Learn the best practices to handle secrets in .NET applications using environment variables, user secrets, configuration files, and Azure Key Vault. Keep your credentials safe and your architecture clean.
🔐 How to Store Secrets Securely in .NET
When building .NET applications, you’ll often need to handle secrets like API keys, connection strings, or credentials. Storing these securely is essential to prevent accidental exposure or security breaches.
In this guide, we’ll explore the main methods for managing secrets in .NET:
- Configuration sources in .NET
- When to use each method
- Security best practices
- Practical examples using
IOptions<T> - Managing secrets across environments (Dev, QA, Prod)
📁 1. appsettings.json
Best suited for general, non-sensitive configuration.
{
"ApiSettings": {
"BaseUrl": "https://api.mysite.com",
"Timeout": 30
}
}
`
Access with:
csharp
var timeout = configuration["ApiSettings:Timeout"];
Or using IOptions<T> for cleaner code:
csharp
public class ApiSettings
{
public string BaseUrl { get; set; }
public int Timeout { get; set; }
}
In Program.cs:
csharp
builder.Services.Configure<ApiSettings>(
builder.Configuration.GetSection("ApiSettings"));
Then inject:
`csharp
public class MyService
{
private readonly ApiSettings _apiSettings;
public MyService(IOptions<ApiSettings> options)
{
_apiSettings = options.Value;
}
public void CallApi()
{
var url = _apiSettings.BaseUrl;
var timeout = _apiSettings.Timeout;
// Use them
}
}
`
🧑💻 2. User Secrets (Development Only)
Ideal for local development without hardcoding credentials.
- Add a
UserSecretsIdto your.csproj:
xml
<PropertyGroup>
<UserSecretsId>your-app-guid</UserSecretsId>
</PropertyGroup>
- Set a secret:
bash
dotnet user-secrets set "ApiSettings:ApiKey" "super-secret"
Stored safely in OS-specific locations.
🌍 3. Environment Variables
Best for production and CI/CD pipelines.
bash
export ApiSettings__ApiKey="prod-secret-key"
.NET reads these automatically. The __ maps to nested keys.
☁️ 4. Azure Key Vault
Enterprise-grade storage with encryption and access controls.
Add the package:
bash
dotnet add package Azure.Extensions.AspNetCore.Configuration.Secrets
Then:
csharp
builder.Configuration.AddAzureKeyVault(
new Uri("https://myvault.vault.azure.net/"),
new DefaultAzureCredential()
);
Use Managed Identity for secure access.
🌐 5. Environment-Specific Config Files
.NET supports loading config per environment:
appsettings.jsonappsettings.Development.jsonappsettings.Production.json
Set the environment:
bash
export ASPNETCORE_ENVIRONMENT=Development
.NET merges them automatically.
📊 Configuration Precedence
From lowest to highest priority:
appsettings.jsonappsettings.{Env}.json- User Secrets
- Environment Variables
- Command-line arguments
- Hardcoded values
✅ Best Practices
- Use
IOptions<T>for maintainability - Never commit secrets
- Use environment variables or Key Vault for production
- Add
secrets.jsonto.gitignore - Leverage
ASPNETCORE_ENVIRONMENT - Consider Vaults or secret managers for scale
📚 References
🏁 Conclusion
| Scenario | Recommended Method |
|---|---|
| Local Dev | User Secrets |
| CI/CD or QA | Environment Variables |
| Production | Env Vars + Azure Key Vault |
| General config | AppSettings + IOptions |
Use the right tool in the right context to avoid leaks and ensure your app is robust and secure.
Top comments (0)