7 Storing secrets
This chapter covers
- Different kinds of encryption
- Securely storing configuration settings in ASP.NET Core
- Using the Secret Manager to store data in the local machine’s profile folder
- Using secure storage options on Azure, AWS, and Google Cloud
- Protecting application sessions using ASP.NET Core Data Protection
- Protecting data stored locally by a Blazor app
In 2020, it was discovered that software from the IT company SolarWinds contained a backdoor that was abused by attackers. Part of the attack was to download a malicious software update. The password for the FTP server containing those updates was “solarwinds123” (at least at some point in 2019). Famously, the CEO blamed it on “an intern”.
A security researcher found this password in a public GitHub repository belonging to the company (see https://www.theregister.com/2020/12/16/solarwinds_github_password/ for background information on the attack and the aftermath). We will discuss secure passwords in the next chapter, but this chapter focuses on better ways to store secrets such as passwords within an application.
There does not seem to be an obvious, simple solution for this task, as numerous examples prove: