
In my production env right now I have my key hard coded:

new SigningCredentials(new SymmetricSecurityKey(Encoding.UTF8.GetBytes("my jey bla bla")), SecurityAlgorithms.HmacSha256Signature);

Moving the key to a config file is a bad idea, and placing it here is even worse.

What is the best way to store and use the SymmetricSecurityKey?

Thanks

SexyMF
  • Are you sure that you are dealing with .NET Core? SymmetricSecurityKey doesn't seem to be available there. At least not according to the [documentation](https://learn.microsoft.com/en-us/dotnet/api/system.identitymodel.tokens.symmetricsecuritykey?view=netframework-4.8&viewFallbackFrom=netcore-3.0) – fredrik Nov 25 '19 at 08:09
  • @fredrik you are correct, my bad, I'm in a .NET Core app which is using .NET Framework in this case: `using System.IdentityModel.Tokens.Jwt;` – SexyMF Nov 25 '19 at 08:18

3 Answers


The best practice is to store your secrets in environment variables.

Windows:

SET "JWT_KEY=my jey bla bla"

Linux:

export JWT_KEY="my jey bla bla"

Then, to access it in your code you can use the System.Environment class. Specifically, the Environment.GetEnvironmentVariable method:

string jwtKey = Environment.GetEnvironmentVariable("JWT_KEY");
Yarden Shoham
  • I think this is not the ideal place to save this. When you work in the cloud, you can't restrict it from everyone... Thanks – SexyMF Nov 25 '19 at 08:23
  • @SexyMF What do you mean by that? Cloud service providers let you set environment variables. – Yarden Shoham Nov 25 '19 at 19:36
  • This answer is incorrect as I understand. The Environment Variables are stored inside a launchSettings.json (inside the Properties folder of your project), and according to the official documentation, the launchSettings.json is not deployed for your production environment. Source: https://learn.microsoft.com/en-us/aspnet/core/fundamentals/environments?view=aspnetcore-7.0#lsj – Ramiro G.M. Dec 17 '22 at 21:05

For secrets in your development environment you can store them in either environment variables or the secrets storage in Visual Studio. You can read about it here. For test, integration or development you can use the secrets logic that is available in your CI (assuming your CI supports this). For instance, in GitLab you can read about it here.

Environment variables

Environment variables are used to avoid storage of app secrets in code or in local configuration files. Environment variables override configuration values for all previously specified configuration sources.

Consider an ASP.NET Core web app in which Individual User Accounts security is enabled. A default database connection string is included in the project's appsettings.json file with the key DefaultConnection. The default connection string is for LocalDB, which runs in user mode and doesn't require a password. During app deployment, the DefaultConnection key value can be overridden with an environment variable's value. The environment variable may store the complete connection string with sensitive credentials.

Warning

Environment variables are generally stored in plain, unencrypted text. If the machine or process is compromised, environment variables can be accessed by untrusted parties. Additional measures to prevent disclosure of user secrets may be required.

Secret manager tool

The Secret Manager tool stores sensitive data during the development of an ASP.NET Core project. In this context, a piece of sensitive data is an app secret. App secrets are stored in a separate location from the project tree. The app secrets are associated with a specific project or shared across several projects. The app secrets aren't checked into source control.

Warning

The Secret Manager tool doesn't encrypt the stored secrets and shouldn't be treated as a trusted store. It's for development purposes only. The keys and values are stored in a JSON configuration file in the user profile directory.

RoelA
  • Both environment variables and secret manager tool only work in DEVELOPMENT. Please read this: https://learn.microsoft.com/en-us/aspnet/core/fundamentals/configuration/?view=aspnetcore-7.0. The "only" secure option microsoft gives is the Azure Key Vault. – Ramiro G.M. Dec 17 '22 at 21:02
  • @RamiroG.M. I guess my part about how to handle production came off confusing (I've now updated it). Values for production are stored in the CI, not in the secrets manager from MS. I linked to how this works in GitLab for instance. So locally you store it in the secrets manager and for the other OTAP parts you store it in your CI's secure storage. – RoelA Dec 19 '22 at 07:29
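As an added example (not code from the question or from either of the answers above), this is how the key from the question can be loaded from configuration instead of a string literal, combining both answers: the Secret Manager store in development and an environment variable in production, with the checks a practitioner wants before the key ever reaches SigningCredentials. The configuration key name `Jwt:Key`, the issuer and audience strings, the base64 encoding of the key and the NuGet packages named in the header comment are all assumptions of this example, not anything the page specifies.

```csharp
// Added example, not code from the question or from any of the answers.
// Assumed NuGet packages: System.IdentityModel.Tokens.Jwt,
// Microsoft.Extensions.Configuration.EnvironmentVariables,
// Microsoft.Extensions.Configuration.UserSecrets.
// Assumed configuration key: "Jwt:Key", holding the HMAC key base64-encoded.
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using Microsoft.Extensions.Configuration;
using Microsoft.IdentityModel.Tokens;

public static class JwtKeyLoader
{
    // RFC 7518 section 3.2: an HS256 key must be at least as long as the hash
    // output, i.e. 256 bits. An ASCII phrase like "my jey bla bla" is far short of that.
    private const int MinimumHs256KeyBytes = 32;

    // Placeholder values chosen for this example.
    private const string Issuer = "https://issuer.example";
    private const string Audience = "api.example";

    public static IConfiguration BuildConfiguration(bool isDevelopment)
    {
        var builder = new ConfigurationBuilder();
        if (isDevelopment)
        {
            // Development only: "dotnet user-secrets set Jwt:Key <base64>" writes an
            // unencrypted secrets.json under the user profile, outside the repo.
            builder.AddUserSecrets(typeof(JwtKeyLoader).Assembly, optional: true);
        }
        // Registered last so it overrides earlier sources. Production sets the
        // environment variable Jwt__Key; the double underscore maps to "Jwt:Key".
        builder.AddEnvironmentVariables();
        return builder.Build();
    }

    // Fails closed: a missing, malformed or short key stops startup instead of
    // silently signing tokens with whatever happened to be configured.
    public static SymmetricSecurityKey LoadKey(IConfiguration config)
    {
        string encoded = config["Jwt:Key"];
        if (string.IsNullOrWhiteSpace(encoded))
            throw new InvalidOperationException("Jwt:Key is not configured.");

        byte[] keyBytes;
        try
        {
            keyBytes = Convert.FromBase64String(encoded);
        }
        catch (FormatException e)
        {
            throw new InvalidOperationException("Jwt:Key must be base64-encoded.", e);
        }

        if (keyBytes.Length < MinimumHs256KeyBytes)
            throw new InvalidOperationException(
                $"Jwt:Key is {keyBytes.Length * 8} bits; HS256 requires at least 256.");

        return new SymmetricSecurityKey(keyBytes);
    }

    public static string IssueToken(SymmetricSecurityKey key, string subject)
    {
        // "HS256" is the JWT alg name; the HmacSha256Signature URI used in the
        // question is accepted by the handler as well.
        var credentials = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);
        var token = new JwtSecurityToken(
            issuer: Issuer,
            audience: Audience,
            claims: new[] { new Claim(JwtRegisteredClaimNames.Sub, subject) },
            expires: DateTime.UtcNow.AddMinutes(15),
            signingCredentials: credentials);
        return new JwtSecurityTokenHandler().WriteToken(token);
    }

    // Throws on a bad signature, wrong issuer/audience, expiry or unexpected alg.
    public static ClaimsPrincipal ValidateToken(SymmetricSecurityKey key, string jwt)
    {
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = Issuer,
            ValidAudience = Audience,
            IssuerSigningKey = key,
            ValidAlgorithms = new[] { SecurityAlgorithms.HmacSha256 }, // pin alg, no downgrade
            ClockSkew = TimeSpan.FromSeconds(30),
        };
        return new JwtSecurityTokenHandler().ValidateToken(jwt, parameters, out _);
    }

    public static void Main()
    {
        // Constructed for the demo only: a real deployment injects Jwt__Key before
        // the process starts (e.g. export Jwt__Key="$(openssl rand -base64 32)").
        Environment.SetEnvironmentVariable("Jwt__Key",
            Convert.ToBase64String(RandomNumberGenerator.GetBytes(32)));

        var key = LoadKey(BuildConfiguration(isDevelopment: false));
        string jwt = IssueToken(key, "alice");
        ValidateToken(key, jwt);
        Console.WriteLine("issued and validated: " + jwt);

        // A 128-bit key is rejected before any token is ever signed with it.
        Environment.SetEnvironmentVariable("Jwt__Key", Convert.ToBase64String(new byte[16]));
        try { LoadKey(BuildConfiguration(isDevelopment: false)); }
        catch (InvalidOperationException e) { Console.WriteLine("rejected: " + e.Message); }
    }
}
```

In a hosted ASP.NET Core app the default host builder already registers user secrets (only in the Development environment) and environment variables in this order, so there `builder.Configuration` can be passed straight to `LoadKey`; the part worth keeping is the fail-closed check, because a key that is absent or too short should stop the process at startup rather than surface later as unverifiable or trivially brute-forceable tokens.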

Both answers previously given I think are wrong. Both 1) environment variables and 2) secret manager tool only work in DEVELOPMENT. Please read this:

https://learn.microsoft.com/en-us/aspnet/core/fundamentals/configuration/?view=aspnetcore-7.0#security-and-user-secrets

The "only" secure option Microsoft gives us is the Azure Key Vault. I'm afraid I always set these things in appsettings.json because it seems to be the only affordable way. If someone knows a better way, please share it with us all... Blessings

Ramiro G.M.