Correct way to securely store Azure blob storage access key in C# app

Question

I am building a c# app (WPF) which uploads log files to an azure blob storage. I store the StorageConnectionString inside the App.config file like this:

<appSettings>
    <add key="StorageConnectionString" value="DefaultEndpointsProtocol=https;AccountName=<my account name>;AccountKey=<my account key>;EndpointSuffix=core.windows.net" />
</appSettings>

In my code I retrieve the StorageConnectionString like this:

string connectionString = ConfigurationManager.AppSettings.Get("StorageConnectionString");

Everything works fine so far, but I am worried about the clearly visible StorageConnectionString inside the App.config file.

How can I secure my app that its not possible with reverse engineering to get the StorageConnectionString?

Answer 1

Your application should not be using Shared Keys. Storage account keys grant full access to your storage account. A better approach is to use Shared Access Signatures in your application with Azure AD.

A full overview can be found here:

https://learn.microsoft.com/en-us/azure/storage/common/storage-sas-overview

While Microsoft recommends using Azure AD with SAS to authorize requests to Azure Storage. If you must use Shared Key authorization, then secure your account keys with Azure Key Vault. You can retrieve the keys from the key vault at runtime, instead of saving them with your application. For more information about Azure Key Vault, see Azure Key Vault overview.

All our security recommendations can be found here:

https://learn.microsoft.com/en-us/azure/storage/blobs/security-recommendations

Answer 2

To securely store your Storage Account access key in C# application, you can use either of the below options:

1. Store the Storage Account Key as an environment variable
2. Use Azure AD Authentication for your blob storage instead of access key