

Do you store your secrets securely?

Created on 28 Apr 2016 | Last updated by Tiago Araújo [SSW] on 01 Apr 2021 04:28 PM

Most systems have values that must be stored securely: OpenID shared secret keys, connection strings and API tokens, to name a few.

These secrets must not be stored in source control in plain text – it is insecure by nature, and basically means that it is sitting.

There are many options for managing secrets in a secure way:

Bad Practices

Store production passwords in source control protected with the ASP.NET IIS Registration Tool

Pros:
  • Minimal change to existing process – no need for DPAPI or a dedicated Release Management (RM) tool
  • Simple and easy to understand

Cons:
  • Need to manually give the app pool identity ability to read the default RSA key container
  • Difficult to manage production and non-production config settings
  • Developers can easily decrypt and access the production password
  • Manual transmission of the password from the key store to the encrypted config file

Figure: Bad practice - Overall rating: 2/10
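As an added check (example code, not from the rule), a small C# audit that opens a web.config or app.config and reports which of the sections that normally carry secrets are still in plain text and, for protected ones, which provider encrypted them. It also surfaces the key-container problem listed above: a section encrypted with the RSA provider fails to load when the account running the check has not been granted read access to the key container. The section list and the command-line argument are assumptions.

```csharp
// Added example (not from the SSW rule): report plain-text vs. protected sections
// in an ASP.NET config file. Works on .NET Framework; on .NET Core/.NET 5+ add the
// System.Configuration.ConfigurationManager package.
using System;
using System.Configuration;

static class ConfigSecretAudit
{
    // Sections that normally hold secrets and should not be plain text when deployed.
    // (Assumed list for the example; add your own custom sections as needed.)
    static readonly string[] SensitiveSections = { "connectionStrings", "appSettings" };

    public static int Main(string[] args)
    {
        if (args.Length != 1)
        {
            Console.Error.WriteLine("usage: ConfigSecretAudit <path-to-web.config>");
            return 2;
        }

        var map = new ExeConfigurationFileMap { ExeConfigFilename = args[0] };
        Configuration config = ConfigurationManager.OpenMappedExeConfiguration(map, ConfigurationUserLevel.None);

        int plainText = 0;
        foreach (string name in SensitiveSections)
        {
            try
            {
                ConfigurationSection section = config.GetSection(name);
                if (section == null) continue;          // section not present in this file

                SectionInformation info = section.SectionInformation;
                if (info.IsProtected)
                {
                    // e.g. RsaProtectedConfigurationProvider (aspnet_regiis default)
                    // or DataProtectionConfigurationProvider (DPAPI)
                    Console.WriteLine($"{name}: encrypted with {info.ProtectionProvider.Name}");
                }
                else
                {
                    Console.WriteLine($"{name}: PLAIN TEXT");
                    plainText++;
                }
            }
            catch (ConfigurationErrorsException ex)
            {
                // Typical cause: the section is RSA-protected but this account cannot
                // read the key container, i.e. the manual grant step was skipped.
                Console.WriteLine($"{name}: protected but not readable by this account ({ex.Message})");
            }
        }

        // Non-zero exit so a build or release step can fail when secrets are exposed.
        return plainText == 0 ? 0 : 1;
    }
}
```

Run it against the deployed config under the app pool identity to confirm both that the sections are encrypted and that the identity can actually read them; run it as a developer to see how little stands between a local account with key-container access and the production password.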

Use Windows Identity instead of username/password

Pros:
  • Minimal change to existing process – no need for DPAPI or a dedicated RM tool
  • Simple and easy to understand

Cons:
  • Difficult to manage production and non-production config settings
  • Not generally applicable to all secured resources
  • Can hit firewall snags with Kerberos and AD ports
  • Vulnerable to DoS attacks related to password lockout policies
  • Has key-person reliance on network admin

Figure: Bad practice - Overall rating: 4/10

Use External Configuration Files

Pros:
  • Simple to understand and implement

Cons:
  • Makes setting up projects the first time very hard
  • Easy to accidentally check the external config file into source control
  • Still need DPAPI to protect the external config file
  • No clear way to manage the DevOps process for external config files

Figure: Bad practice - Overall rating: 1/10

Good Practices

Use Octopus/VSTS RM secret management, with passwords sourced from KeePass

Pros:
  • Scalable and secure
  • General industry best practice – well suited to organizations of most sizes below large corporate

Cons:
  • Password reset process is still manual
  • DPAPI still needed

Figure: Good practice - Overall rating: 8/10

Use Enterprise Secret Management Tool – LastPass/HashiCorp Vault/etc.

Pros:
  • Enterprise grade – supports cryptographically strong passwords, auditing of secret access and dynamic secrets
  • Supports hierarchy of secrets
  • API for integrating with other tools
  • Password transmission can be done without a human in the chain

Cons:
  • More complex to install and administer
  • DPAPI still needed for config files at rest

Figure: Good practice - Overall rating: 8/10
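The "DPAPI still needed for config files at rest" point, as an added C# example that is not from the rule: a secret retrieved from the secret store (Vault, Octopus, KeePass) is protected with DPAPI before it is written to disk and only unprotected in memory at startup. The secret value and the entropy string are constructed for the example.

```csharp
// Added example (not from the SSW rule): protect a secret at rest with DPAPI.
// DataProtectionScope.LocalMachine lets the app pool identity on the same machine
// unprotect it; a copy of the file taken to another machine cannot be opened.
// Windows only; on .NET Core/.NET 5+ add the System.Security.Cryptography.ProtectedData package.
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

static class DpapiAtRest
{
    // Optional entropy is mixed into the DPAPI key, so another process on the same
    // machine also needs this value to unprotect the data. Constructed value for the example;
    // in practice keep it out of source control as well.
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("example-app-entropy-v1");

    public static string Protect(string secret)
    {
        byte[] cipher = ProtectedData.Protect(
            Encoding.UTF8.GetBytes(secret), Entropy, DataProtectionScope.LocalMachine);
        return Convert.ToBase64String(cipher);
    }

    public static string Unprotect(string protectedBase64)
    {
        byte[] plain = ProtectedData.Unprotect(
            Convert.FromBase64String(protectedBase64), Entropy, DataProtectionScope.LocalMachine);
        return Encoding.UTF8.GetString(plain);
    }

    public static void Main()
    {
        // Constructed value standing in for a connection string fetched from the secret store.
        string fromVault = "Server=sql01;Database=Shop;User Id=app;Password=REPLACE_ME;";

        // Release step: protect before writing to disk, so only the protected form is at rest.
        string protectedValue = Protect(fromVault);
        File.WriteAllText("connection.protected", protectedValue);

        // Application startup: read the file and unprotect in memory.
        string restored = Unprotect(File.ReadAllText("connection.protected"));
        Console.WriteLine(restored == fromVault ? "round-trip OK" : "round-trip FAILED");
    }
}
```

The ASP.NET built-in equivalent is the DataProtectionConfigurationProvider (`aspnet_regiis -pe ... -prov DataProtectionConfigurationProvider`), which applies the same machine-scoped DPAPI to a whole config section; the code above is for values your deployment tooling writes outside the standard config sections.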

Use Azure KeyVault

See the SSW Rewards mobile app repository for how SSW is using this in a production application.

Pros:
  • Best solution for cloud (Azure) solutions
  • Enterprise grade
  • Uses industry-standard encryption
  • Dynamically cycles secrets
  • Access granted based on Azure AD permissions - no need to 'securely' share passwords with colleagues
  • Can be used to inject secrets in your CI/CD pipelines for non-cloud solutions

Figure: Good practice - Overall rating: 9/10
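As an added example of the Azure Key Vault approach (example code, not the SSW Rewards app's code), an ASP.NET Core minimal API that loads its secrets from Key Vault at startup using the app's Azure AD identity, so nothing secret sits in appsettings.json or source control. The vault name, the secret names and the endpoints are assumptions.

```csharp
// Added example (not from the SSW rule or the SSW Rewards repository).
// Packages: Azure.Identity, Azure.Extensions.AspNetCore.Configuration.Secrets,
// Azure.Security.KeyVault.Secrets.
using System;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);

// Only the vault *name* lives in ordinary configuration; it is not a secret.
string vaultName = builder.Configuration["KeyVault:Name"]
    ?? throw new InvalidOperationException("KeyVault:Name is not configured");
var vaultUri = new Uri($"https://{vaultName}.vault.azure.net/");

// In Azure this resolves to the app's managed identity; on a developer machine it
// falls back to the Azure CLI / Visual Studio sign-in. Access is granted to that
// identity in Key Vault (Azure AD), not by sharing a password.
var credential = new DefaultAzureCredential();

// Every secret the identity can read becomes a configuration key. A secret named
// "ConnectionStrings--Shop" maps to "ConnectionStrings:Shop", so existing code that
// calls GetConnectionString("Shop") keeps working unchanged.
builder.Configuration.AddAzureKeyVault(vaultUri, credential);

// For secrets that rotate, read them on demand through a SecretClient instead of
// copying the value out once at startup.
builder.Services.AddSingleton(new SecretClient(vaultUri, credential));

var app = builder.Build();

// Health check that reports presence only; it never echoes a secret value.
app.MapGet("/health/secrets", (IConfiguration config) =>
    Results.Ok(new { shopConnectionString = config.GetConnectionString("Shop") is not null }));

// Example of an on-demand read: returns the secret's version id, not its value.
app.MapGet("/api/token-version", async (SecretClient client) =>
{
    KeyVaultSecret secret = await client.GetSecretAsync("ThirdPartyApiToken");
    // secret.Value would be used here to call the third party; it is not returned.
    return Results.Ok(new { version = secret.Properties.Version });
});

app.Run();
```

The identity needs Key Vault secret read permission (an access policy with Get/List, or the "Key Vault Secrets User" RBAC role). For the non-cloud case in the last pro above, the same vault can feed a release pipeline: Azure Pipelines' Azure Key Vault task reads secrets into pipeline variables at deployment time, so the value reaches the on-premises server without a person ever handling it.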

Adam Cogan
Mehmet Ozdemir
Brendan Richards
Andrew Lean
