DEV Community

Cover image for Using dotnet secrets
Gustav Ehrenborg
Gustav Ehrenborg

Posted on • Updated on

Using dotnet secrets

Instead of putting secret environment variables in the appsetting.json file, the dotnet CLI has functionality to add secrets to a project, without keeping them in the project folder.

This will decrease the risk of leaking the secrets, for example by adding them to a commit by mistake.

This link leads to Microsoft's own documentation.

The cheatsheet

dotnet user-secrets --help # See available commands

dotnet user-secrets init # Initiate secrets

dotnet user-secrets set "MY_API_KEY" "xyz" # Set a secret

dotnet user-secrets set "SOME_API.MY_API_KEY" "xyz" # Set a nested secret

cat secrets.json | dotnet user-secrets set # Set all secrets in a json file

dotnet user-secrets list # List the secrets

dotnet user-secrets clear # Delete all secrets in the project
Enter fullscreen mode Exit fullscreen mode

The walkthrough

Initiating

The dotnet user-secrets init command enables storage of secrets. It adds a line with a GUID in the .csproj file. This GUID is used to identify which secrets belong to which project. The command only needs to be run once for every project, if you are sharing your code with other people, they don't need to rerun it.

<UserSecretsId>71ad533a-ed09-4780-9037-a5aafb01958b</UserSecretsId>
Enter fullscreen mode Exit fullscreen mode

The command also creates a folder in ~/.microsoft/usersecrets (on a Mac), with a file contaning the secrets in json format.

~/.microsoft/usersecrets
|
└───71ad533a-ed09-4780-9037-a5aafb01958b
│   └──secrets.json
|
└───<some-other-GUID>
    └──secrets.json

Enter fullscreen mode Exit fullscreen mode

The secrets are saved in plain text in this json file.

Setting secrets

dotnet user-secrets set "MY_API_KEY" "xyz"
dotnet user-secrets set "SOME_API.MY_API_KEY" "xyz"
Enter fullscreen mode Exit fullscreen mode

The commands above are self explanatory and the resulting secrets.json file will look like this:

{
  "MY_API_KEY": "xyz",
  "SOME_API.MY_API_KEY": "xyz"
}
Enter fullscreen mode Exit fullscreen mode

If you are given secrets in the same format as above, these can be imported all at once with the command:

$ cat secrets.json | dotnet user-secrets set
Successfully saved 2 secrets to the secret store.
Enter fullscreen mode Exit fullscreen mode

Top comments (3)

Collapse
 
aminmansuri profile image
hidden_dude

So how is this different from just creating a plaintext file and putting it inside some specialized folder?

What makes it more secure?

Collapse
 
gutsav profile image
Gustav Ehrenborg

Since the secrets are not in the project directory anymore, it's more difficult to accidently share them. Zipping the project will, for example, no longer contain the secrets. Accidently adding them to a commit will be very difficult as well.

However, the secrets are still in plain text, but it's a standard way of "putting it inside some specialized folder" :)

Collapse
 
aminmansuri profile image
hidden_dude

I'm wondering if there's a way to store it in the TMP 2.0 module