Gabriel S.

Reputation: 1347

Best practices for storing sensitive information in source code

I'm curious if there are any recommendations for storing some sensitive information in source code. To make myself clear from the beginning, I'm not talking about user passwords, credit card numbers, and so on; I'm talking about API access keys, client secrets and other such data that are not directly related to the users of the application but rather to the application authenticating itself to various components or third-party services (think also of the database connection string in web.config files).

What I'm looking for is a way to hide, if possible, plaintext occurrences of this sensitive information (which are most often character strings) preferably both in the source files (avoid somehow hardcoding them) and in the output binaries. For binaries I know there's the "solution" of obfuscation; for sources however, I can't think of a straightforward one. Ideally, the solution should be as source-control-friendly as possible, allowing authorized developers to simply check out the code and build it without additional steps.

If you have any suggestions regarding this, I'd be more than willing to hear them.

Upvotes: 3

Views: 1608

Answers (2)

Gabriel S.

Reputation: 1347

The solution I eventually chose was to move all the sensitive strings inside a web.config file (or app.config), then encrypt the sensitive sections of it. I then let the operating system and the ASP.NET runtime handle encryption/decryption. Not perfect (after all you do need to have the original app/web.config file holding the plaintext data - but at least it doesn't have to be on the production machine), but quite convenient.

Upvotes: 0
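The approach in the answer above, sketched as a small deployment-time tool for an app.config. This is an added example, not code from the original post; the `ConfigProtector` name and the list of sections to protect are assumptions.

```csharp
// Added example: encrypts sensitive sections of a deployed <exe>.config in place.
// Requires a reference to System.Configuration (.NET Framework).
using System;
using System.Configuration;

static class ConfigProtector
{
    // Built-in DPAPI provider. The key is bound to the machine, so run this ON the
    // target machine; a file encrypted elsewhere cannot be decrypted there.
    // For web farms, RsaProtectedConfigurationProvider with an exported key
    // container is the usual alternative.
    const string Provider = "DataProtectionConfigurationProvider";

    // Assumption: these are the sections holding secrets in your application.
    static readonly string[] SensitiveSections = { "connectionStrings", "appSettings" };

    static int Main(string[] args)
    {
        if (args.Length != 1)
        {
            Console.Error.WriteLine("usage: ConfigProtector <path-to-exe>");
            return 2;
        }

        // Opens <path-to-exe>.config next to the executable.
        Configuration config = ConfigurationManager.OpenExeConfiguration(args[0]);
        bool changed = false;

        foreach (string name in SensitiveSections)
        {
            ConfigurationSection section = config.GetSection(name);
            if (section == null) { Console.WriteLine(name + ": not present, skipped"); continue; }

            SectionInformation info = section.SectionInformation;
            if (info.IsProtected) { Console.WriteLine(name + ": already encrypted"); continue; }
            if (info.IsLocked) { Console.WriteLine(name + ": locked, cannot encrypt"); continue; }

            info.ProtectSection(Provider);   // replaces the section body with <EncryptedData>
            info.ForceSave = true;           // write it even if no values changed
            changed = true;
            Console.WriteLine(name + ": encrypted");
        }

        if (changed) config.Save(ConfigurationSaveMode.Modified);
        return 0;
    }
}
```

The application itself needs no changes: `ConfigurationManager.ConnectionStrings` and `AppSettings` decrypt transparently at read time. For a web.config, `aspnet_regiis -pe "connectionStrings" -app "/YourApp"` (virtual path is a placeholder) performs the same operation.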

Kapil Khandelwal

Reputation: 16144

You can encrypt your keys and store them in XML.

The application can decrypt them and use them.

Refer:

Encrypt/Decrypt string in .NET

Also, you can use encoding, which is at least better than having plain text.

Refer:

Encode and Decode

Upvotes: 1
