شيطان
❔ Storing connection strings securely in my C# .NET app
Hello,
I'm wondering about the most secure way to store connection strings in my application. Currently, I'm considering using Azure Key Vault for storage. As far as I understand, the SDK uses TLS for end-to-end encryption, and by not hard-coding the connection strings into the app, I am enhancing security. My plan is to grant access to an Azure App Registration Principal via Vault Policies and then authenticate the Azure App to my C# app using Certificate Authentication. I have implemented some code that successfully retrieves the secrets from the key vault, but I'm not entirely confident in my knowledge of this topic. Specifically, I am uncertain whether passing the retrieved key directly into my SQL query in C# is now considered "secure". I assume so, as the end-to-end communication is encrypted while being delivered, and I'm not storing this value in memory. I'm passing it straight into my SQL query using the "using" statement. Previously, I stored the keys in memory, which could be vulnerable to memory attacks, but I am assuming that, now that I'm doing it this way, it is secure? The SQL strings are using the "using" statement, so they should be disposed of when finished. I think perhaps I have achieved this?
The reason for cert auth is that the exe is run from a network share by multiple users and I need seamless authentication without bothering the users.
Furthermore, there are still a "clientid", a "tenantid" and a cert "thumbprint" that I need to store in the code. What I have done is store these in the project properties at user level as strings, but these are encrypted. When launched for the first time, the app will create a self-signed certificate and use it to encrypt these values. This is done per user, so each user uses their own self-signed cert to encrypt and decrypt these values, stored at user level, so at least nobody can just open the file and read it in plain text.
7 replies
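The flow described in the post (certificate-authenticated app registration, Key Vault lookup, `using`-scoped SQL connection), as an added example that is not the poster's code. The tenant, client, thumbprint and vault values are placeholders, the `CountRows` helper and `dbo.Orders` table are hypothetical, and the comments mark what `using` does and does not clean up.

```csharp
// Added example, not the poster's code. Assumes the Azure.Identity,
// Azure.Security.KeyVault.Secrets and Microsoft.Data.SqlClient NuGet packages.
using System;
using System.Security.Cryptography.X509Certificates;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
using Microsoft.Data.SqlClient;

static class VaultBackedSql
{
    // Placeholders (assumptions). These are identifiers, not secrets: the
    // credential is the certificate's private key, so protect that key.
    const string TenantId   = "<tenant-id>";
    const string ClientId   = "<client-id>";
    const string Thumbprint = "<cert-thumbprint>";
    static readonly Uri VaultUri = new Uri("https://<vault-name>.vault.azure.net/");

    static X509Certificate2 LoadClientCertificate()
    {
        using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        // validOnly: false so a self-signed certificate is not filtered out.
        var matches = store.Certificates.Find(
            X509FindType.FindByThumbprint, Thumbprint, validOnly: false);
        if (matches.Count == 0)
            throw new InvalidOperationException("Client certificate not found in CurrentUser\\My.");
        if (!matches[0].HasPrivateKey)
            throw new InvalidOperationException("Certificate has no private key.");
        return matches[0];
    }

    public static int CountRows(string secretName)
    {
        using var cert = LoadClientCertificate();
        var client = new SecretClient(
            VaultUri, new ClientCertificateCredential(TenantId, ClientId, cert));
        // The secret is an ordinary managed string and stays in process memory
        // until garbage-collected; `using` disposes the connection, not the string.
        string connectionString = client.GetSecret(secretName).Value.Value;
        // Force Persist Security Info off so conn.ConnectionString does not
        // return the password once the connection has been opened.
        var builder = new SqlConnectionStringBuilder(connectionString) { PersistSecurityInfo = false };
        using var conn = new SqlConnection(builder.ConnectionString);
        conn.Open();
        // Hypothetical table; the query text itself never contains the secret.
        using var cmd = new SqlCommand("SELECT COUNT(*) FROM dbo.Orders", conn);
        return Convert.ToInt32(cmd.ExecuteScalar());
    }
}
```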