Using user secrets to store sensitive data in .NET Core programs

Source: Internet
Author: User
Tags dotnet

Objective

Sensitive data such as an AppSecret or database connection strings, whether hard-coded or written in a configuration file, often gets pushed to SVN or git during development. In open source projects, this data has no privacy at all. In private projects, it is exposed as soon as the source control server is hacked. So the best practice is not to write sensitive data into the source code.

In the past, we wrote database connection strings in Web.config; in .NET Core they are written in appsettings.json. In the development environment, if a developer modifies the connection string, then in order not to affect the other developers the configuration file should be left out of every commit. If other configuration has been added that must be committed, the developer either undoes the connection string change before committing, or commits it directly and affects the other developers. Most of the time we just commit it and think nothing of it: the other developers pull the code and modify it again. But the best practice is not to write it in the configuration file at all.

Note that the issues mentioned above are in the development environment.

Secret Manager

.NET Core provides a tool called Secret Manager that enables the best practice described above. To emphasize once again: Secret Manager is intended only for the development environment.

Secret Manager abstracts away details such as where the data is stored and how it is stored. In short, it stores the data in plaintext in a local JSON file. The storage location differs by operating system.

Windows

%APPDATA%\Microsoft\UserSecrets\<usersecretsid>\secrets.json

Linux

~/.microsoft/usersecrets/<usersecretsid>/secrets.json

Mac

~/.microsoft/usersecrets/<usersecretsid>/secrets.json

The <usersecretsid> value is the UserSecretsId specified in the .csproj file, as described below.

Installation and use

Configuring and accessing user secrets requires two packages:

Microsoft.Extensions.SecretManager.Tools
Microsoft.Extensions.Configuration.UserSecrets

A few words on the two packages. The first is the tool package, which lets you use the dotnet user-secrets command to store data in the JSON file. The second package accesses the data stored in the JSON file through the .NET Core configuration system.

dotnet user-secrets -h

This command shows the usage of Secret Manager.

It has 4 commands.

Command   Description                            Syntax
clear     Removes all secrets for the program    dotnet user-secrets clear
list      Lists all secrets for the program      dotnet user-secrets list
remove    Removes the specified secret           dotnet user-secrets remove NameOfSecret
set       Sets a secret                          dotnet user-secrets set NameOfSecret ValueOfSecret

On a Mac, for example, the commands above operate on the file ~/.microsoft/usersecrets/<usersecretsid>/secrets.json. The UserSecretsId determines which project the secrets belong to.

UserSecretsId is specified in the .csproj file.

<PropertyGroup><UserSecretsId>value of UserSecretsId</UserSecretsId></PropertyGroup>

On Mac or Linux, the value of UserSecretsId can be generated with uuidgen.
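Because secrets.json is stored in plaintext, it helps to know exactly which file a project maps to and who can read it. The following is an added example, not part of the original article: it reads UserSecretsId from a .csproj, builds the Linux/Mac path given above, and flags a file that group or other users can access. The function names and the owner-only policy are assumptions of this example.

```bash
#!/bin/sh
# Added example (not from the original article). Linux/Mac layout only.

# Print the UserSecretsId declared in a .csproj file (empty if none).
user_secrets_id() {
    sed -n 's|.*<UserSecretsId>[[:space:]]*\([^<[:space:]]*\)[[:space:]]*</UserSecretsId>.*|\1|p' "$1" | head -n 1
}

# Print the secrets.json path that belongs to a .csproj file.
secrets_path() {
    id=$(user_secrets_id "$1")
    case "$id" in
        ''|*/*|*..*)   # missing id, or an id that would leave the usersecrets directory
            echo "no usable UserSecretsId in $1" >&2
            return 1 ;;
    esac
    printf '%s/.microsoft/usersecrets/%s/secrets.json\n' "$HOME" "$id"
}

# Return 0 only if the file has no group/other permission bits set.
owner_only() {
    # GNU stat first, BSD/macOS stat as fallback; both print an octal mode such as 600.
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 1
    [ -n "$mode" ] || return 1
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# Report on the secrets file of one project: 0 = fine, 1 = too permissive, 2 = no id.
audit_project() {
    path=$(secrets_path "$1") || return 2
    if [ ! -f "$path" ]; then
        echo "no secrets stored yet: $path"
        return 0
    fi
    if owner_only "$path"; then
        echo "ok: $path is owner-only"
    else
        echo "WARN: $path is accessible to group/other; consider: chmod 600 \"$path\""
        return 1
    fi
}

# Usage: sh audit-secrets.sh ./user-secrets.csproj
[ "$#" -eq 0 ] || audit_project "$1"
```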

The Microsoft.Extensions.Configuration.UserSecrets package extends ConfigurationBuilder with an AddUserSecrets extension method. If you want to access user secrets through the configuration, you only need to call builder.AddUserSecrets().

    if (env.IsDevelopment())
    {
        // Searches the assembly containing the Startup type and adds the user secrets configuration source.
        // Startup can be replaced by another type in another assembly.
        builder.AddUserSecrets<Startup>();
    }

Or simply specify the UserSecretsId directly

    if (env.IsDevelopment())
    {
        builder.AddUserSecrets("UserSecretsId");
    }

You can then access the user secret with Configuration["NameOfSecret"].

Project Practice

The following is demonstrated by a console program.

  1. mkdir user-secrets && cd user-secrets # Create a new directory

  2. dotnet new console # Create a console app

  3. dotnet restore # Restore packages

  4. dotnet add package Microsoft.Extensions.Configuration.UserSecrets -v 1.1.2 # Install the package

  5. code . # Open with Visual Studio Code

  6. Add UserSecretsId to user-secrets.csproj

    <PropertyGroup><UserSecretsId>3bf2d901-89b9-437d-8856-cca63d4606f7</UserSecretsId></PropertyGroup>

    and the Secret Manager tool package

    <ItemGroup><DotNetCliToolReference Include="Microsoft.Extensions.SecretManager.Tools" Version="1.0.1" /></ItemGroup>

  7. dotnet user-secrets set AppKey 12345 # Add a secret named AppKey

  8. Detecting the development environment requires reading an environment variable, so you need to install one more package
    dotnet add package Microsoft.Extensions.Configuration.EnvironmentVariables -v 1.1.2

  9. Open Program.cs and add the following code

    using System;
    using Microsoft.Extensions.Configuration;

    class Program
    {
        public static IConfigurationRoot Configuration { get; set; }

        static void Main(string[] args)
        {
            // Environment variables are always loaded.
            var builder = new ConfigurationBuilder()
                .AddEnvironmentVariables();

            // User secrets are added only in the development environment.
            var environment = Environment.GetEnvironmentVariable("ASPNETCORE_ENVIRONMENT");
            if (string.Equals(environment, "Development", StringComparison.OrdinalIgnoreCase))
            {
                builder.AddUserSecrets<Program>();
            }

            Configuration = builder.Build();
            Console.WriteLine(Configuration["AppKey"]);
        }
    }

  10. Run
    ASPNETCORE_ENVIRONMENT=Development dotnet run
    or
    export ASPNETCORE_ENVIRONMENT=Development
    dotnet run

ASP.NET Core works in a similar way, so it is not demonstrated here.


