lucas

Reputation: 4685

Securely storing sensitive config data such as a connection string

What are the best ways to store and use sensitive config information such as a connection string? I used to store those in either app.config or web.config, and now in config.json, as plain text. This is not secure, especially when checking those files into publicly available source control. What are the most secure ways to store that type of data and use it within an app?

Upvotes: 0

Views: 288

Answers (2)

lucas

Reputation: 4685

After a few things I have tried, the best solution I found is to use environment variables on a Windows system. Not sure how that will work once I deploy to Azure, but for now it is working as expected. In my ASP.NET Core app, in Startup.cs, I add AddEnvironmentVariables:

    public Startup(IHostingEnvironment appEnv)
    {
        var builder = new ConfigurationBuilder()
            .SetBasePath(appEnv.ContentRootPath)
            .AddJsonFile("config.json")
            .AddEnvironmentVariables();

        Configuration = builder.Build();
    }

Here is the connection string:

[image]

To consume it:

    string connStr = Startup.Configuration["Data:WorldContextConnection"];

In that case I can check every single file into GitHub; the only thing is that I would always need to add those environment variables to whatever system I will be working on.

Upvotes: 1
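
The override order described in this answer, as an added example that is not part of the original post: a committed config.json carries only a placeholder, the environment variable supplies the real value, and startup fails if the secret is missing. It assumes the Microsoft.Extensions.Configuration.Json and Microsoft.Extensions.Configuration.EnvironmentVariables packages; the class name, placeholder text, and sample connection string are constructed for illustration.

```csharp
using System;
using System.IO;
using System.Text;
using Microsoft.Extensions.Configuration;

public static class SecretConfigDemo
{
    // Configuration key used in the answer above.
    const string Key = "Data:WorldContextConnection";
    // Constructed placeholder that is safe to commit in config.json.
    const string Placeholder = "<set-via-environment>";

    public static IConfigurationRoot Build(string json)
    {
        var stream = new MemoryStream(Encoding.UTF8.GetBytes(json));
        return new ConfigurationBuilder()
            .AddJsonStream(stream)       // stands in for AddJsonFile("config.json")
            .AddEnvironmentVariables()   // registered last, so it overrides the JSON value
            .Build();
    }

    // Fail at startup instead of running with a missing or placeholder value.
    public static string RequireConnectionString(IConfiguration config)
    {
        var value = config[Key];
        if (string.IsNullOrWhiteSpace(value) || value == Placeholder)
            throw new InvalidOperationException(
                $"'{Key}' is not set. Define the environment variable Data__WorldContextConnection.");
        return value;
    }

    public static void Main()
    {
        // Constructed sample of a committed config.json: it contains no secret.
        var json = "{ \"Data\": { \"WorldContextConnection\": \"" + Placeholder + "\" } }";

        try { RequireConnectionString(Build(json)); }
        catch (InvalidOperationException ex) { Console.WriteLine("Without env var: " + ex.Message); }

        // Constructed value, set in-process only for the demo; normally set outside the app.
        // The environment variable provider maps "__" in the name to ":" in the key.
        Environment.SetEnvironmentVariable("Data__WorldContextConnection",
            "Server=db.example;Database=World;User Id=app;Password=example");

        var connStr = RequireConnectionString(Build(json));
        // Log that a value was loaded, never the value itself.
        Console.WriteLine($"With env var: loaded {Key} ({connStr.Length} chars)");
    }
}
```

The double-underscore form of the variable name works on platforms where a colon is not allowed in environment variable names.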

Wayne Werner

Reputation: 51787

> especially when checking those files into publicly available source control.

Don't do that.

That's exactly the point of putting your secret settings inside a config file, because you don't want to share them with the world. It's totally fine to have them in files on the machine - one would expect that people using your software have secured their machine to a certain point.

If you can't trust your users, then you need to store the config on your machine, and give your users an access token (say a username and password, or OAuth token) that they can use to talk to you, and then you keep the configs safe and secret.

Upvotes: 1
