ASP.NET - Secrets Management in ASP.NET (Using Azure Key Vault and Other Tools)

Secrets management is a critical aspect of building secure ASP.NET applications. “Secrets” refer to sensitive data such as database connection strings, API keys, encryption keys, OAuth tokens, and certificates. Improper handling of these secrets can lead to serious security vulnerabilities, including data breaches and unauthorized access.

What is Sec

Chapters

rets Management?

Secrets management is the practice of securely storing, accessing, and controlling sensitive information used by applications. Instead of hardcoding secrets into configuration files or source code, modern applications use secure storage systems that provide controlled access and auditing.

Why Secrets Management is Important

Hardcoding secrets in files like appsettings.json or environment variables can expose them through:

  • Source code repositories (especially public ones)

  • Accidental logging

  • Unauthorized access to servers

A proper secrets management system ensures:

  • Secrets are encrypted at rest and in transit

  • Access is controlled via authentication and authorization

  • Secrets can be rotated without redeploying the application

  • Usage is monitored and audited

Common Approaches to Secrets Management in ASP.NET

1. Environment Variables

Secrets can be stored as environment variables on the host machine. ASP.NET Core supports reading these automatically.

Limitations:

  • Difficult to manage at scale

  • No built-in rotation or auditing

  • Risk of exposure on shared systems

2. User Secrets (Development Only)

ASP.NET Core provides a local secrets storage mechanism for development using the dotnet user-secrets tool.

Key features:

  • Stores secrets outside the project directory

  • Not committed to source control

  • Intended only for development environments

3. Azure Key Vault (Enterprise-Grade Solution)

Microsoft offers Azure Key Vault, a secure cloud service designed specifically for managing secrets, keys, and certificates.

What is Azure Key Vault?

Azure Key Vault is a centralized service that allows applications to securely store and access:

  • Secrets (passwords, API keys)

  • Cryptographic keys

  • SSL/TLS certificates

It integrates seamlessly with ASP.NET Core applications and provides enterprise-level security features.

Key Features of Azure Key Vault

  1. Centralized Secret Storage
    All secrets are stored in one secure location rather than scattered across multiple files or systems.

  2. Strong Access Control
    Uses Azure Active Directory (AAD) for authentication and role-based access control.

  3. Encryption
    Secrets are encrypted both at rest and in transit.

  4. Secret Versioning
    Multiple versions of a secret can exist, enabling safe updates and rollbacks.

  5. Automatic Rotation
    Secrets can be rotated periodically without downtime.

  6. Auditing and Monitoring
    Every access is logged for security and compliance purposes.

How to Use Azure Key Vault in ASP.NET Core

Step 1: Create a Key Vault

  • Create a Key Vault instance in Azure

  • Add secrets (e.g., connection strings, API keys)

Step 2: Authenticate the Application

Use one of the following:

  • Managed Identity (recommended for Azure-hosted apps)

  • Client ID and Secret (for external apps)

Step 3: Install Required Package

Add the Key Vault configuration provider:

Microsoft.Extensions.Configuration.AzureKeyVault

Step 4: Configure in Program.cs

Example:

builder.Configuration.AddAzureKeyVault(
    new Uri("https://your-keyvault-name.vault.azure.net/"),
    new DefaultAzureCredential());

Step 5: Access Secrets

Secrets can now be accessed like regular configuration values:

var connectionString = builder.Configuration["MyDbConnection"];

Managed Identity (Recommended Approach)

Managed Identity allows your ASP.NET application to authenticate with Azure services without storing credentials in code.

Benefits:

  • No secrets stored in application code

  • Automatic credential management

  • More secure than client secrets

Best Practices for Secrets Management

  1. Never store secrets in source code

  2. Use separate vaults for development, staging, and production

  3. Enable logging and monitoring for secret access

  4. Rotate secrets regularly

  5. Apply least-privilege access control

  6. Use managed identities whenever possible

  7. Avoid exposing secrets in logs or error messages

Alternatives to Azure Key Vault

While Azure Key Vault is widely used, other tools include:

  • AWS Secrets Manager

  • HashiCorp Vault

  • Google Secret Manager

These provide similar features but are tied to different cloud ecosystems.

Real-World Use Case

Consider an ASP.NET Core API that connects to a database and external payment gateway:

  • Database connection string stored in Key Vault

  • Payment API key stored securely

  • Application retrieves secrets at runtime

  • If a key is compromised, it can be rotated without redeploying the app

Conclusion

Secrets management is essential for building secure and scalable ASP.NET applications. Using a service like Azure Key Vault ensures that sensitive data is protected, centrally managed, and easily maintainable. As applications grow and move to the cloud, adopting proper secrets management practices becomes not just recommended, but necessary.