6

I'm new to ASP.NET Core, and I'm trying to develop an ASP.NET Core MVC Web API. I need to connect to my database, and I have no idea where I should put my connection string. I put it in the appsettings.json file, but that will expose my database password when I deploy the API to non-Azure hosting. I tried Secret Manager, but it seems to be just for the development stage; I'm not sure whether I understand that right or not. I tried putting it in an environment variable, but it does not work in my IIS hosting. May I know how I can secure my sensitive data when deploying to non-Azure hosting? Where should I put it?

5
  • Are you worried that your ISP can read your appsettings.json? Commented Jan 8, 2020 at 15:04
  • I am not sure about this, but I BELIEVE that IIS just doesn't serve the appsettings.json file, so if someone tries to surf to it, they will just get a 404 Commented Jan 8, 2020 at 15:04
  • @Steve Sort of, just worried. And I have read some articles saying that it is not a good idea to store sensitive data in a config file. So, I'm wondering how real-world deployments handle the connection string. Commented Jan 8, 2020 at 15:17
  • @StevenLemmens Yes, it won't be possible to surf to it. But is it secure to store it in the appsettings.json file when deploying to hosting? Commented Jan 8, 2020 at 15:18
  • 1
    It won't be served via IIS but it is still a problem that needs to be solved for a scenario where somebody could gain access to your server. Many Microsoft docs for ASP.NET Core seem to want to push people to Azure for many different services to resolve possible problems or security concerns and it's a bit frustrating to be honest. You could encrypt your appsettings at deploy time and decrypt at runtime. Commented Jan 8, 2020 at 15:48

3 Answers

3

Your main choices are:

  • JSON (unencrypted)
  • Environment variable (unencrypted)
  • Azure Key Vault (encrypted)

As you correctly ascertained, JSON will be plain-text and is undesirable as a result, mostly because of source control. If you're working on a closed-source solution, this is less of an issue, though. Once deployed on the server, file permissions can keep the details from prying eyes. User secrets is just JSON. It's better in that it's kept out of your project (so it doesn't get committed to your source control), but it's still stored unencrypted, and yes, it's only for development.

Azure Key Vault is the only built-in option that allows encryption, and thus, is the most secure option. You can use Azure Key Vault whether or not your app is actually hosted in Azure. However, it's not free (though, it's also not very expensive).

Environment variables are what's most commonly used outside of Azure Key Vault. While unencrypted, they're stored on the server (outside your project) and are only visible to users with sufficient privileges on that server. If a malicious actor is able to gain access to an account with privileges to view the environment variables, it could be argued that you have far worse problems than exposing database credentials, already.

If the environment variables are not being seen by your app, there are two things to look at:

  1. Ensure that you've added them as system variables and not user variables. User variables are only accessible by the user who was logged in while adding them (i.e. you), which is almost assuredly not the same user the web server is running as. Alternatively, you can log in as the web server user to add the variables as user variables. This is common when running under a service account. It adds a questionable degree of extra security, as only that one account can see the values, not any admin-level account (smaller attack surface).

  2. If using IIS, you must edit the advanced settings of the App Pool, and enable "Load User Profile" from there.
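As an added example (not the answerer's code, and not from any project mentioned on the page), here is the application side of the environment-variable approach on ASP.NET Core 6+: the provider order the default builder registers, the `__` naming that maps an environment variable onto a `ConnectionStrings:` key, a fail-fast check at startup, and a startup log line that records which provider supplied the value without ever printing it. The connection-string name "Default", the `/health` endpoint and the policy of refusing a value that came from a JSON file outside Development are this example's own choices.

```csharp
// Program.cs for an ASP.NET Core 6+ Web API (added example, not from the original thread).
// Assumes the packages that ship with the default web template; "Default" is this
// example's own connection-string name.
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Configuration.Json;
using Microsoft.Extensions.Hosting;
using Microsoft.Extensions.Logging;

var builder = WebApplication.CreateBuilder(args);

// CreateBuilder already registers, in this order: appsettings.json,
// appsettings.{Environment}.json, user secrets (Development only),
// environment variables, then command-line arguments. Later sources override
// earlier ones, so an environment variable named
//     ConnectionStrings__Default
// (a double underscore becomes ':' in configuration keys) wins over any
// ConnectionStrings:Default value that was left in the JSON files.
const string key = "ConnectionStrings:Default";
var root = (IConfigurationRoot)builder.Configuration;
var connectionString = builder.Configuration.GetConnectionString("Default");

if (string.IsNullOrWhiteSpace(connectionString))
{
    // Fail at startup rather than on the first database call. The message names
    // the two IIS causes from the answer above; it does not echo any value.
    throw new InvalidOperationException(
        $"{key} is not configured. On IIS, set the machine-level environment variable " +
        "ConnectionStrings__Default and restart IIS, or enable 'Load User Profile' on the " +
        "app pool if the variable belongs to the pool identity's user profile.");
}

// Which provider supplied the winning value? Reported in the log instead of the
// value itself, so a mis-scoped environment variable is diagnosable without
// leaking the credential.
var source = ConfigSource.Of(root, key);

// Policy (this example's choice): outside Development, a connection string that
// still comes from a deployed JSON file is a deployment mistake, so refuse to start.
if (!builder.Environment.IsDevelopment() && source is JsonConfigurationProvider)
{
    throw new InvalidOperationException(
        $"{key} was read from {source} in the {builder.Environment.EnvironmentName} environment; " +
        "move it into an environment variable or a secret store and remove it from the JSON file.");
}

var app = builder.Build();
app.Logger.LogInformation("{Key} supplied by {Provider}", key, source);
app.MapGet("/health", () => Results.Ok());
app.Run();

static class ConfigSource
{
    // Walks the providers in registration order and returns the last one that
    // holds the key, because the last registered provider wins in a lookup.
    public static IConfigurationProvider? Of(IConfigurationRoot root, string key)
    {
        IConfigurationProvider? winner = null;
        foreach (var provider in root.Providers)
        {
            if (provider.TryGet(key, out _))
            {
                winner = provider;
            }
        }
        return winner;
    }
}
```

Two checks worth doing on the IIS box after setting a machine-level variable: IIS worker processes inherit their environment from the Windows Process Activation Service, which reads it when the service starts, so run `iisreset` (or restart the WAS and W3SVC services) before concluding the variable is "not seen"; and if you instead put the variable in the `<environmentVariables>` child of the `<aspNetCore>` element in web.config, remember that file is plain text in the deployment folder exactly like appsettings.json, so its protection is the NTFS permissions on the site directory, nothing more.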


1 Comment

Also look at AWS Secure Parameter Store. You don't have to be tied to Azure for external environment variables.
1

There is an analog of Azure Key Vault that is free and open source. You can store your connection strings and other sensitive data there. There is also a client library for .NET.


0

I use "Manage Web Secrets" to keep the DB and any other crucial data secret from other developers and teammates.

This will help you isolate various platforms as well.

you can read more at https://learn.microsoft.com/en-us/aspnet/core/security/app-secrets?view=aspnetcore-3.1&tabs=windows

2 Comments

When I publish my project, I get an "appsettings.production.secrets.json" published on our servers, and I ensure the details are correct in this JSON file.
If stored in an environment variable, it is only for a particular user. When the API is deployed to the hosting, it won't work because the API can't get the connection string. Am I right? If stored in appsettings.json, it is plain text; will that be dangerous because it will expose the sensitive data?
