Home > Back-end >  What is the .env file equivalent for handling secrets in C#?
What is the .env file equivalent for handling secrets in C#?

Time:10-13

I use .env files in my node.js code to handles secrets in my dev environment configuration. I add .env to my project's .gitignore, to prevent secrets be committed to the git repository.

I found node.js's .env approach quite simple and productive.

What the equivalent of .env files in C#?

With this question I am not looking for a library to do the same in C# like (https://github.com/tonerdo/dotnet-env)

I like to know the c# way of handling the same thing with an emphasis on not committing secrets in config files to git repositories.

This is not an Azure question, so Azure Key Vault Azure App Services are out of scope here.

CodePudding user response:

If you are taking about .Net applications, then you could use User secrets in your local. This will not be checked in as the file is not part of the solution and no need to even keep it in gitignore

Usage : In Visual Studio, right-click the project in Solution Explorer, and select Manage User Secrets from the context menu.

Refer https://learn.microsoft.com/en-us/aspnet/core/security/app-secrets?view=aspnetcore-6.0&tabs=windows for more details

CodePudding user response:

I'll give you what I consider a solid answer, but at the same time acknowledging that there are other options.

What dotenv does is basically create environment variables for the NodeJS process. Then those are accessed through process.env. That's all.

If you want the equivalent in C#, that's already available out of the .Net Configuration box.

Speaking in terms of ASP.net, it comes with pre-defined configuration sources. One of them is the non-prefixed environment variables source. This one picks up data from environment variables that follow a standardized name convention.

Say you have appsettings.json like this:

{
    "SecretSection": {
        "Username": "myUsername",
        "Password": "CatOnKeyboard"
    }

If you were to have that JSON config file, you probably have a class declared in C# (named, say, MySecretSection) with the properties Username and Password that you configure in your services like this:

var cfgSection = builder.Configuration.GetSection("SecretSection");
builder.Services.Configure<MySecretSection>(cfgSection);

This would allow you to obtain access to the section's data using the Options pattern:

public class SomeService
{
    public SomeService(IOptions<MySecretSection> secretOptions)
    {
        // Now you can use the username and password:
        var opts = secretOptions.Value;
        System.Diagnostics.Debug.Print($"{opts.Username} : {opts.Password}");
    }
}

Ok, but the secret data definitely should not be there, in appsettings.json, exposed to the public.

If you want, you can do what dotenv does and simply create environment variables for each of the secrets.

  1. SECRETSECTION__USERNAME with a value of myUsername.
  2. SECRETSECTION__PASSWORD with a value of CatOnKeyboard.

And that's it. Asp.Net will automatically pick up those environment variables that, according to the naming convention, represent the hierarchical key SecretSection:Username and SecretSection:Password.

  •  Tags:  
  • c#
  • Related