Nearly all the applications require sensitive information like database connection strings, username, passwords, API secret keys and many more. Storing them in clear plain text is a risky business, predominantly if your application deals with financial data or any other kind of sensitive information.
This kind of information is added in the web.config or app.config files of the .NET application. With the help of Azure Key Vault, we can securely pass credentials to the web.config file. Azure key vault is a very handy tool by Microsoft Azure. You can use it to avoid storing the secret strings in your code subsequently decreasing the chance of those keys being compromised.
Note: For this tutorial, I am assuming, you have your web application ready using .NET Framework 4.7.1 and later. Moreover, it is deployed on Azure.
In this tutorial, we will secure the credentials without changing the C# code.
Before beginning, just make sure you have the following:
- Azure subscription (if not, create your free account)
- Visual Studio
Create Key Vault Instance
Creating a key vault instance is a pretty easy process.
First, log in to your portal. You can see a screen as below, select Create a Resource.
Now in the search box type Key Vault and hit Enter. On the Key Vault section now choose Create.
On the Create key vault section provide the following information:
- Name: Provide a unique name for your key vault.
- Subscription: Choose your required subscription.
- Under Resource Group, select your previously created resource or choose to create a new one and enter a resource group name.
- In the Location pull-down menu, choose a location.
- Leave the other options to their defaults.
After providing all the required information, choose Review+Create
Now, once the key vault is created, you will need to define your secrets in the key vault so that you can access them through your codes.
Select Secrets from the left side of the navigation and click on Generate/Import.
On the Create a secret screen fill in the following values:
- Upload options: Manual.
- Name: Type a name for the secret. The secret name must be unique within a Key Vault. The name must be the same name as the web.config file which we are replacing in the code. For instance, if you have DBConnectionString in your web.config file, then the secret will have the same name and same value in the key vault.
- Value: Type a value for the secret. Key Vault APIs accept and return secret values as strings.
- Leave the other values to their defaults. Click Create.
Grant permission to your Web application to access the secrets in the Azure Key vault
Now, before actually writing the code, your application must be authenticated against the key vault. This will allow your web application to have its own identity in Azure Active Directory and this way it will be able to authenticate itself with that identity to access the key vault. The advantage of this method is that to connect to the key vault you will only have to pass the name of your key vault instance in your code. This way, there will be no sensitive data in code, since you will not need any credentials to connect to the key vault as well.
Now to set up the access of your application to the key vault, go to your Azure portal, and open the key vault instance created in the previous step.
Now, select the Access Policies blade from the left side navigation menu. Then choose + Add access policies to navigate to the following screen.
On Add Access Policy screen fill in the following details:
- Configure from template: Select Secret Management.
- Key Permissions: Select Get and List permissions.
- Secret Permissions: Select Get and List permissions.
- Certificate Permissions: Select Get and List permissions.
- Select Principal: Click on the None Selected. A new window pops up on the right side of the screen. Search for your application and Select it.
- Leave the Authorized application blank.
Once all the details are filled click Add. Your application will be added to the key vault and save all the changes made.
Integrate Key Vault in Code
Now to integrate the key vault into your code let’s move to Visual Studio. Make sure, you are logged into your Visual Studio with the same account as your Azure subscription used for the key vault.
Now if you are using the right version of the project your project can automatically detect to configure the key vault. Otherwise, just follow the below steps:
- In the Solution Explorer, right-click on your project to add the Key Vault support, and select Add > Connected Service > Add. The Connected Service page appears with services you can add to your project. If your project has detected the key vault then select Configure, and skip the next step.
- In the menu of available services, choose Azure Key Vault and click Next.
- Select the subscription you want to use, and then choose an existing Key Vault and click Finish.
Once the key vault is configured, just make sure that a few of the packages are installed. To check that, in the Solution Explorer, right-click on your project, and select Manage Nuget Packages. In the browse tab search for the following packages. If they are not installed, then install them.
Open your web.config file and write the following code.
Version=184.108.40.206, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a” restartOnExternalChanges=”false”
type=”System.Data.Entity.Internal. ConfigFile.EntityFrameworkSection, EntityFramework,
Version=220.127.116.11, Culture=neutral, PublicKeyToken=b77a5c561934e089″
type=”Microsoft.Configuration.ConfigurationBuilders.EnvironmentConfigBuilder, Microsoft.Configuration.ConfigurationBuilders.Environment, Version=18.104.22.168,
You will also have to modify your appSettings tag. Find the appSettings tag, add an attribute configBuilders=” AzureKeyVault”, and add a line:
<add key=”<secretNameInYourKeyVault>” value=”******”/>
Now, you are good to go. Run your code and debug it. Once everything is running smoothly, publish the code on Azure.