How To Securely Pass Credentials In ASP.NET Applications


Nearly every application needs sensitive information such as database connection strings, usernames, passwords, API secret keys and more. Storing these in plain text is risky, particularly if your application deals with financial data or any other kind of sensitive information.

In a .NET application, this kind of information is usually added to the web.config or app.config file. With the help of Azure Key Vault, we can securely pass credentials to the web.config file. Azure Key Vault is a very handy Microsoft Azure service: it lets you avoid storing secret strings in your code, which reduces the chance of those keys being compromised.

Note: This tutorial assumes that your web application is ready, uses .NET Framework 4.7.1 or later, and is deployed on Azure.

In this tutorial, we will secure the credentials without changing the C# code.

Requirements

Before beginning, just make sure you have the following:

  • Azure subscription (if not, create your free account)
  • Visual Studio

Create Key Vault Instance

First, log in to your Azure portal and select Create a Resource.

Now type Key Vault in the search box and hit Enter. In the Key Vault section, choose Create.

In the Create key vault section, provide the following information:

  1. Name: Provide a unique name for your key vault.
  2. Subscription: Choose your required subscription.
  3. Resource Group: Select a previously created resource group, or choose to create a new one and enter a resource group name.
  4. In the Location pull-down menu, choose a location.
  5. Leave the other options to their defaults.

After providing all the required information, choose Review + Create.

Create Secrets

Once the key vault is created, you need to define your secrets in it so that you can access them from your code.

Select Secrets from the left side of the navigation and click on Generate/Import.

On the Create a secret screen, fill in the following values:

  1. Upload options: Manual.
  2. Name: Type a name for the secret. The secret name must be unique within a Key Vault, and it must match the name of the web.config setting whose value we are replacing. For instance, if you have DBConnectionString in your web.config file, then the secret must have the same name and the same value in the key vault.
  3. Value: Type a value for the secret. Key Vault APIs accept and return secret values as strings.
  4. Leave the other values to their defaults. Click Create.

Grant Your Web Application Permission to Access the Secrets in Azure Key Vault

Before actually writing any code, your application must be able to authenticate against the key vault. To do this, the web application gets its own identity in Azure Active Directory and authenticates with that identity to access the key vault. The advantage of this method is that, to connect to the key vault, you only have to pass the name of your key vault instance in your code. This way there is no sensitive data in the code, since you do not need any credentials to connect to the key vault either.

To set up your application's access to the key vault, go to your Azure portal and open the key vault instance created in the previous step.

Select the Access Policies blade from the left side navigation menu. Then choose + Add access policies to open the Add Access Policy screen.

On the Add Access Policy screen, fill in the following details:

  1. Configure from template: Select Secret Management.
  2. Key Permissions: Select Get and List permissions.
  3. Secret Permissions: Select Get and List permissions.
  4. Certificate Permissions: Select Get and List permissions.
  5. Select Principal: Click None Selected. A new window pops up on the right side of the screen. Search for your application and select it.
  6. Leave the Authorized application blank.

Once all the details are filled in, click Add. Your application is added to the key vault. Save all the changes made.

Integrate Key Vault in Code:

To integrate the key vault into your code, let's move to Visual Studio. Make sure you are logged in to Visual Studio with the same account as the Azure subscription used for the key vault.

If you are using the right version of the project, it can detect and configure the key vault automatically. Otherwise, follow the steps below:

  1. In the Solution Explorer, right-click the project to which you want to add Key Vault support, and select Add > Connected Service > Add. The Connected Service page appears with the services you can add to your project. If your project has detected the key vault, select Configure and skip the next step.
  2. In the menu of available services, choose Azure Key Vault and click Next.
  3. Select the subscription you want to use, and then choose an existing Key Vault and click Finish.

Once the key vault is configured, make sure that the following packages are installed. To check, right-click on your project in the Solution Explorer and select Manage NuGet Packages. In the Browse tab, search for the following packages and install any that are missing.

  • Azure.Identity
  • Azure.Security.KeyVault.Secrets
  • Microsoft.Extensions.Configuration.AzureKeyVault
  • Microsoft.Configuration.ConfigurationBuilders.Azure

Open your web.config file and write the following code.

<configSections>
  <!-- Registers the configBuilders section used below -->
  <section name="configBuilders"
           type="System.Configuration.ConfigurationBuildersSection, System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
           restartOnExternalChanges="false"
           requirePermission="false" />
  <section name="entityFramework"
           type="System.Data.Entity.Internal.ConfigFile.EntityFrameworkSection, EntityFramework, Version=6.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
           requirePermission="false" />
</configSections>

<configBuilders>
  <builders>
    <add name="Environment"
         type="Microsoft.Configuration.ConfigurationBuilders.EnvironmentConfigBuilder, Microsoft.Configuration.ConfigurationBuilders.Environment, Version=2.0.0.0, Culture=neutral" />
    <!-- Replace {YOUR_VAULT_NAME} with the name of your key vault -->
    <add name="AzureKeyVault"
         vaultName="{YOUR_VAULT_NAME}"
         type="Microsoft.Configuration.ConfigurationBuilders.AzureKeyVaultConfigBuilder, Microsoft.Configuration.ConfigurationBuilders.Azure, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
         vaultUri="https://{YOUR_VAULT_NAME}.vault.azure.net" />
  </builders>
</configBuilders>

You will also have to modify your appSettings tag. Find the appSettings tag, add the attribute configBuilders="AzureKeyVault", and add a line:

<add key="{secretNameInYourKeyVault}" value="******" />

Now, you are good to go. Run your code and debug it. Once everything is running smoothly, publish the code on Azure.
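A pre-publish check for the configuration described above, as an added example that is not part of the original tutorial: it parses a web.config and reports builders that are referenced but not defined, sensitive-looking keys that still carry a literal value, and placeholder keys that cannot match a Key Vault secret name. The function name audit_web_config, the keyword heuristic and the sample file are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Key Vault secret names: 1-127 characters, letters, digits and dashes only.
SECRET_NAME = re.compile(r"^[0-9A-Za-z-]{1,127}$")
# Assumed heuristic: key names that usually hold credentials.
SENSITIVE = re.compile(r"password|secret|apikey|connectionstring|token", re.I)

def audit_web_config(xml_text):
    """Return a list of findings for the appSettings/configBuilders wiring."""
    root = ET.fromstring(xml_text)
    findings = []
    defined = {b.get("name") for b in root.findall("./configBuilders/builders/add")}
    app = root.find("appSettings")
    if app is None:
        return ["no appSettings section"]
    # The configBuilders attribute holds a comma-separated list of builder names.
    used = [n.strip() for n in app.get("configBuilders", "").split(",") if n.strip()]
    if not used:
        findings.append("appSettings has no configBuilders attribute")
    for name in used:
        if name not in defined:
            findings.append(f"builder '{name}' is referenced but not defined")
    for item in app.findall("add"):
        key, value = item.get("key", ""), item.get("value", "")
        placeholder = value.strip("*") == ""  # empty or only asterisks
        if SENSITIVE.search(key) and not placeholder:
            findings.append(f"'{key}' still carries a literal value")
        if placeholder and not SECRET_NAME.match(key):
            findings.append(f"'{key}' is not a valid Key Vault secret name")
    return findings

# Constructed sample: one correct entry, one harmless setting, three mistakes.
SAMPLE = """<configuration>
  <configBuilders><builders>
    <add name="AzureKeyVault" vaultName="example-vault" />
  </builders></configBuilders>
  <appSettings configBuilders="AzureKeyVault, Enviroment">
    <add key="DBConnectionString" value="******" />
    <add key="SmtpPassword" value="hunter2-constructed" />
    <add key="Payments:ApiKey" value="******" />
    <add key="PageSize" value="25" />
  </appSettings>
</configuration>"""

if __name__ == "__main__":
    for line in audit_web_config(SAMPLE):
        print(line)
```

To audit a real project, pass the text of its web.config to audit_web_config and adjust the keyword list to the setting names the application actually uses.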

Pragya Verma
Data Analyst
Addend Analyst
