where i am storing an smtp password + when i publish the application to a shared host provider, i will add an sql server username and password inside the appsettings.json's connection string.
so my question is how i can encrypt sections inside my `appsettings.json` hosted inside a remote shared hosting provider inside IIS? i am fine with keeping the password inside visual studio project, but i want to encrypt the hosted appsettings.json? is this
possible?
You don't need to encrypt passowrds in appsettings.json. However, the risk of having open passwords there is more about the risk of leaving it exposed if you accidentally commits it to things like Github or leving it open on your computer. This is especially
important if other people have access to your code.
You can use a secret manager (tool) to avvoid this (or always removing the passwords before you commit).
If your server where the app is running is properly secured, no one can see your passwords anyway. At some point the passwords must be decrypted and exposed. the last option would be to store it in a database, where it will be encrypted, but that is not
always practical.
Secure your server. that is most important. for linux, use best practices like fail2ban, key based logins over ssh. for database connections you should only allow connections from your server's ip (and possibly your development machine). But the level of
security also depends on what kind of sensitive data you have.
You don't need to encrypt passowrds in appsettings.json. However, the risk of having open passwords there is more about the risk of leaving it exposed if you accidentally commits it to things like Github or leving it open on your computer. This is especially
important if other people have access to your code.
You can use a secret manager (tool) to avvoid this (or always removing the passwords before you commit).
If your server where the app is running is properly secured, no one can see your passwords anyway. At some point the passwords must be decrypted and exposed. the last option would be to store it in a database, where it will be encrypted, but that is not
always practical.
Secure your server. that is most important. for linux, use best practices like fail2ban, key based logins over ssh. for database connections you should only allow connections from your server's ip (and possibly your development machine). But the level of
security also depends on what kind of sensitive data you have.
Thanks for the details reply and detailed info, but as a second layer of security is there a way to encrypt sections of the appsettings.json, as we used to do in the web.config? where we encrypt part of the web,config (which contain sensitive info) by running
"ASPNET_REGIIS -pef ....." command?
There is no good reason to encrypt appsetting.json sections but there is nothing stopping you either. It's fairly straight forward to encrypt and decrypt strings in C#. for the most part you can use sample code found in the reference documentation,
Thanks. Perhaps I should have clarified that I've previously read all of this and this tells me that no, there isn't a simple solution to this requirement. To be sure, the authors are indicating the use of environment variables if I don't have access to
cloud based security tools, which I don't. Only a mad person uses environment variables (is it 1980 or 2020?), so at some point, when I have a spare few days, I'll try to work out how to do it using a FileConfiguration provider and if it's simple enough I'll
post it.
For now, it has occurred to me that there is a very simple solution to this. As you say, it's easy enough to work the encryption tools, so I'll just create a little app that takes the sensitive string, with the keys and churns out the encrypted string.
I can then copy and paste the string into the config file and use a simple helper class to decrypt as necessary.
Thanks. Perhaps I should have clarified that I've previously read all of this and this tells me that no, there isn't a simple solution to this requirement. To be sure, the authors are indicating the use of environment variables if I don't have access to
cloud based security tools, which I don't. Only a mad person uses environment variables (is it 1980 or 2020?), so at some point, when I have a spare few days, I'll try to work out how to do it using a FileConfiguration provider and if it's simple enough I'll
post it.
You misunderstand the problem ASP.NET configuration solves. You can encrypt any string you like. The problem is where to store the key. Anyone with the key can decrypt the data. Typically, this type of information ends up in source control and anyone
with access to source control has the key. Where to store the key is the problem ASP.NET Core solves.
I must be mad but I take full advantage of environment variables. Here's why. Let's say I have typical configuration.
This information can be stored in "User Secrets" on the development machines. The production server configuration
is stored in environment variables. Only the folks that have access to the production machine can see the configuration. ASP.NET configuration reads the environment variables if does not find configuration in the aspsettings.json file.
PJM8765
For now, it has occurred to me that there is a very simple solution to this. As you say, it's easy enough to work the encryption tools, so I'll just create a little app that takes the sensitive string, with the keys and churns out the encrypted string. I
can then copy and paste the string into the config file and use a simple helper class to decrypt as necessary.
If you are unable to take advantage of the configuration features in ASP.NET Core and still want encryption, I recommend building a service. It's pretty easy to do. I built the following for someone else on the forum that had the same question. I just
copied the code from the links a above.
public interface IAesCryptoUtil
{
string Decrypt(string base64String);
string Encrypt(string text);
}
public class AesCryptoUtil : IAesCryptoUtil
{
private byte[] Key;
private byte[] IV;
public AesCryptoUtil()
{
Key = new byte[] {
0x2F, 0xFA, 0x72, 0x68, 0x7, 0x3C, 0xF6, 0xCC, 0x18, 0x8E, 0x20, 0xD7, 0x7E, 0x71, 0x20, 0x7E, 0x65, 0x98, 0xDB, 0xCE, 0xDF, 0x8, 0xE5, 0x57, 0x95, 0xB0, 0xDB, 0xC1, 0x83, 0x41, 0x15, 0x6A
};
IV = new byte[] { 0x96, 0xA0, 0x20, 0xA5, 0xD6, 0x43, 0xC8, 0x9D, 0xB1, 0x7E, 0x8D, 0xCE, 0xA1, 0x9F, 0x35, 0xFD };
}
public string Encrypt(string text)
{
byte[] buff = EncryptStringToBytes_Aes(text);
return Convert.ToBase64String(buff);
}
public string Decrypt(string base64String)
{
byte[] buff = Convert.FromBase64String(base64String);
return DecryptStringFromBytes_Aes(buff);
}
private byte[] EncryptStringToBytes_Aes(string plainText)
{
// Check arguments.
if (plainText == null || plainText.Length <= 0)
throw new ArgumentNullException("plainText");
if (Key == null || Key.Length <= 0)
throw new ArgumentNullException("Key");
if (IV == null || IV.Length <= 0)
throw new ArgumentNullException("IV");
byte[] encrypted;
// Create an Aes object
// with the specified key and IV.
using (Aes aesAlg = Aes.Create())
{
aesAlg.Key = Key;
aesAlg.IV = IV;
// Create an encryptor to perform the stream transform.
ICryptoTransform encryptor = aesAlg.CreateEncryptor(aesAlg.Key, aesAlg.IV);
// Create the streams used for encryption.
using (MemoryStream msEncrypt = new MemoryStream())
{
using (CryptoStream csEncrypt = new CryptoStream(msEncrypt, encryptor, CryptoStreamMode.Write))
{
using (StreamWriter swEncrypt = new StreamWriter(csEncrypt))
{
//Write all data to the stream.
swEncrypt.Write(plainText);
}
encrypted = msEncrypt.ToArray();
}
}
}
// Return the encrypted bytes from the memory stream.
return encrypted;
}
private string DecryptStringFromBytes_Aes(byte[] cipherText)
{
// Check arguments.
if (cipherText == null || cipherText.Length <= 0)
throw new ArgumentNullException("cipherText");
if (Key == null || Key.Length <= 0)
throw new ArgumentNullException("Key");
if (IV == null || IV.Length <= 0)
throw new ArgumentNullException("IV");
// Declare the string used to hold
// the decrypted text.
string plaintext = null;
// Create an Aes object
// with the specified key and IV.
using (Aes aesAlg = Aes.Create())
{
aesAlg.Key = Key;
aesAlg.IV = IV;
// Create a decryptor to perform the stream transform.
ICryptoTransform decryptor = aesAlg.CreateDecryptor(aesAlg.Key, aesAlg.IV);
// Create the streams used for decryption.
using (MemoryStream msDecrypt = new MemoryStream(cipherText))
{
using (CryptoStream csDecrypt = new CryptoStream(msDecrypt, decryptor, CryptoStreamMode.Read))
{
using (StreamReader srDecrypt = new StreamReader(csDecrypt))
{
// Read the decrypted bytes from the decrypting stream
// and place them in a string.
plaintext = srDecrypt.ReadToEnd();
}
}
}
}
return plaintext;
}
}
I was reading this and was going to implment it but how does one inject the ecrypted password to connection string also in asp.net core .net 5 what is the best way to encrypt in production
I was reading this and was going to implment it but how does one inject the ecrypted password to connection string also in asp.net core .net 5 what is the best way to encrypt in production
Everything needed for encryption is in the code sample. The encryption service and registration. The controllers show how to inject the excryption service and configuration. Did you try the code?
I was reading this and was going to implment it but how does one inject the ecrypted password to connection string also in asp.net core .net 5 what is the best way to encrypt in production
Everything needed for encryption is in the code sample. The encryption service and registration. The controllers show how to inject the excryption service and configuration. Did you try the code?
Its show how to get into the view bag but not how to get the value into the connection string
Its show how to get into the view bag but not how to get the value into the connection string
ViewBag.Password
You misunderstand the fundamentals. The configuration object is injected into the controller. All you have to do is get the configuration name (you named it!!!!) as illustrated in the official documentation or by reading the example code.
where i am storing an smtp password + when i publish the application to a shared host provider, i will add an sql server username and password inside the appsettings.json's connection string.
Seems like you're not on AWS or Azure, otherwise I'd recommend using their corresponding secret management solutions.
There's been plenty of responses in this thread strongly advising against storing passwords in the configuration. There's a number of issues with that approach, but two major ones are:
even if the password in config encrypted, your application will need to contain the decryption key and the algorithm, so it's only a matter of time before someone with access to source code OR binaries will reverse engineer it
when you change the password, you'll have to change the config and re-deploy the app
By using a secret management service, you avoid these both issues. In case you may consider that approach, I could suggest these tow articles that I written to cover use of secrets managers with ASP.NET Core specifically:
Thanks for the details reply and detailed info, but as a second layer of security is there a way to encrypt sections of the appsettings.json, as we used to do in the web.config? where we encrypt part of the web,config (which contain sensitive info) by running
"ASPNET_REGIIS -pef ....." command?
you can if hosting with IIS. use environment variables in the asp.net core app, and set them in the hosting web.config
Member
488 Points
2558 Posts
Encrypt sections of the appsettings.json inside my Asp.Net Core MVC web apllication
Jun 24, 2020 04:03 PM|johnjohn123123|LINK
I have the following `appsettings.json` inside my asp.net core MVC web application:-
{ "ConnectionStrings": { "DefaultConnection": "Server=(localdb)\\ProjectsV13;Database=LandingPage;Trusted_Connection=True;" }, "Logging": { "LogLevel": { "Default": "Information", "Microsoft": "Warning", "Microsoft.Hosting.Lifetime": "Information" } }, "AllowedHosts": "*", "SMTP": { "pass": "************" } }where i am storing an smtp password + when i publish the application to a shared host provider, i will add an sql server username and password inside the appsettings.json's connection string.
so my question is how i can encrypt sections inside my `appsettings.json` hosted inside a remote shared hosting provider inside IIS? i am fine with keeping the password inside visual studio project, but i want to encrypt the hosted appsettings.json? is this possible?
Thanks
All-Star
58174 Points
15647 Posts
Re: Encrypt sections of the appsettings.json inside my Asp.Net Core MVC web apllication
Jun 24, 2020 05:48 PM|bruce (sqlwork.com)|LINK
see the docs:
https://docs.microsoft.com/en-us/aspnet/core/security/app-secrets?view=aspnetcore-3.1&tabs=windows
another approach is if the hosting provider supplies secure environment variables.
Member
488 Points
2558 Posts
Re: Encrypt sections of the appsettings.json inside my Asp.Net Core MVC web apllication
Jun 24, 2020 06:27 PM|johnjohn123123|LINK
thanks for the link, but it did not mention how we can encrypt sections of the appsettings.json
Member
168 Points
201 Posts
Re: Encrypt sections of the appsettings.json inside my Asp.Net Core MVC web apllication
Jun 25, 2020 09:28 AM|bluMarmalade|LINK
You don't need to encrypt passowrds in appsettings.json. However, the risk of having open passwords there is more about the risk of leaving it exposed if you accidentally commits it to things like Github or leving it open on your computer. This is especially important if other people have access to your code.
You can use a secret manager (tool) to avvoid this (or always removing the passwords before you commit).
If your server where the app is running is properly secured, no one can see your passwords anyway. At some point the passwords must be decrypted and exposed. the last option would be to store it in a database, where it will be encrypted, but that is not always practical.
Secure your server. that is most important. for linux, use best practices like fail2ban, key based logins over ssh. for database connections you should only allow connections from your server's ip (and possibly your development machine). But the level of security also depends on what kind of sensitive data you have.
Member
488 Points
2558 Posts
Re: Encrypt sections of the appsettings.json inside my Asp.Net Core MVC web apllication
Jun 25, 2020 10:03 AM|johnjohn123123|LINK
Thanks for the details reply and detailed info, but as a second layer of security is there a way to encrypt sections of the appsettings.json, as we used to do in the web.config? where we encrypt part of the web,config (which contain sensitive info) by running "ASPNET_REGIIS -pef ....." command?
Member
7 Points
42 Posts
Re: Encrypt sections of the appsettings.json inside my Asp.Net Core MVC web apllication
Aug 31, 2020 02:56 PM|PJM8765|LINK
Hi johnjohn,
Did you ever find a way to do this? If so, would you mind sharing it, or pointing in the direction you went.
I've found various suggestions at https://stackoverflow.com/questions/36062670/encrypted-configuration-in-asp-net-core but none of them seem to do what you (and I) are after.
Kind regards, Paul
All-Star
53021 Points
23604 Posts
Re: Encrypt sections of the appsettings.json inside my Asp.Net Core MVC web apllication
Aug 31, 2020 04:37 PM|mgebhard|LINK
ASP.NET Core comes with everything needed to secure configuration. This is a all covered in the official docs.
https://docs.microsoft.com/en-us/aspnet/core/fundamentals/configuration/?view=aspnetcore-3.1
There is no good reason to encrypt appsetting.json sections but there is nothing stopping you either. It's fairly straight forward to encrypt and decrypt strings in C#. for the most part you can use sample code found in the reference documentation,
https://docs.microsoft.com/en-us/dotnet/standard/security/encrypting-data.
Member
7 Points
42 Posts
Re: Encrypt sections of the appsettings.json inside my Asp.Net Core MVC web apllication
Sep 01, 2020 11:15 AM|PJM8765|LINK
Thanks. Perhaps I should have clarified that I've previously read all of this and this tells me that no, there isn't a simple solution to this requirement. To be sure, the authors are indicating the use of environment variables if I don't have access to cloud based security tools, which I don't. Only a mad person uses environment variables (is it 1980 or 2020?), so at some point, when I have a spare few days, I'll try to work out how to do it using a FileConfiguration provider and if it's simple enough I'll post it.
For now, it has occurred to me that there is a very simple solution to this. As you say, it's easy enough to work the encryption tools, so I'll just create a little app that takes the sensitive string, with the keys and churns out the encrypted string. I can then copy and paste the string into the config file and use a simple helper class to decrypt as necessary.
Kind regards, Paul
All-Star
53021 Points
23604 Posts
Re: Encrypt sections of the appsettings.json inside my Asp.Net Core MVC web apllication
Sep 01, 2020 04:48 PM|mgebhard|LINK
You misunderstand the problem ASP.NET configuration solves. You can encrypt any string you like. The problem is where to store the key. Anyone with the key can decrypt the data. Typically, this type of information ends up in source control and anyone with access to source control has the key. Where to store the key is the problem ASP.NET Core solves.
I must be mad but I take full advantage of environment variables. Here's why. Let's say I have typical configuration.
{ "ConnectionStrings": { "DefaultConnectionString": "Server=MyServer;Database=MyDatabase;Trusted_Connection=True;MultipleActiveResultSets=true", }, "mySuperSecret": "Dev secret" }This information can be stored in "User Secrets" on the development machines. The production server configuration is stored in environment variables. Only the folks that have access to the production machine can see the configuration. ASP.NET configuration reads the environment variables if does not find configuration in the aspsettings.json file.
If you are unable to take advantage of the configuration features in ASP.NET Core and still want encryption, I recommend building a service. It's pretty easy to do. I built the following for someone else on the forum that had the same question. I just copied the code from the links a above.
public interface IAesCryptoUtil { string Decrypt(string base64String); string Encrypt(string text); } public class AesCryptoUtil : IAesCryptoUtil { private byte[] Key; private byte[] IV; public AesCryptoUtil() { Key = new byte[] { 0x2F, 0xFA, 0x72, 0x68, 0x7, 0x3C, 0xF6, 0xCC, 0x18, 0x8E, 0x20, 0xD7, 0x7E, 0x71, 0x20, 0x7E, 0x65, 0x98, 0xDB, 0xCE, 0xDF, 0x8, 0xE5, 0x57, 0x95, 0xB0, 0xDB, 0xC1, 0x83, 0x41, 0x15, 0x6A }; IV = new byte[] { 0x96, 0xA0, 0x20, 0xA5, 0xD6, 0x43, 0xC8, 0x9D, 0xB1, 0x7E, 0x8D, 0xCE, 0xA1, 0x9F, 0x35, 0xFD }; } public string Encrypt(string text) { byte[] buff = EncryptStringToBytes_Aes(text); return Convert.ToBase64String(buff); } public string Decrypt(string base64String) { byte[] buff = Convert.FromBase64String(base64String); return DecryptStringFromBytes_Aes(buff); } private byte[] EncryptStringToBytes_Aes(string plainText) { // Check arguments. if (plainText == null || plainText.Length <= 0) throw new ArgumentNullException("plainText"); if (Key == null || Key.Length <= 0) throw new ArgumentNullException("Key"); if (IV == null || IV.Length <= 0) throw new ArgumentNullException("IV"); byte[] encrypted; // Create an Aes object // with the specified key and IV. using (Aes aesAlg = Aes.Create()) { aesAlg.Key = Key; aesAlg.IV = IV; // Create an encryptor to perform the stream transform. ICryptoTransform encryptor = aesAlg.CreateEncryptor(aesAlg.Key, aesAlg.IV); // Create the streams used for encryption. using (MemoryStream msEncrypt = new MemoryStream()) { using (CryptoStream csEncrypt = new CryptoStream(msEncrypt, encryptor, CryptoStreamMode.Write)) { using (StreamWriter swEncrypt = new StreamWriter(csEncrypt)) { //Write all data to the stream. swEncrypt.Write(plainText); } encrypted = msEncrypt.ToArray(); } } } // Return the encrypted bytes from the memory stream. return encrypted; } private string DecryptStringFromBytes_Aes(byte[] cipherText) { // Check arguments. if (cipherText == null || cipherText.Length <= 0) throw new ArgumentNullException("cipherText"); if (Key == null || Key.Length <= 0) throw new ArgumentNullException("Key"); if (IV == null || IV.Length <= 0) throw new ArgumentNullException("IV"); // Declare the string used to hold // the decrypted text. string plaintext = null; // Create an Aes object // with the specified key and IV. using (Aes aesAlg = Aes.Create()) { aesAlg.Key = Key; aesAlg.IV = IV; // Create a decryptor to perform the stream transform. ICryptoTransform decryptor = aesAlg.CreateDecryptor(aesAlg.Key, aesAlg.IV); // Create the streams used for decryption. using (MemoryStream msDecrypt = new MemoryStream(cipherText)) { using (CryptoStream csDecrypt = new CryptoStream(msDecrypt, decryptor, CryptoStreamMode.Read)) { using (StreamReader srDecrypt = new StreamReader(csDecrypt)) { // Read the decrypted bytes from the decrypting stream // and place them in a string. plaintext = srDecrypt.ReadToEnd(); } } } } return plaintext; } }Register the service
Implementation
public class HomeController : Controller { private readonly ILogger<HomeController> _logger; private readonly IAesCryptoUtil _aesCryptoUtil; private readonly IConfiguration _configuration; public HomeController( ILogger<HomeController> logger, IAesCryptoUtil aesCryptoUtil, IConfiguration configuration) { _logger = logger; _aesCryptoUtil = aesCryptoUtil; _configuration = configuration; } [HttpGet] public ActionResult Index() { ViewBag.Password = Decrypt(_configuration.GetSection("password").Value); return View(); } [HttpGet] public string Encrypt(string value) { _logger.LogInformation("Encrypt"); return _aesCryptoUtil.Encrypt(value); } [HttpGet] public string Decrypt(string value) { return _aesCryptoUtil.Decrypt(value); } }appsetting.json
{ "Logging": { "LogLevel": { "Default": "Information", "Microsoft": "Warning", "Microsoft.Hosting.Lifetime": "Information" } }, "AllowedHosts": "*", "password": "VCEzsHhZrb8jD/yyDIvzWw==" }Member
16 Points
131 Posts
Re: Encrypt sections of the appsettings.json inside my Asp.Net Core MVC web apllication
Jan 07, 2021 08:45 AM|roguenidb|LINK
I was reading this and was going to implment it but how does one inject the ecrypted password to connection string also in asp.net core .net 5 what is the best way to encrypt in production
All-Star
53021 Points
23604 Posts
Re: Encrypt sections of the appsettings.json inside my Asp.Net Core MVC web apllication
Jan 07, 2021 12:32 PM|mgebhard|LINK
Everything needed for encryption is in the code sample. The encryption service and registration. The controllers show how to inject the excryption service and configuration. Did you try the code?
Member
16 Points
131 Posts
Re: Encrypt sections of the appsettings.json inside my Asp.Net Core MVC web apllication
Jan 07, 2021 02:16 PM|roguenidb|LINK
Its show how to get into the view bag but not how to get the value into the connection string
All-Star
53021 Points
23604 Posts
Re: Encrypt sections of the appsettings.json inside my Asp.Net Core MVC web apllication
Jan 07, 2021 05:43 PM|mgebhard|LINK
You misunderstand the fundamentals. The configuration object is injected into the controller. All you have to do is get the configuration name (you named it!!!!) as illustrated in the official documentation or by reading the example code.
public class HomeController : Controller { private readonly ILogger<HomeController> _logger; private readonly IAesCryptoUtil _aesCryptoUtil; private readonly IConfiguration _configuration; public HomeController( ILogger<HomeController> logger, IAesCryptoUtil aesCryptoUtil, IConfiguration configuration) { _logger = logger; _aesCryptoUtil = aesCryptoUtil; _configuration = configuration; } [HttpGet] public ActionResult Index() { ViewBag.Password = Decrypt(_configuration.GetSection("password").Value); return View(); }{ "Logging": { "LogLevel": { "Default": "Information", "Microsoft": "Warning", "Microsoft.Hosting.Lifetime": "Information" } }, "AllowedHosts": "*", "password": "VCEzsHhZrb8jD/yyDIvzWw==" }If you want password to to read connectionstring then change the name to connecitonstring
The other Actions allow you to test encrypting and decrypting data. It is up to you to encrypt the connection string and update the appsettings.json.
Member
100 Points
31 Posts
Re: Encrypt sections of the appsettings.json inside my Asp.Net Core MVC web apllication
Jan 08, 2021 11:35 PM|artem_s|LINK
Seems like you're not on AWS or Azure, otherwise I'd recommend using their corresponding secret management solutions.
There's been plenty of responses in this thread strongly advising against storing passwords in the configuration. There's a number of issues with that approach, but two major ones are:
By using a secret management service, you avoid these both issues. In case you may consider that approach, I could suggest these tow articles that I written to cover use of secrets managers with ASP.NET Core specifically:
Hope it helps!
Cheers
PS I summarised these above points and a bit more in this SO answer: How can I secure passwords stored inside web.config?
All-Star
58174 Points
15647 Posts
Re: Encrypt sections of the appsettings.json inside my Asp.Net Core MVC web apllication
Jan 09, 2021 01:21 AM|bruce (sqlwork.com)|LINK
you can if hosting with IIS. use environment variables in the asp.net core app, and set them in the hosting web.config
<aspNetCore processPath="dotnet" arguments=".\AppName.dll" stdoutLogEnabled="false" stdoutLogFile=".\logs\stdout"> <environmentVariables> <environmentVariable name="MyVariable" value="MyValue" /> </environmentVariables> </aspNetCore>then you use IIS encryption on the <enviromentVariables> section
None
0 Points
1 Post
Re: Encrypt sections of the appsettings.json inside my Asp.Net Core MVC web apllication
Feb 04, 2021 10:33 AM|.NetCoreCoder|LINK
There is a library for exactly that purpose that works pretty well:
https://github.com/devattic/ConfigCrypter