How to Hide Your API in .net Core?

Question

Hello,

When I have read (https://medium.com/better-programming/how-to-hide-your-api-keys-c2b952bc07e6) the article about hiding your api key in relation to github and javascript I got a reflection about it.

How do you hide your api key in .net core v3?

Thank you!

Answer 1

Hello @JJ TT

If say using GitHub and storing api key in a .cs or .vb file, tell git to not include that file into the repository. This can be done by having a file named .gitignore and place the file in. You can specify a full file name or path and file name or use wild cards.

Documenation

https://git-scm.com/docs/gitignore
https://docs.github.com/en/free-pro-team@latest/github/using-git/ignoring-files

Now the above points to GitHub while other source control also allow ignore files from Microsoft DevOps to SVN.

Notes

Nothing is fully secure in that say for instance someone hacks your computer and finds the key? Well that is far fetch but what is not is what happens if someone can get you password and user name, they can get out your SSH and GPG keys. So this means more than one level of security is needed, the above and a developer keeping passwords secure.

Answer 2

As Karen already suggested, you should not be storing your API keys (or any secrets for that matter, anything like DB usernames/passwords etc) in your repository. You might be tempted to encrypt your passwords/keys and still store them in the repo - don't. There's multiple reasons not to do that, but I won't go into it as it's outside of the topic of your question.

Presently, the recommendation would be to use a "secrets manager" service, that's a service that stores API keys etc for you and lets you retrieve them when needed. When you use a secret management service, no secrets or decryption key or algorithm is stored in your source code. Retrieving a secret is as simple as this:

For Azure Key Vault:

var keyVaultUrl = "https://<your-key-vault-name>.vault.azure.net/";
var credential =  new DefaultAzureCredential();    
var client = new SecretClient(vaultUri: new Uri(keyVaultUrl), credential);    
KeyVaultSecret secret = client.GetSecret("<your-secret-name>");    
Console.WriteLine($"{secret.Name}: {secret.Value}");

For AWS Secrets Manager (skipped some error handling code):

var client = new AmazonSecretsManagerClient(accessKeyId, secretAccessKey, 
                                            RegionEndpoint.APSoutheast2);
var request = new GetSecretValueRequest {
    SecretId = secretName
};
GetSecretValueResponse response = null;
response = client.GetSecretValueAsync(request).Result;

This approach has lots of advantages over the storage of secrets locally:

• you don't have to mess with storing different values in configs for Prod/Staging/Dev environments -- just read appropriately named secrets (such as '[Dev|Prod|Stag]DBPassword`
• only selected few people can have access to the very important secrets (such as, I dunno, say an authorisation code to transfer all $$$ from Deus account to E-Coin wallets around the world #revolution), and their access can be revoked at any time
• if anyone steals your source code (disgruntled employee, accidental leak) none of your passwords have been leaked
• changing a password is easy -- you just update it using the could management console and restart the app(s)

I have written a couple of articles, showing how to set up and read secrets with AWS and Azure, feel free to check it out if you need step-by-step directions and complete source code:

• How to use AWS Secrets Manager to store & read passwords in .Net Core apps
• How to securely store and retrieve sensitive info in .NET Core apps with Azure Key Vault