
What are the best ways to store and use sensitive config information such as a connection string? I used to store those in either app.config or web.config, and now in config.json, as plain text. This is not secure, especially when checking those files into publicly available source control. What are the most secure ways to store that type of data and utilize it within an app?

  • 1. The app.config and web.config allow for encryption on the connection strings. 2. Do not check sensitive information into source control; that's not what source control is for. 3. Not sure what you mean by personal key to some sort of device; this is too vague to attempt to answer, as that could be anything. Commented Aug 4, 2016 at 17:32
  • personal key to some sort of device == anything sensitive Commented Aug 4, 2016 at 17:35
  • That is still very vague. That could be user specific, it could be some static (central device) like a data store, maybe there are many of them, maybe there is only a single key. the questions go on. Also what/who gets to read that "key"? a user, any executing code?? Commented Aug 4, 2016 at 17:36
  • It is not important; I have removed that part from the question. Let's stick with the connection string. I would like to check the config.json into a Git repository, but don't like the fact that I have the connection string in plain text there. I still would love an option to log into another system, download the repository, and run the app. The connection string is an Azure db connection. Commented Aug 4, 2016 at 17:43
  • google.com/search?q=.net%20secure%20connection%20string offers plenty of results. Commented Aug 4, 2016 at 17:47

2 Answers


especially when checking those files into publicly available source control.

Don't do that.

That's exactly the point of putting your secret settings inside a config file, because you don't want to share them with the world. It's totally fine to have them in files on the machine - one would expect that people using your software have secured their machine to a certain point.

If you can't trust your users, then you need to store the config on your machine, and give your users an access token (say a username and password, or OAuth token) that they can use to talk to you, and then you keep the configs safe and secret.


2 Comments

Agreed. I still would like to check the config file in, due to the fact that I keep some other settings there that can be exposed to the public, but have the very sensitive data like the conn string somewhere else. I managed to implement what I was after with Environment Variables. Thanks for the response.
You could always provide a way to create a default config file.

After a few things I have tried, the best solution I found is to use Environment Variables on a Windows system. Not sure how that will work once I deploy to Azure, but for now it is working as expected. In my ASP.NET Core app, in Startup.cs, I add AddEnvironmentVariables:

    using Microsoft.AspNetCore.Hosting;
    using Microsoft.Extensions.Configuration;

    public class Startup
    {
        // Static so it can be read as Startup.Configuration elsewhere in the app.
        public static IConfigurationRoot Configuration { get; set; }

        public Startup(IHostingEnvironment appEnv)
        {
            var builder = new ConfigurationBuilder()
                .SetBasePath(appEnv.ContentRootPath)
                // Non-sensitive settings; safe to commit.
                .AddJsonFile("config.json")
                // Added last, so an environment variable overrides a key of the same name in config.json.
                .AddEnvironmentVariables();

            Configuration = builder.Build();
        }
    }

Here is the connection string:

(screenshot of the connection string set as a Windows environment variable; image not reproduced)

To consume it:

    string connStr = Startup.Configuration["Data:WorldContextConnection"];

In that case I can check every single file into GitHub; the only thing is that I would always need to add those Environment Variables on any system I will be working on.

2 Comments

I would go with command line variables then just have the thing that launches the executable pass in the values it needs. This approach plays nicer with launching a service from Azure too.
I like your suggestion; yes, this is another very good and secure option. Didn't know it could be implemented with Azure, will try that out for sure, thanks.
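The answer above layers config.json under environment variables, and the comment suggests command-line arguments as a third source. The following is an added example, not code from the question or either answer, that shows all three layers in one self-contained console program and fails closed when the secret was never supplied. It assumes the Microsoft.Extensions.Configuration.Json, .EnvironmentVariables and .CommandLine packages are referenced; the file name config.json and the key Data:WorldContextConnection come from the answer, while the placeholder value `<set via environment variable>` and the temp-directory setup are this example's own choices.

```csharp
// Added example (not from the original question or answers): layering a committed
// config.json under environment variables and command-line arguments with
// Microsoft.Extensions.Configuration. Later sources win, so the secret never has
// to live in the checked-in file.
using System;
using System.IO;
using Microsoft.Extensions.Configuration;

public static class SecretConfigDemo
{
    // Same order as the Startup in the answer, plus command line.
    // Precedence: command line > environment variables > config.json.
    public static IConfigurationRoot Build(string basePath, string[] args)
    {
        return new ConfigurationBuilder()
            .SetBasePath(basePath)
            // Committed file: holds only a placeholder for the secret.
            .AddJsonFile("config.json", optional: false, reloadOnChange: false)
            // The provider maps "__" in a variable name to ":", so
            // Data__WorldContextConnection becomes Data:WorldContextConnection.
            // A colon in the name works in the Windows environment dialog but not
            // in most Unix shells, so the double-underscore form is the portable one.
            .AddEnvironmentVariables()
            // Explicit override from whatever launches the process,
            // e.g. --Data:WorldContextConnection="Server=..."
            .AddCommandLine(args)
            .Build();
    }

    // Refuses to run with the placeholder still in place, so a missing override
    // fails loudly instead of silently connecting nowhere.
    public static string RequireConnectionString(IConfiguration config, string key)
    {
        string value = config[key];
        if (string.IsNullOrWhiteSpace(value) || value.StartsWith("<", StringComparison.Ordinal))
        {
            throw new InvalidOperationException(
                $"'{key}' is not set. Supply it via the {key.Replace(":", "__")} environment " +
                $"variable or a --{key}= command-line argument; do not put it in config.json.");
        }
        return value;
    }

    public static void Main(string[] args)
    {
        // Constructed sample config.json, written to a temp directory so the demo
        // runs without any files from the repository. The placeholder value is
        // this example's convention, not something the answer prescribes.
        string dir = Path.Combine(Path.GetTempPath(), "secret-config-demo");
        Directory.CreateDirectory(dir);
        File.WriteAllText(Path.Combine(dir, "config.json"),
            "{ \"AppName\": \"World\", \"Data\": { \"WorldContextConnection\": \"<set via environment variable>\" } }");

        IConfigurationRoot config = Build(dir, args);
        Console.WriteLine("AppName (from config.json): " + config["AppName"]);
        try
        {
            string conn = RequireConnectionString(config, "Data:WorldContextConnection");
            // Never log the connection string itself; only confirm it was supplied.
            Console.WriteLine("Connection string supplied (" + conn.Length + " characters).");
        }
        catch (InvalidOperationException ex)
        {
            Console.Error.WriteLine(ex.Message);
            Environment.ExitCode = 1;
        }
    }
}
```

Run it once with no override to see the failure message, then again with `Data__WorldContextConnection` exported in the environment or `--Data:WorldContextConnection=...` on the command line to see the override take effect. The check in `RequireConnectionString` is the part worth keeping: a committed placeholder only protects the secret if the application refuses to start when the placeholder is all it finds.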
