1

Okay so I have a Web API I am making for talking to a SQL Azure database and following this tutorial here: https://learn.microsoft.com/en-us/azure/sql-database/sql-database-security-tutorial

I get to the section I already know on how to copy the Azure connection strings and there are ones like this (ADO.NET):

```
Server=tcp:{myDatabase}.database.windows.net,1433;Initial Catalog=Expenses;Persist Security Info=False;User ID={your_username};Password={your_password};MultipleActiveResultSets=False;Encrypt=True;TrustServerCertificate=False;Connection Timeout=30;
```

I know I have to provide my credentials and I can put them in and get the API to work just fine. My question is how do I protect this string if I save it to GitHub or under source control? In the past with .NET I did a method with a protected configuration as shown here: https://learn.microsoft.com/en-us/dotnet/framework/data/adonet/connection-strings-and-configuration-files

Basically something like this:

```xml
<connectionStrings configProtectionProvider="DataProtectionConfigurationProvider">
  <EncryptedData>
    <CipherData>
      <CipherValue>{long ciphered value}</CipherValue>
    </CipherData>
  </EncryptedData>
</connectionStrings>
```

I was attempting to potentially extend services off of something like this article: Encrypted Configuration in ASP.NET Core

However I am using Azure and I know that mixing Azure into the mix gives you some other things to do as well. Are there any suggestions by people that have used Azure Databases on how they secure their connection string or at least a link to get me started?

djangojazz
  • There is guidance for that [here](https://learn.microsoft.com/en-us/aspnet/core/fundamentals/configuration/?view=aspnetcore-2.1&tabs=basicconfiguration). BTW, I would not recommend putting even encrypted settings up on GitHub. – Crowcoder Jul 20 '18 at 14:33
  • @Crowcoder Well then do you just add a gitignore or equivalent for that file? Also the example you gave just delves into the connection string obtaining methods, not encrypting it. – djangojazz Jul 20 '18 at 15:29

2 Answers

2

I guess that you are using Azure SQL Authentication (which needs a username and password) or Azure Integrated Security with password; that's why you are concerned about protecting the credentials.

If there is an option, I would suggest using Azure Integrated Security (equivalent to Windows integrated security), which avoids exposing the user/service principal credentials in connection strings. It just needs that account in Azure Active Directory.

If this is not an option to consider, we can look at storing the connection string in Azure Key Vault and retrieving it dynamically for establishing the database connection.

Avanish
  • I think I am going to go with user secrets reading on this example: https://learn.microsoft.com/en-us/aspnet/core/security/app-secrets?view=aspnetcore-2.1&tabs=windows. However it notes not to use this for production so I may use this: https://learn.microsoft.com/en-us/aspnet/core/security/key-vault-configuration?view=aspnetcore-2.1&tabs=aspnetcore2x later. The latter seems like a lot more work to get set up and I am still working on my API at this point. – djangojazz Jul 23 '18 at 14:27
  • Are you referring to the managed identities functionality? From my (limited) understanding [this might not be possible with .NET Core 2.1 and using App Services](https://learn.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-connect-msi). – Fluous Nov 23 '18 at 14:23
0

If you are using Azure App Services there is another way of securely storing your connection strings (and other application secrets). In the Azure portal you can add these settings in the dashboard for your app service, under 'Application settings'. When you scroll down you will eventually come across the 'Application settings' and 'Connection strings' headers. As stated on the dashboard these settings are encrypted at rest and transmitted over an encrypted channel.

Screenshot secure settings for app services

Fluous
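
An added example, not part of either answer or of the linked Microsoft documentation: one way to keep the committed configuration free of credentials and merge them in at startup from user secrets, environment variables or App Service settings, failing closed when they are absent. The class name `ExpensesDb`, the key names `Db:UserId` and `Db:Password`, and the server name are assumptions made for this example.

```csharp
using System;
using System.Collections.Generic;
using System.Data.SqlClient;
using Microsoft.Extensions.Configuration;

public static class ExpensesDb
{
    // "Db:UserId" and "Db:Password" are hypothetical key names chosen for this example.
    public static string BuildConnectionString(IConfiguration config)
    {
        var template = config.GetConnectionString("Expenses")
            ?? throw new InvalidOperationException("ConnectionStrings:Expenses is not configured.");
        var builder = new SqlConnectionStringBuilder(template);

        // A full string supplied by the host (for example an App Service
        // connection string) already carries credentials: use it unchanged.
        if (string.IsNullOrEmpty(builder.Password))
        {
            var user = config["Db:UserId"];
            var password = config["Db:Password"];
            if (string.IsNullOrEmpty(user) || string.IsNullOrEmpty(password))
                throw new InvalidOperationException("Db:UserId and Db:Password are not configured.");
            builder.UserID = user;
            builder.Password = password;
        }
        // Enforce the transport settings of the portal string even if a template omits them.
        builder.Encrypt = true;
        builder.TrustServerCertificate = false;
        builder.PersistSecurityInfo = false;
        return builder.ConnectionString;
    }

    public static void Main()
    {
        var config = new ConfigurationBuilder()
            // Constructed stand-in for a committed appsettings.json: no credentials in it.
            .AddInMemoryCollection(new Dictionary<string, string>
            {
                ["ConnectionStrings:Expenses"] =
                    "Server=tcp:example-server.database.windows.net,1433;Initial Catalog=Expenses;Connection Timeout=30;"
            })
            // Later providers win: Db__UserId / Db__Password, or SQLAZURECONNSTR_Expenses from App Service.
            .AddEnvironmentVariables()
            .Build();
        var cs = new SqlConnectionStringBuilder(BuildConnectionString(config));
        Console.WriteLine($"{cs.DataSource} / {cs.InitialCatalog} as {cs.UserID}"); // never log the password
    }
}
```

In an ASP.NET Core project the default host builder already layers appsettings.json, user secrets (Development only) and environment variables, so only `BuildConnectionString` is needed there.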