Every year or two, we say to ourselves "Time to encrypt parts of the .config files (that include sql connection strings, etc.)"

Each time we dig in and say "Ouch, machine keys and stuff, that looks hard to manage." Every time we start walking through aspnet_regiis and the encryption chain, we say "how do we manage this across devops, version control, deployment and run time?"

We are now on Win2012-R2. Our .config files live in version control, and are pushed to between two and ten machines (depending on the app in question). Our apps are: asp.net apps under IIS, windows service apps, and (new!) nancy-hosted web servers (basically a windows service). We would like to encrypt several sections.

Is there a direct/simple way to achieve this across devops, version control, deployment and run time? (Or an alternative to putting sensitive info in .config files?)

Jonesome Reinstate Monica
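As an added illustration of the workflow the question walks through (not code from the question or the answer), the following PowerShell script shows the usual way to make aspnet_regiis encryption manageable across several machines: create one exportable RSA key container, export it once, import it on every target host, grant the application's identity access to it, declare the provider in the config, and then encrypt the section. Once this is in place, the encrypted .config can sit in version control and be deployed unchanged, and .NET decrypts the section transparently at run time through System.Configuration. All names here are assumptions: the key container "AppKeys", the provider "AppRsaProvider", the app pool "MyAppPool", the service account, the paths under C:\deploy, and the .NET 4.x assembly version in the provider type.

```powershell
# Added example: one RSA key container shared by several Win2012-R2 hosts.
# Assumed names (not from the question): container "AppKeys", provider
# "AppRsaProvider", app pool "MyAppPool", paths under C:\deploy.
# Run in an elevated PowerShell on each machine as indicated.

$regiis    = "$env:windir\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"
$container = "AppKeys"
$provider  = "AppRsaProvider"
$keyFile   = "C:\deploy\AppKeys.xml"   # contains the private key: move it out of band, never commit it

# --- 1. On ONE machine only: create an exportable machine-level container and export it
#        (fails if the container already exists, which is the safe default).
& $regiis -pc $container -exp
& $regiis -px $container $keyFile -pri

# --- 2. On EVERY target machine: import the same container, then grant read access
#        to the identity that will run the app (the app pool for IIS, the service
#        account for a Windows service / Nancy self-host).
& $regiis -pi $container $keyFile
& $regiis -pa $container "IIS APPPOOL\MyAppPool"
& $regiis -pa $container "NT AUTHORITY\NETWORK SERVICE"   # assumed service identity
Remove-Item $keyFile -Force   # the private key now lives in the machine key store

# --- 3. Declare the provider in the config so runtime decryption uses this container.
#        Done once and committed; the file is still plaintext at this point.
$configPath = "C:\deploy\MyApp\web.config"
[xml]$cfg = Get-Content $configPath
if (-not $cfg.configuration.configProtectedData) {
    $frag = $cfg.CreateDocumentFragment()
    $frag.InnerXml = @"
<configProtectedData>
  <providers>
    <add name="$provider"
         type="System.Configuration.RsaProtectedConfigurationProvider, System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
         keyContainerName="$container"
         useMachineContainer="true" />
  </providers>
</configProtectedData>
"@
    $cfg.configuration.AppendChild($frag) | Out-Null
    $cfg.Save($configPath)
}

# --- 4. Encrypt the section on any machine that has the container.
#        -pef takes the DIRECTORY and expects a file named web.config there; for a
#        Windows service's app.config, rename it to web.config for this step and back after.
& $regiis -pef "connectionStrings" (Split-Path $configPath) -prov $provider

# --- 5. Check the result before committing: the plaintext must be gone and the
#        section must now carry an <EncryptedData> element referencing the provider.
$encrypted = Select-String -Path $configPath -Pattern "<EncryptedData" -Quiet
$plainLeft = Select-String -Path $configPath -Pattern "Password=|pwd=" -Quiet
if ($encrypted -and -not $plainLeft) {
    "connectionStrings encrypted with $provider; this file is safe to commit and deploy"
} else {
    throw "encryption did not take effect; do not commit $configPath"
}
```

The split of responsibilities is what makes this manageable: the key material moves between machines exactly once (step 2) and never through version control, the provider declaration and the encrypted section are ordinary committed config, and the application code reads ConfigurationManager.ConnectionStrings as before. Decrypting for a local edit is the mirror command, `aspnet_regiis -pdf "connectionStrings" <directory>`, on a machine that has the container.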

1 Answer

Take a look at Vault from Hashicorp.

https://www.vaultproject.io/

It is an increasingly commonly deployed solution to the problem of secrets management in a devops/configuration management context, and it runs on Windows.

Jonah Benton
  • Does Vault handle secrets in .net config files, in a super easy or transparent way? (Transparent to the app consuming the config) – Jonesome Reinstate Monica Aug 28 '16 at 04:25
  • Well, Vault handles the hard part of ensuring that secrets are safely stored and distributed throughout an infrastructure, but the specific mechanisms for injecting them into application configuration appropriately have to be done by the application. The most common practice is to have the application know that configuration point X is a secret and should be pulled in using a secrets provider, which can then be bound to vault. When adding new secrets, this pattern can be reused. – Jonah Benton Aug 29 '16 at 08:56
  • Thx. Vault is interesting, but this is not a direct answer to the q – Jonesome Reinstate Monica Aug 29 '16 at 14:30
  • Vault is an alternative to putting sensitive information in config files, which is one of the requested requirements. Encrypted file systems are a transparent solution. Neither is simple nor direct. I wonder if simple/direct may describe any solution involving encryption or sensitive information. – Jonah Benton Aug 29 '16 at 15:08