Жыл бұрын

Glad it was helpful!

@MarllonVilano Жыл бұрын

Thanks for providing exactly the knowledge I needed. I'm gonna combine this with Gitlab environment variables when deploying the application.

@Codewrinkles Жыл бұрын

Glad it was helpful!

@erinh0201 Жыл бұрын

Hi! Did you ever create a video that shows how to store keys in environment variables for production on an on-prem windows server? I know how to create the variables in Windows and deploy the app to IIS, but I would like to see a quick example in the .net core code of how to get it to reference those local environment variables. For instance, is there something we need to add to the program or something so that it knows to look in the local environmental variables? Thanks!

@renatoloefstop 10 ай бұрын

me too!

@emllik2155 7 ай бұрын

For anyone still wondering about this, here's one way you can do it: Environment.SetEnvironmentVariable("DefaultConnection", "connection string value"); string connString = Environment.GetEnvironmentVariable("DefaultConnection"); This way the environment variable exists only for the duration of the running application process. You can just put this inside Program.cs if you like.

@xelaksal6690 Жыл бұрын

Thanks for clear explanation and good examples!

@Codewrinkles Жыл бұрын

Glad it was helpful!

@49riddickful Жыл бұрын

Normally one can use the AzureKeyVault to store the connection strings etc. when deploying your application. Is that correct?

@Codewrinkles Жыл бұрын

Yes, Azure Key Vault would be a go-to. There are other products/services that one could use, like Hashicorp.

@doogiehowser1124 5 ай бұрын

thanks for the video but i think there is a better way to encrypt/hide connection strings. Why use some other package like codewrinkles?

@coding-gemini Жыл бұрын

wow good to know something new, So if the app in on prem and there's no CI/CD how do we switch between the user secrets based on environment ?

@dfcw Жыл бұрын

You know how he uses "dev" to get the connection string. That "dev" could be a value stored in your appsettings.json per enviroment. i.e, different secrets for different enviroments.

@zephycz3537 Жыл бұрын

Very useful video, thanks 😉👍 . I got error "Could not find the global property 'UserSecretsId' in MSBuild project ...", but helped me call "dotnet user-secrets init" before calling " dotnet user-secrets set ...", then all was ok 🙂 .

@muradhossen2347 Жыл бұрын

Thank you for teaching me something new.

@Codewrinkles Жыл бұрын

My pleasure 😊

@Pedro-il8kx Жыл бұрын

Excellent, as always

@Codewrinkles Жыл бұрын

Thanks for watching

@MihaiMoisei Жыл бұрын

Like always very good content, Thanks.

@Codewrinkles Жыл бұрын

Thanks again!

@dharwal87 Жыл бұрын

Environment variables and user secrets are not best practice for production. You should go for azure key vault.

@societysvillain Жыл бұрын

Assuming the shop is running on Azure and not on-prem or something sure.

@dharwal87 Жыл бұрын

@@societysvillain you can use key vault even if your app is not in azure. If you don't want to use azure key vault its better to use encrypted secrets in your config.

@Barto2You Жыл бұрын

@@dharwal87 The encrypted secret should also be decrypted in your application. so if you don't want to use an env variable for storing your key for the decryption where do your store that key?

@dharwal87 Жыл бұрын

@@Barto2You It is always recommended to use certificate-based encryption and decryption. During deployment, the certificate's public key is used to encrypt the configuration values, and then the application loads the certificate and uses its private key to decrypt them. The certificate should be installed on your web server and password-protected.

@Barto2You Жыл бұрын

@@dharwal87 thx, do you know perhaps a good example on the internet of how to achieve this?