What is Secrets Management?
Before we talk about secrets management, let’s define secrets in the IT context. In short, secrets are any sensitive data that should not be known by an unauthorized person. Secrets can include (but are not limited to):
- Passwords
- Database credentials
- Application Programming Interface (API) keys
- Secure Shell (SSH) keys
Secrets management is the set of tools and procedures used to store, distribute, and control access to such sensitive data. This matches how BeyondTrust and Auth0 describe secrets management. If you wish to learn more about implementing secrets management, we recommend reading the Secrets Management Cheat Sheet from OWASP.
Why Use Secrets Management in .NET?
Secrets management is a vital part of modern software development. Let's look at the OWASP Top 10:2021. In second position is A02:2021 – Cryptographic Failures, previously known as Sensitive Data Exposure. Notable Common Weakness Enumerations (CWEs) included are CWE-259: Use of Hard-coded Password, CWE-327: Broken or Risky Crypto Algorithm, and CWE-331: Insufficient Entropy. So, it is important to manage our secrets and ensure that only authorized personnel can use the credentials.
As an example of the hard-coded password weakness, imagine that your database credentials are written directly into the source code, so anyone who can read the code, including outsiders, can see them. An outsider could publish your data, change it, or erase it. This is what is meant by hard-coded passwords or hard-coded credentials.
Secrets Management Tools in .NET
We have many tools to help us with secrets management, especially for .NET Applications. We will cover the following tools:
- Built-in Secret Manager Tool
- Azure Key Vault
- HashiCorp Vault
- AWS (Amazon Web Services) Secrets Manager
- Google Cloud Secret Manager
Built-in Secret Manager Tool
The Built-in Secret Manager tool stores secrets in a JSON (JavaScript Object Notation) file on the local machine. Note, however, that it does not encrypt the stored secrets, so it is not a best practice for production. As the Microsoft documentation states, the Secret Manager tool should be used for development purposes only. For complete guidelines on how to use it, please read that documentation.
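The following Program.cs is an added example (not from the original post) that puts the hard-coded credential from the previous section beside its replacement: the password is read through the Configuration API, which in Development is fed by the Built-in Secret Manager tool. The configuration keys (`Database:Host`, `Database:Password`, and so on) and the `DatabaseOptions` class are assumptions made for this example.

```csharp
// Program.cs of an ASP.NET Core app (added example, not from the original post).
// Before running in Development:
//   dotnet user-secrets init
//   dotnet user-secrets set "Database:Password" "<dev-only password>"
// The value lands in the per-user secrets.json file, unencrypted, outside the repository.
// Non-secret values (Host, Name, User) live in appsettings.json as usual.
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Hosting;

var builder = WebApplication.CreateBuilder(args);

// WEAK (CWE-259): a hard-coded credential. Anyone who can read the repository reads the password.
// string connectionString = "Server=db;Database=app;User Id=app;Password=Sup3rS3cret!;";

// FIXED: the password comes from configuration. CreateBuilder already adds user secrets in
// Development when the project has a UserSecretsId; the explicit call below is shown for clarity
// and is limited to Development so the unencrypted file is never consulted in production.
if (builder.Environment.IsDevelopment())
{
    builder.Configuration.AddUserSecrets<Program>(optional: true);
}

var dbOptions = builder.Configuration.GetSection("Database").Get<DatabaseOptions>()
    ?? throw new InvalidOperationException("The Database configuration section is missing.");
dbOptions.Validate();

builder.Services.AddSingleton(dbOptions);

var app = builder.Build();
app.MapGet("/", () => "ok");
app.Run();

// Typed options bound from configuration (assumed shape); the password never appears in source control.
public sealed class DatabaseOptions
{
    public string Host { get; init; } = "localhost";
    public string Name { get; init; } = "app";
    public string User { get; init; } = "app";
    public string Password { get; init; } = "";

    // Fail fast at startup instead of failing on the first query or silently running with an empty password.
    public void Validate()
    {
        if (string.IsNullOrWhiteSpace(Password))
        {
            throw new InvalidOperationException(
                "Database:Password is not configured. In Development, set it with " +
                "'dotnet user-secrets set \"Database:Password\" <value>'; in production, use a secrets manager.");
        }
    }

    public string ToConnectionString() =>
        $"Server={Host};Database={Name};User Id={User};Password={Password};";
}
```

The startup check matters more than it looks: without it, a missing secret typically surfaces as a database login failure deep in a request, and a configuration provider that silently returns an empty string is easy to miss in a code review.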
Advantages of the Built-in Secret Manager Tool
- Simple and easy to integrate with Configuration API.
- Free to use.
- Can be integrated with Visual Studio.
Disadvantages of the Built-in Secret Manager Tool
- Should not be used for production and only for the development environment.
- The secrets are not encrypted.
You may be wondering which tools we should use for the production environment. Microsoft recommends its own product, Azure Key Vault. In the following sections, we will compare it with the other available tools: HashiCorp Vault, AWS Secrets Manager, and Google Cloud Secret Manager.
Azure Key Vault
According to the Azure Key Vault documentation, Azure Key Vault is a key management solution in Azure that provides secrets management, key management, and certificate management. If you are curious about how to set up Azure Key Vault, we recommend reading that documentation. There are several ways to authenticate an application to Azure Key Vault, for example:
- Using an application ID and an X.509 certificate. This method works for apps that are not hosted in Azure; if you have no plan to move your application to Azure, it is the recommended way to access your Azure Key Vault.
- Using managed identities. This is the recommended method for applications that run in Azure. For example, if you have a Web API in Azure App Service, you can access Azure Key Vault with a managed identity.
You can use the library named "Azure.Extensions.AspNetCore.Configuration.Secrets" to integrate Azure Key Vault with the Configuration API. We recommend Azure Key Vault if Azure is your deployment target.
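As an added example (not code from the original post or from Microsoft), here is how the two authentication methods above plug into the Configuration API through `Azure.Extensions.AspNetCore.Configuration.Secrets` and `Azure.Identity`. The vault URI, the `KeyVault:*` configuration keys, and the `SelectCredential` helper are assumptions for this example; `AddAzureKeyVault`, `AzureKeyVaultConfigurationOptions`, `ClientCertificateCredential`, and `ManagedIdentityCredential` are the real library types.

```csharp
// Program.cs (added example). Assumes an existing vault whose URI is supplied as KeyVault:Uri,
// and the NuGet packages Azure.Extensions.AspNetCore.Configuration.Secrets and Azure.Identity.
// Key Vault secret names use "--" where configuration keys use ":", so the secret
// "Database--Password" becomes the configuration key "Database:Password".
using Azure.Core;
using Azure.Identity;
using Azure.Extensions.AspNetCore.Configuration.Secrets;
using Microsoft.Extensions.Configuration;

var builder = WebApplication.CreateBuilder(args);

var vaultUri = new Uri(builder.Configuration["KeyVault:Uri"]
    ?? throw new InvalidOperationException("KeyVault:Uri is not configured."));

builder.Configuration.AddAzureKeyVault(
    vaultUri,
    SelectCredential(builder.Configuration),
    new AzureKeyVaultConfigurationOptions
    {
        // Re-read the vault periodically so a rotated secret is picked up without a restart.
        // Keep the interval generous: every reload counts against the vault's transaction limits.
        ReloadInterval = TimeSpan.FromMinutes(30)
    });

var app = builder.Build();
app.MapGet("/", (IConfiguration cfg) =>
    cfg["Database:Password"] is { Length: > 0 } ? "secret loaded" : "secret missing");
app.Run();

// Pick the credential that matches where the app runs (the two methods described in the text).
static TokenCredential SelectCredential(IConfiguration cfg)
{
    // Outside Azure: application (client) ID plus an X.509 certificate.
    // Tenant ID, client ID and certificate path are configuration values, not literals in code,
    // and the certificate's private key is the only secret material the host has to protect.
    var certificatePath = cfg["KeyVault:ClientCertificatePath"];
    if (!string.IsNullOrEmpty(certificatePath))
    {
        return new ClientCertificateCredential(
            tenantId: cfg["KeyVault:TenantId"],
            clientId: cfg["KeyVault:ClientId"],
            clientCertificatePath: certificatePath);
    }

    // Inside Azure (App Service, VM, AKS): managed identity, with no credential material to manage at all.
    // Pass a client ID to select a user-assigned identity; omit it for the system-assigned identity.
    var managedIdentityClientId = cfg["KeyVault:ManagedIdentityClientId"];
    return string.IsNullOrEmpty(managedIdentityClientId)
        ? new ManagedIdentityCredential()
        : new ManagedIdentityCredential(managedIdentityClientId);
}
```

Choosing the credential explicitly, rather than relying on a chained credential that tries several sources in turn, makes it obvious in review which identity the production deployment uses and avoids a developer's local login being picked up by accident.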
If you are curious about the pricing of these secrets managers, it depends on your use case. We will use the following use case to compare all the secret managers mentioned in this post:
- The region is the westernmost U.S. states.
- 10,000 operations or transactions per month.
- 100 secrets (only storing the database credentials, API keys, etc. without HSM-protected keys) stored for a month.
Based on this use case, Azure Key Vault costs $0.03/month. Azure Key Vault does not charge for secret storage, except for HSM-protected keys.
Advantages of using Azure Key Vault
- Flexibility to choose authentication method for accessing Azure Key Vault.
- Integrated monitoring tools for tracking access of keys and secrets.
- Easy to integrate with various Azure services such as Azure Virtual Machine, Azure App Service, and Azure Kubernetes Service.
- Can be integrated with many popular programming languages such as .NET, Python, Java, and JavaScript.
- Supports secret rotations.
- Supports multi-tenant solutions.
Disadvantages of Azure Key Vault
- Requires a connection to cloud services even for local development. This can be seen either way, but we consider it a disadvantage, especially for developers.
- Transaction limits, or "throttling", might affect your production operation. For information on how to handle throttling when these limits are exceeded, see the Azure Key Vault throttling guidance.
HashiCorp Vault
Another tool for secrets management is HashiCorp Vault. HashiCorp Vault provides integration with multiple cloud services, such as Amazon Web Services, Google Cloud, and Microsoft Azure. In addition, HashiCorp Vault can also be integrated with Kubernetes seamlessly.
Several libraries integrate .NET applications with HashiCorp Vault, including VaultSharp, Vault.NET, and HashiCorp.Vault. VaultSharp and Vault.NET are community-driven libraries, whereas HashiCorp.Vault is officially supported by HashiCorp; however, that library was still in beta when this blog post was written.
Keep in mind that Vault's development server must not be used for your production environment. You can read this documentation to deploy Vault on your own server, or use the managed service, HashiCorp Cloud Platform (HCP) Vault, as an alternative.
HashiCorp Vault pricing varies with your usage. If you manage the HashiCorp Vault server yourself, you only pay the server's operating cost. If you use the managed service, HCP Vault, you pay an hourly rate; for 30 days, this costs approximately $1,137.6, a significant cost compared to the other secret managers.
Advantages of Using HashiCorp Vault
- Support for both local development and production.
- Open-source and well-tested.
- It can be installed on a wide range of systems and cloud services, like AWS, Azure, and Google Cloud.
- Able to be deployed and used in the on-premise system.
- Flexibility to choose the authentication method. The available methods are AliCloud, AppRole, AWS IAM, AWS EC2, Azure, Cloud Foundry, GitHub, Google Cloud, JWT/OIDC, Kerberos, Kubernetes, LDAP, OCI, Okta, RADIUS, TLS Certificate, Token, and Username.
- Ability to validate third-party clients.
- Has basic secrets management features such as secret rotation.
Disadvantages of Using HashiCorp Vault
- Requires some adjustments to integrate with the Configuration API.
- It can be complex, especially when integrating the vault with another cloud.
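The "adjustments" needed for the Configuration API amount to writing a configuration provider, since there is no official one. The following is an added example (not from the original post, HashiCorp, or the VaultSharp project) of a minimal provider that reads one KV v2 secret through the community VaultSharp library and authenticates with AppRole. The Vault address, mount point, secret path, and the `VAULT_ROLE_ID`/`VAULT_SECRET_ID` environment variables are assumptions for this example.

```csharp
// Added example: a Configuration API provider backed by HashiCorp Vault's KV v2 engine via VaultSharp.
// Assumed: Vault reachable at the configured address, an AppRole allowed to read secret/data/myapp,
// and the role ID / secret ID injected by the platform as environment variables (never committed).
using System;
using System.Collections.Generic;
using Microsoft.Extensions.Configuration;
using VaultSharp;
using VaultSharp.V1.AuthMethods.AppRole;
using VaultSharp.V1.Commons;
using VaultSharp.V1.SecretsEngines.KeyValue.V2;

public sealed class VaultConfigurationSource : IConfigurationSource
{
    public string VaultAddress { get; init; } = "";
    public string MountPoint { get; init; } = "secret";
    public string Path { get; init; } = "";
    public string RoleId { get; init; } = "";
    public string SecretId { get; init; } = "";

    public IConfigurationProvider Build(IConfigurationBuilder builder) => new VaultConfigurationProvider(this);
}

public sealed class VaultConfigurationProvider : ConfigurationProvider
{
    private readonly VaultConfigurationSource _source;

    public VaultConfigurationProvider(VaultConfigurationSource source) => _source = source;

    public override void Load()
    {
        // AppRole: the app presents a role ID and a secret ID and receives a short-lived Vault token.
        var client = new VaultClient(new VaultClientSettings(
            _source.VaultAddress,
            new AppRoleAuthMethodInfo(_source.RoleId, _source.SecretId)));

        // KV v2 returns the secret's key/value pairs under Data.Data.
        Secret<SecretData> secret = client.V1.Secrets.KeyValue.V2
            .ReadSecretAsync(path: _source.Path, mountPoint: _source.MountPoint)
            .GetAwaiter().GetResult();

        var data = new Dictionary<string, string?>(StringComparer.OrdinalIgnoreCase);
        foreach (var (key, value) in secret.Data.Data)
        {
            // A Vault key such as "Database/Password" becomes the configuration key "Database:Password".
            data[key.Replace('/', ':')] = value?.ToString();
        }
        Data = data;
    }
}

public static class VaultConfigurationExtensions
{
    public static IConfigurationBuilder AddHashiCorpVault(this IConfigurationBuilder builder,
        string address, string path, string roleId, string secretId, string mountPoint = "secret") =>
        builder.Add(new VaultConfigurationSource
        {
            VaultAddress = address, Path = path, RoleId = roleId, SecretId = secretId, MountPoint = mountPoint
        });
}

// Usage in Program.cs (assumed values):
//
// var builder = WebApplication.CreateBuilder(args);
// builder.Configuration.AddHashiCorpVault(
//     address: "https://vault.example.internal:8200",
//     path: "myapp",
//     roleId: Environment.GetEnvironmentVariable("VAULT_ROLE_ID")
//         ?? throw new InvalidOperationException("VAULT_ROLE_ID is not set."),
//     secretId: Environment.GetEnvironmentVariable("VAULT_SECRET_ID")
//         ?? throw new InvalidOperationException("VAULT_SECRET_ID is not set."));
// var password = builder.Configuration["Database:Password"];
```

The provider reads the secret once at startup; supporting the rotation feature mentioned above would mean re-running `Load` on a timer and calling `OnReload()`, in the same way the Azure provider's reload interval works. The secret ID is itself a credential, so in practice it is delivered by the platform (a Kubernetes secret, a CI variable, or Vault's response wrapping), not stored next to the code.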
AWS Secrets Manager
If you are going to use AWS as your main cloud service, we recommend considering AWS Secrets Manager. If you want to learn more about AWS Secrets Manager concepts, see the AWS Secrets Manager documentation. You can use the AWS SDK to integrate .NET applications with AWS Secrets Manager. However, as with HashiCorp Vault, you need to write your own implementation to integrate with the Configuration API.
The recommended way to authenticate to AWS Secrets Manager is with an IAM identity. However, you may use an access key while developing the application.
The cost of AWS Secrets Manager is slightly higher than Azure Key Vault, because AWS Secrets Manager charges for secret storage. For our use case, AWS Secrets Manager costs $40.05/month.
Advantages of Using AWS Secrets Manager
- Integrated with monitoring and auditing tools, which help us identify suspicious attempts to access our secrets.
- AWS SDK provides the Secrets Manager Client with the ability to cache the secret.
- Supports secrets rotation and handles the database secret rotation when you host the database in AWS, for example when using RDS (Relational Database Service).
Disadvantages of Using AWS Secrets Manager
- Must write our own implementation to integrate with the Configuration API.
- Access limits and quotas need to be considered.
- The cost can be high if you access the secrets frequently, since you are billed per request.
- Requires a connection to the cloud resources.
- You can only use AWS Identity and Access Management (IAM) for authentication.
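Two of the points above, the per-request billing and the SDK's secret cache, fit together: caching is how you keep request counts down. The following is an added example (not from the original post or from AWS) that reads an RDS-style database credential through the caching client, authenticating with whatever IAM identity the host provides. The secret name `prod/myapp/db`, the cache TTL, and the `DbCredentials` record are assumptions for this example; the JSON field names are those that RDS-managed rotation writes.

```csharp
// Added example. Assumes the NuGet packages AWSSDK.SecretsManager and AWSSDK.SecretsManager.Caching,
// and a secret (constructed name "prod/myapp/db") whose SecretString is the JSON document written by
// RDS-managed rotation: {"username":..,"password":..,"host":..,"port":..,"dbname":..}.
using System;
using System.Text.Json;
using System.Text.Json.Serialization;
using System.Threading.Tasks;
using Amazon.SecretsManager;
using Amazon.SecretsManager.Extensions.Caching;

public sealed record DbCredentials(
    [property: JsonPropertyName("username")] string Username,
    [property: JsonPropertyName("password")] string Password,
    [property: JsonPropertyName("host")] string Host,
    [property: JsonPropertyName("port")] int Port,
    [property: JsonPropertyName("dbname")] string DbName);

public sealed class DbCredentialProvider : IDisposable
{
    private readonly SecretsManagerCache _cache;
    private readonly string _secretId;

    public DbCredentialProvider(string secretId, TimeSpan cacheTtl)
    {
        // No access key in code: the SDK resolves credentials from the IAM role attached to the
        // EC2 instance, ECS task or Lambda function, or from the local profile/environment in development.
        var client = new AmazonSecretsManagerClient();
        _cache = new SecretsManagerCache(client, new SecretCacheConfiguration
        {
            // Refresh from the service at most once per TTL; every other call is served from memory,
            // which keeps the per-request charge (see the cost note above) proportional to rotations,
            // not to application traffic.
            CacheItemTTL = (uint)cacheTtl.TotalMilliseconds
        });
        _secretId = secretId;
    }

    public async Task<DbCredentials> GetAsync()
    {
        string json = await _cache.GetSecretString(_secretId)
            ?? throw new InvalidOperationException($"Secret '{_secretId}' has no string value.");

        return JsonSerializer.Deserialize<DbCredentials>(json)
            ?? throw new InvalidOperationException($"Secret '{_secretId}' is not a valid JSON credential document.");
    }

    public string BuildConnectionString(DbCredentials c) =>
        $"Server={c.Host},{c.Port};Database={c.DbName};User Id={c.Username};Password={c.Password};";

    public void Dispose() => _cache.Dispose();
}

// Usage (assumed values):
//
// using var provider = new DbCredentialProvider("prod/myapp/db", TimeSpan.FromMinutes(5));
// var creds = await provider.GetAsync();
// var connectionString = provider.BuildConnectionString(creds);
```

Because the cache can hold a value for up to one TTL after a rotation completes, a connection attempt that fails authentication should be treated as a signal to fetch the secret again rather than as a fatal error; the TTL is the upper bound on how long that window lasts.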
Google Cloud Secret Manager
The last tool we will discuss for secrets management is Google Cloud Secret Manager. It focuses on Google Cloud services; if you want to learn more about the Google Cloud Secret Manager concepts, see the Google Cloud documentation.
Google Cloud Secret Manager authenticates in a similar way to AWS Secrets Manager, either with secrets or with an IAM identity. However, its authentication options are not as flexible as HashiCorp Vault's.
Google Cloud Secret Manager has similar pricing to AWS Secrets Manager: you pay based on the total number of secrets stored. For our use case, the cost is $6.03/month, which is cheaper than AWS Secrets Manager.
Advantages of Google Cloud Secret Manager
- Wide support for client libraries, for example C++, C#, Go, Java, Node.js, PHP, Python, and Ruby. Even if your programming language is not supported, you can integrate using the REST API or RPC.
- Basic secrets management features such as secret rotation, plus support for secret versioning.
- Integrated with monitoring and auditing tools.
Disadvantages of Google Cloud Secret Manager
- Requires a connection to the cloud resources.
- Access limits and quotas.
- You are required to use Identity and Access Management (IAM) from Google Cloud, which means limited options for accessing the secrets manager.
- Must write your own implementation to integrate with the Configuration API.
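The versioning feature listed among the advantages is the part of this service worth seeing in code. The following is an added example (not from the original post or from Google) using the official `Google.Cloud.SecretManager.V1` client: it reads a pinned version or `latest`, and lists the versions with their state so an operator can confirm a rotation before switching to it. The project ID `my-project` and the secret ID `db-password` are constructed values.

```csharp
// Added example. Assumes the NuGet package Google.Cloud.SecretManager.V1 and Application Default
// Credentials (the service account attached to the GCE/GKE/Cloud Run workload, or
// `gcloud auth application-default login` on a developer machine). No key file is read from the repo.
using System.Collections.Generic;
using Google.Cloud.SecretManager.V1;

public static class GcpSecrets
{
    // Read one version of a secret. Pin a version number in production deployments so a rollout does
    // not silently pick up a half-finished rotation; use "latest" only where that is what you want.
    public static string Access(string projectId, string secretId, string version = "latest")
    {
        SecretManagerServiceClient client = SecretManagerServiceClient.Create();
        var name = new SecretVersionName(projectId, secretId, version);
        AccessSecretVersionResponse response = client.AccessSecretVersion(name);
        return response.Payload.Data.ToStringUtf8();
    }

    // List the version IDs of a secret with their state (Enabled, Disabled, Destroyed). Destroyed
    // versions still appear in the list, so a caller can see the rotation history without the payloads.
    public static List<(string VersionId, SecretVersion.Types.State State)> ListVersions(string projectId, string secretId)
    {
        SecretManagerServiceClient client = SecretManagerServiceClient.Create();
        var versions = new List<(string, SecretVersion.Types.State)>();
        foreach (SecretVersion v in client.ListSecretVersions(new SecretName(projectId, secretId)))
        {
            versions.Add((SecretVersionName.Parse(v.Name).SecretVersionId, v.State));
        }
        return versions;
    }
}

// Usage (constructed values):
//
// string pinned = GcpSecrets.Access("my-project", "db-password", version: "3");
// foreach (var (id, state) in GcpSecrets.ListVersions("my-project", "db-password"))
//     Console.WriteLine($"version {id}: {state}");
```

Disabling the previous version (rather than destroying it) right after a rotation gives a quick rollback path: re-enabling it is an API call, whereas a destroyed version's payload is gone for good.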
Conclusion
In conclusion, secrets management is a set of tools and methods for managing secrets. We have seen its importance: without it, our business carries considerable risk. There are many cases of cyber-attacks through exposed credentials, which makes it essential to secure our credentials or secrets.
We have also learned about the three options for managing secrets in .NET applications. For the production environment, we should consider Azure Key Vault, HashiCorp Vault, AWS Secrets Manager, or Google Cloud Secret Manager, while the Built-in Secret Manager tool serves as an alternative for the development environment.
Please use this table as a guide when choosing the secrets management tool that fits your needs.
| Secrets Management Tool | Support for Development Server/Environment | Support for Production | Ability to Integrate with Configuration API | Recommended Application Environment | Number of Authentication Methods | Ability to Deploy the Service on an On-Premises System | Estimated Pricing Based on the Use Case (per month) |
|---|---|---|---|---|---|---|---|
| Built-In | Yes | No | Yes | Local | 0 | No | Free |
| Azure Key Vault | No (you should connect to a provisioned vault in Azure) | Yes | Yes | Microsoft Azure | 2 | No | $0.03 |
| HashiCorp Vault | Yes | Yes | No (it might use another library or your own implementation) | Microsoft Azure, AWS, Google Cloud, and other deployment targets | 18 | Yes | $1,137.6 |
| AWS Secrets Manager | No | Yes | No (it might use another library or your own implementation) | AWS | 2 | No | $40.05 |
| Google Cloud Secret Manager | No | Yes | No (it might use another library or your own implementation) | Google Cloud | 2 | No | $6.03 |
Based on the table above, we recommend the Built-in Secret Manager tool for the development environment.
For production environments and .NET applications, HashiCorp Vault is preferable thanks to its flexibility in deployment targets and authentication methods, which helps future flexibility and maintainability. However, its cost is significantly higher than the others. If you have on-premises applications, you can deploy and manage HashiCorp Vault yourself to reduce the cost.
If you have a specific use case and already know which cloud service will host the application, we recommend that cloud's own managed secrets manager. It will integrate easily and reduce costs.
Author: Bervianto Leo Pratama, Analyst Programmer