
Secure Secret Management

Learn how to securely manage secrets and credentials across different environments and platforms.

By EME. Published: February 20, 2025
Tags: security, secrets, key vault, credential management, encryption

A Simple Analogy

Imagine managing house keys for a large building. You don't want master keys lying around where anyone can find them. Instead, you use a secure lockbox with access controls—only authorized people can access specific keys, and there's a log of who took what and when.


What Is Secret Management?

Secret management is the practice of securely storing, accessing, and rotating sensitive credentials like passwords, API keys, encryption keys, and tokens. It ensures only authorized applications and people can access secrets, and tracks all access.


Why Secret Management Matters

  • Reduce exposure: Secrets stay out of source code, build artifacts, and logs
  • Centralized control: One place to manage, grant, and revoke all credentials
  • Access tracking: Audit which identity read which secret and when
  • Easier rotation: Change a secret in one place, without a code change (and, if the application reads secrets at runtime, without a redeploy)
  • Environment separation: Different secrets for dev, staging, and production, so a leaked dev credential opens nothing in production
  • Compliance: Meet security standards (SOC 2, ISO 27001, HIPAA)

Azure Key Vault (Microsoft)

Setup

// Packages: Azure.Extensions.AspNetCore.Configuration.Secrets and Azure.Identity
using Azure.Identity;

// DefaultAzureCredential resolves to the app's managed identity in Azure and to your developer
// login locally, so no vault credential is in code; each secret becomes a configuration key.
var keyVaultUrl = new Uri("https://mykeyvault.vault.azure.net/");
builder.Configuration.AddAzureKeyVault(
    keyVaultUrl,
    new DefaultAzureCredential());

Store and Retrieve Secrets

using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

var client = new SecretClient(
    vaultUri: new Uri("https://mykeyvault.vault.azure.net/"),
    credential: new DefaultAzureCredential());

// Retrieve: GetSecretAsync returns Response<KeyVaultSecret>; the outer .Value is the
// secret object, the inner .Value is the plaintext. Keep it out of logs and exceptions.
var secret = await client.GetSecretAsync("DatabasePassword");
var password = secret.Value.Value;

// Store (programmatically). Grant write access only to the identity that needs it
// (e.g. a rotation job holding "Key Vault Secrets Officer"); an application that only
// reads should hold "Key Vault Secrets User", so a compromised app cannot overwrite secrets.
await client.SetSecretAsync("ApiKey", "new-api-key-value");

AWS Secrets Manager (Amazon)

Retrieve Secrets

using Amazon.SecretsManager;
using Amazon.SecretsManager.Model;

// The client takes its credentials from the environment (the IAM role on EC2/ECS/Lambda,
// or a local profile); nothing credential-like belongs in this code.
var client = new AmazonSecretsManagerClient();

var request = new GetSecretValueRequest { SecretId = "prod/api-key" };
var response = await client.GetSecretValueAsync(request);

// SecretString is often a JSON document with several fields (username, password, host);
// binary secrets come back in response.SecretBinary instead.
var secret = response.SecretString;

Automatic Rotation

// Secrets Manager does not change the value by itself: on the configured schedule it
// invokes a rotation Lambda once per step (createSecret, setSecret, testSecret,
// finishSecret), with the same ClientRequestToken as the id of the new version.
// Stage the new value as AWSPENDING before touching the database, so AWSCURRENT
// stays valid if any later step fails. GenerateSecurePassword/UpdateDatabasePassword are your own helpers.
using Amazon.Lambda.Core;
using Amazon.SecretsManager;
using Amazon.SecretsManager.Model;

public record RotationEvent(string SecretId, string ClientRequestToken, string Step);

public async Task RotateSecret(RotationEvent evt, ILambdaContext context)
{
    var client = new AmazonSecretsManagerClient();
    switch (evt.Step)
    {
        case "createSecret":   // generate and stage, but do not activate yet
            await client.PutSecretValueAsync(new PutSecretValueRequest
            {
                SecretId = evt.SecretId, ClientRequestToken = evt.ClientRequestToken,
                SecretString = GenerateSecurePassword(32),
                VersionStages = new List<string> { "AWSPENDING" }
            });
            break;
        case "setSecret":      // apply the staged value to the database
            var pending = await client.GetSecretValueAsync(new GetSecretValueRequest
                { SecretId = evt.SecretId, VersionStage = "AWSPENDING" });
            await UpdateDatabasePassword(pending.SecretString);
            break;
        case "testSecret":     // open a real connection with the AWSPENDING value here
            break;
        case "finishSecret":   // promote: move AWSCURRENT to the new version (old one becomes AWSPREVIOUS)
            var desc = await client.DescribeSecretAsync(new DescribeSecretRequest { SecretId = evt.SecretId });
            var oldVersion = desc.VersionIdsToStages.First(v => v.Value.Contains("AWSCURRENT")).Key;
            await client.UpdateSecretVersionStageAsync(new UpdateSecretVersionStageRequest
            {
                SecretId = evt.SecretId, VersionStage = "AWSCURRENT",
                MoveToVersionId = evt.ClientRequestToken, RemoveFromVersionId = oldVersion
            });
            break;
    }
}
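The rotation sketch above calls a GenerateSecurePassword helper that the page never defines. The following is an added example of how I would write it, not code from the page or from AWS: it draws every character from the OS CSPRNG through RandomNumberGenerator.GetInt32 (uniform, no modulo bias), guarantees one character from each class so a database password policy never rejects the result, and deliberately uses a small symbol set because characters such as ; ' " \ & % are a classic cause of rotations that "succeed" and then break the connection string. The class and constant names are my own.

```csharp
using System;
using System.Security.Cryptography;

// Constructed usage; a rotation job would hand the result to the database and the vault.
Console.WriteLine(PasswordGenerator.GenerateSecurePassword(32));

public static class PasswordGenerator
{
    private const string Lower = "abcdefghijklmnopqrstuvwxyz";
    private const string Upper = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
    private const string Digits = "0123456789";
    // Deliberately small symbol set: excludes characters that break connection strings,
    // URLs and shell quoting (; ' " \ & % $), a common rotation failure mode.
    private const string Symbols = "!#*+-=?@^_~";

    public static string GenerateSecurePassword(int length)
    {
        if (length < 16)
            throw new ArgumentOutOfRangeException(nameof(length), "machine credentials should be at least 16 characters");

        string[] classes = { Lower, Upper, Digits, Symbols };
        string all = string.Concat(classes);
        var chars = new char[length];

        // One guaranteed character from each class, so a policy requiring all four never rejects the result.
        for (int i = 0; i < classes.Length; i++)
            chars[i] = Pick(classes[i]);
        for (int i = classes.Length; i < length; i++)
            chars[i] = Pick(all);

        Shuffle(chars);
        return new string(chars);
    }

    // RandomNumberGenerator.GetInt32 is uniform over [0, max) from the OS CSPRNG,
    // unlike System.Random (seeded, predictable) or "randomByte % length" (biased).
    private static char Pick(string alphabet) => alphabet[RandomNumberGenerator.GetInt32(alphabet.Length)];

    // Fisher-Yates with CSPRNG indices, so the class-guaranteed characters do not sit at fixed positions.
    private static void Shuffle(char[] a)
    {
        for (int i = a.Length - 1; i > 0; i--)
        {
            int j = RandomNumberGenerator.GetInt32(i + 1);
            (a[i], a[j]) = (a[j], a[i]);
        }
    }
}
```

Run it with `dotnet run` in a console project. If the target system has its own allowed-character list, change only the Symbols constant; the selection and shuffle logic does not care about the alphabet.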

HashiCorp Vault

Access Secrets

using VaultSharp;
using VaultSharp.V1.AuthMethods;
using VaultSharp.V1.AuthMethods.Token;

// Never embed the token: read it and the address from the environment variables the Vault
// CLI also uses. Use https for anything but a local dev server, and prefer AppRole or
// Kubernetes auth over long-lived tokens for services.
var vaultAddr = Environment.GetEnvironmentVariable("VAULT_ADDR") ?? "http://127.0.0.1:8200";
var vaultToken = Environment.GetEnvironmentVariable("VAULT_TOKEN")
    ?? throw new InvalidOperationException("VAULT_TOKEN is not set");

IAuthMethodInfo authMethod = new TokenAuthMethodInfo(vaultToken);
var vaultClientSettings = new VaultClientSettings(vaultAddr, authMethod);
IVaultClient vaultClient = new VaultClient(vaultClientSettings);

// KV v2: pass the path relative to the mount. VaultSharp inserts the "/data/" segment itself,
// so passing "secret/data/database" would read secret/data/secret/data/database and fail.
var secret = await vaultClient.V1.Secrets.KeyValue.V2
    .ReadSecretAsync(path: "database", mountPoint: "secret");

var password = secret.Data.Data["password"].ToString();

Local Development: User Secrets

For ASP.NET Core development, use User Secrets. They live in your user profile, outside the project tree, so they are never committed to git; they are stored in plaintext on disk, though, so treat them as development-only and never put production values in them:

# Initialize
dotnet user-secrets init

# Add secret
dotnet user-secrets set "DatabasePassword" "dev_password"

# List
dotnet user-secrets list

# Remove
dotnet user-secrets remove "DatabasePassword"

File location:

  • Windows: %APPDATA%\Microsoft\UserSecrets\<UserSecretsId>\secrets.json
  • Linux/Mac: ~/.microsoft/usersecrets/<UserSecretsId>/secrets.json

Best Practices

  • Use different secrets for each environment, so a leaked dev credential opens nothing in production
  • Rotate secrets on a schedule (quarterly, for example) and immediately after a suspected exposure or the departure of anyone who had access
  • Never log or print secrets; redact them from exception messages, request dumps, and crash reports as well
  • Grant access per application and per secret, following the least privilege principle (read-only for consumers, write only for the rotation job)
  • Enable audit logging for all secret access and review it
  • Keep secrets encrypted at rest (managed vaults do this by default; back the keys with an HSM where the risk warrants it)
  • Require multi-factor authentication for human access to the vault
  • Version and track secret changes, so a bad rotation can be rolled back
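"Secrets aren't exposed in logs" and "never log or print secrets" are easy to state and hard to guarantee, because a connection string or a request header ends up in a log line somewhere. As an added example (my own code, not from the page), here is a small redaction pass you can put in front of a log sink, run over a few constructed sample lines; the key names, the Bearer rule, and the AWS access-key-ID pattern (AKIA/ASIA plus 16 characters) are the assumptions it encodes, and the sample credentials are made up (the AKIA value is AWS's documentation example).

```csharp
using System;
using System.Text.RegularExpressions;

// Constructed sample log lines (no real credentials) to show what the redactor catches.
string[] samples =
{
    "Connecting: Server=db.internal;User Id=app;Password=Hunter2!;Encrypt=true",
    "HTTP GET /v1/orders Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.abc123",
    "request body: {\"api_key\": \"sk-live-abc123def\", \"customer\": \"acme\"}",
    "aws creds loaded: AKIAIOSFODNN7EXAMPLE (secret_key=wJalrXUtnFEMI/K7MDENG)",
};

foreach (var line in samples)
    Console.WriteLine(SecretRedactor.Redact(line));

public static class SecretRedactor
{
    public const string Mask = "[REDACTED]";

    // key=value / key: value / "key": "value" where the key names a credential.
    // The value runs until a separator (whitespace ; , & ) or a quote), so the rest
    // of a connection string or JSON object survives intact.
    private static readonly Regex KeyValue = new(
        @"(?i)\b(password|passwd|pwd|secret|token|api[_-]?key|access[_-]?key|secret[_-]?key)\b([""']?\s*[=:]\s*[""']?)([^\s;,&""')]+)",
        RegexOptions.Compiled);

    // Bearer tokens have no key name; the scheme word is the marker.
    private static readonly Regex Bearer = new(
        @"(?i)\b(Bearer\s+)[A-Za-z0-9\-._~+/]+=*", RegexOptions.Compiled);

    // AWS access key IDs carry a fixed prefix and can be recognised anywhere in a line;
    // the matching secret key has no such marker and relies on the key=value rule above.
    private static readonly Regex AwsAccessKeyId = new(
        @"\b(AKIA|ASIA)[0-9A-Z]{16}\b", RegexOptions.Compiled);

    public static string Redact(string line)
    {
        line = KeyValue.Replace(line, m => m.Groups[1].Value + m.Groups[2].Value + Mask);
        line = Bearer.Replace(line, m => m.Groups[1].Value + Mask);
        line = AwsAccessKeyId.Replace(line, Mask);
        return line;
    }
}
```

Expected behaviour on the samples: the Password= value, the Bearer token, the JSON api_key value, the AKIA key ID, and the secret_key value are each replaced by [REDACTED] while User Id, the URL, and the customer field are untouched. Redaction is a safety net, not the control: the primary fix is to keep the plaintext out of the objects that get logged (never put a KeyVaultSecret or a full connection string into a log message or an exception), and to treat anything that does hit the logs as leaked and rotate it.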

Real-World Scenario

Development:
  Use User Secrets or local .env

Staging:
  Same vault product as production (Azure Key Vault, AWS Secrets Manager, or HashiCorp Vault), but a separate vault instance with its own secrets
  
Production:
  Highly restricted access
  Automatic rotation enabled
  Audit logging for compliance
  HSM (Hardware Security Module) for encryption keys
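The development/production split above is cheap to enforce in code. As an added example (mine, not from the page), this ASP.NET Core Program.cs relies on the fact that WebApplication.CreateBuilder loads User Secrets automatically in the Development environment when the project has a UserSecretsId, adds Azure Key Vault in every other environment, and fails at startup, rather than at the first database call, if a required secret is missing. The configuration key KeyVault:Uri, the RequireSecret helper, and its placeholder-rejection rule (minimum length, no "dev_" prefix) are my own assumptions; the frameworks provide nothing of the sort, so adapt the rule to your own naming conventions.

```csharp
using System;
using Azure.Identity;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Hosting;

var builder = WebApplication.CreateBuilder(args);

// Development: CreateBuilder has already added User Secrets (plaintext on the dev box).
// Staging/Production: pull secrets from Key Vault. The vault URL is not itself a secret
// and can live in appsettings.Staging.json / appsettings.Production.json (assumed key name).
if (!builder.Environment.IsDevelopment())
{
    var vaultUri = builder.Configuration["KeyVault:Uri"]
        ?? throw new InvalidOperationException("KeyVault:Uri is not configured for " + builder.Environment.EnvironmentName);
    builder.Configuration.AddAzureKeyVault(new Uri(vaultUri), new DefaultAzureCredential());
}

var app = builder.Build();

// Fail fast: a missing or placeholder secret stops the process before it serves traffic.
var dbPassword = RequireSecret(app.Configuration, "DatabasePassword", app.Environment);

app.MapGet("/health", () => "ok");
app.Run();

static string RequireSecret(IConfiguration config, string name, IHostEnvironment env)
{
    var value = config[name];
    if (string.IsNullOrWhiteSpace(value))
        throw new InvalidOperationException($"Required secret '{name}' is missing in {env.EnvironmentName}");

    // Illustrative policy, not a framework feature: outside Development refuse anything that
    // looks like a dev placeholder, so "dev_password" can never reach staging or production.
    bool looksLikePlaceholder = value.Length < 16 || value.StartsWith("dev_", StringComparison.OrdinalIgnoreCase);
    if (!env.IsDevelopment() && looksLikePlaceholder)
        throw new InvalidOperationException($"Secret '{name}' looks like a development placeholder; refusing to start in {env.EnvironmentName}");

    return value;
}
```

Note that the exception messages name the secret but never include its value; a startup failure is logged, and the log must not become the leak. The same shape works with AWS Secrets Manager or Vault: swap the AddAzureKeyVault call for the provider you use and keep the RequireSecret check.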

Related Concepts to Explore

  • Encryption at rest and in transit
  • Key rotation policies
  • Hardware Security Modules (HSM)
  • OAuth and OpenID Connect
  • Multi-factor authentication
  • Identity and Access Management (IAM)
  • Audit logging and compliance
  • Zero-trust security model

Summary

Secret management is foundational to application security. Use User Secrets locally, graduate to Azure Key Vault, AWS Secrets Manager, or HashiCorp Vault in production, and never hardcode credentials. With centralized, audited secret management, you protect both your application and your users' data.