In my production env right now I have my key hard coded:
new SigningCredentials(new SymmetricSecurityKey("my jey bla bla"), SecurityAlgorithms.HmacSha256Signature);
Moving the key to a config file is a bad idea, placing it here is even worst.
What is the best way to store and use the SymmetricSecurityKey?
Thanks
On
For secrets in your development environment you can store those in either environment variables or use the secrets storage in visual studio. You can read about it here. For test, integration or development you can use the secrets logic that is available in your CI. (assuming your CI supports this.) (For instance in GitLab you can read about it here.)
Environment variables
Environment variables are used to avoid storage of app secrets in code or in local configuration files. Environment variables override configuration values for all previously specified configuration sources.
Consider an ASP.NET Core web app in which Individual User Accounts security is enabled. A default database connection string is included in the project's appsettings.json file with the key DefaultConnection. The default connection string is for LocalDB, which runs in user mode and doesn't require a password. During app deployment, the DefaultConnection key value can be overridden with an environment variable's value. The environment variable may store the complete connection string with sensitive credentials.
Warning
Environment variables are generally stored in plain, unencrypted text. If the machine or process is compromised, environment variables can be accessed by untrusted parties. Additional measures to prevent disclosure of user secrets may be required.
Secret manager tool
The Secret Manager tool stores sensitive data during the development of an ASP.NET Core project. In this context, a piece of sensitive data is an app secret. App secrets are stored in a separate location from the project tree. The app secrets are associated with a specific project or shared across several projects. The app secrets aren't checked into source control.
Warning
The Secret Manager tool doesn't encrypt the stored secrets and shouldn't be treated as a trusted store. It's for development purposes only. The keys and values are stored in a JSON configuration file in the user profile directory.
On
Both answers previously given I think are wrong. Both 1) environment variables and 2) secret manager tool only work in DEVELOPMENT. Please read this:
The "only" secure option microsoft gives us is the Azure Key Vault. I'm afraid I always set this things on the appsettings.json because it seems to be the only affordable way. If someone knows a better way, please share with us all...Blessings
The best practice is to store your secrets in environment variables.
Windows:
Linux:
Then, to access it in your code you can use the System.Environment class. Specifically, the Environment.GetEnvironmentVariable method: