Encrypted configuration in ASP.NET Core

asp.net-mvc asp.net-core asp.net-core-mvc .net-core
Ovi picture Ovi · Mar 17, 2016 · Viewed 48.9k times · Source

With web.config going away, what is the preferred way to store sensitive info (passwords, tokens) in the configurations of a web app built using ASP.NET Core?

Is there a way to automatically get encrypted configuration sections in appsettings.json?

Answer

Luca Ghersi picture Luca Ghersi · Mar 17, 2016

User secrets looks like a good solution for storing passwords, and, generally, application secrets, at least during development.

Check the official Microsoft documentation. You can also review this other SO question.

This is just a way to "hide" your secrets during development process and to avoid disclosing them into the source tree; the Secret Manager tool does not encrypt the stored secrets and should not be treated as a trusted store.

If you want to bring an encrypted appsettings.json to production, you can do so by building a custom configuration provider.

For example:

public class CustomConfigProvider : ConfigurationProvider, IConfigurationSource
{
    public CustomConfigProvider()
    {
    }

    public override void Load()
    {
        Data = UnencryptMyConfiguration();
    }

    private IDictionary<string, string> UnencryptMyConfiguration()
    {
        // do whatever you need to do here, for example load the file and unencrypt key by key
        //Like:
       var configValues = new Dictionary<string, string>
       {
            {"key1", "unencryptedValue1"},
            {"key2", "unencryptedValue2"}
       };
       return configValues;
    }

    private IDictionary<string, string> CreateAndSaveDefaultValues(IDictionary<string, string> defaultDictionary)
    {
        var configValues = new Dictionary<string, string>
        {
            {"key1", "encryptedValue1"},
            {"key2", "encryptedValue2"}
        };
        return configValues;                
    }

    public IConfigurationProvider Build(IConfigurationBuilder builder)
    {
       return new CustomConfigProvider();
    }
}

Define a static class for your extension method:

public static class CustomConfigProviderExtensions
{              
        public static IConfigurationBuilder AddEncryptedProvider(this IConfigurationBuilder builder)
        {
            return builder.Add(new CustomConfigProvider());
        }
}

And then you can activate it:

// Set up configuration sources.
var builder = new ConfigurationBuilder()
    .AddJsonFile("appsettings.json")
    .AddEncryptedProvider()
    .AddJsonFile($"appsettings.{env.EnvironmentName}.json", optional: true);

Related questions

ASP.NET Core MVC: setting expiration of identity cookie

In my ASP.NET Core MVC app the lifetime of the authentication cookie is set to 'Session', so it lasts until I close the browser. I use the default authentication scheme for MVC: app.UseIdentity(); How can I extend the …

Read More
Radio Button Tag Helpers in ASP.NET 5 MVC 6

I don't see any tag helpers for radio buttons in ASP.NET 5 MVC 6. What's the right way of handling form elements where I need to use radio buttons?

Read More
What is the equivalent of Server.MapPath in ASP.NET Core?

I have this line in some code I want to copy into my controller, but the compiler complains that The name 'Server' does not exist in the current context var UploadPath = Server.MapPath("~/App_Data/uploads") How can I achieve …

Read More