dotnet code management strategies of key separation


Internet every once in a while a program ape burst [in code hosting platform configuration upload confidential company information, resulting in the company’s core data is acquired or modified by hackers], crop of another crop scapegoat Xia endless. Self-Rescue

Software engineering theory given early classical principles in bold: Never store production passwords or other sensitive data in source code

According to this principle, some of us sensitive information .Net development career in several separate programs.


Conventional thinking is the way [external file hosting sensitive information], .gitingore ignores the file, when you deploy a pre-copy the file to the deployment directory.

.Net Framework

May tryappSettingsConfiguration section to enable file attribute, file attributes can reference an external configuration file, with the original appSetttings new set of the same name, or the ability to rewrite the theory Portal

    "FtpUserId" value="test_userid" />
    "FtpPwd" value="test-pwd">

"1.0" encoding="utf-8" ?>

    "FtpUrl" value="" />
    "FtpUserId" value="RateGain_M&C" />
    "FtpPwd" value="[email protected]" />
    "RemotePath" value="/M&C/" />       


Similarly Similarly, to specify the loadappsetting.secrets.jsonfile
var hostBuilder = WebHost.CreateDefaultBuilder(args)
    .ConfigureAppConfiguration((context, builder) =>
       builder.AddJsonFile($"appsettings.secrets.json", optional: true);
      if (context.HostingEnvironment.IsDevelopment())

According to this thinking, sensitive information may be referred to other hosting components, .NetCore developers as well as the other three practices:

– for Dev’s Secrets manager tool Managed

ASP.NETCore save the key in the development environment under way, the general idea is to use an anonymous GUID reference of the same name in the System folder under the storage configuration Json.

– for Azure Azure Key Vault cloud hosting

– For General Deploy hosting environment variables

The following separation of sensitive information on the environment variables the way for further instructions.

Managed Environment Variables

Environmental variables can be introduced / injected into the created process, it can be isolated as a sensitive information, ideas, environment variables from three levels: the system, the user process.

Describes several ways to modify environment variables:

①Windows-CMD command line: setx command, pay attention to the way the environment variable settings required on the new CMD interface to verify the effect.

② system control panel – My Computer – Properties – Advanced Settings – Environment Variables

These two forms are introduced into the system environment variables when ASP.NET Core process starts,

③ inject environment variables when Visual Studio launchsettings.json setting process starts

  "iisSettings": {
    "windowsAuthentication": false,
    "anonymousAuthentication": true,
    "iisExpress": {
      "applicationUrl": "http://localhost:11761/",
      "sslPort": 0
  "profiles": {
    "IIS Express": {
      "commandName": "IISExpress",
      "launchBrowser": true,
      "environmentVariables": {
        "ASPNETCORE_ENVIRONMENT": "Development"
    "JumpServer": {
      "commandName": "Project",
      "launchBrowser": true,
      "applicationUrl": "http://localhost:5020",
      "environmentVariables": {
        "ASPNETCORE_ENVIRONMENT": "production" ,
        "ASPNETCORE_URLS": "http://localhost:5020"


④ inject environment variables when setting process starts VScode launchsettings.json

    "version": "0.2.0",
    "configurations": [
            "name": ".NET Core Launch (web)",
            "type": "coreclr",
            "request": "launch",
            "preLaunchTask": "build",
            "program": "${workspaceRoot}/bin/Debug/netcoreapp1.0/TestApp.dll",
            "args": [],
            "cwd": "${workspaceRoot}",
            "stopAtEntry": false,
            "launchBrowser": {
                "enabled": true,
                "args": "${auto-detect-url}",
                "windows": {
                    "command": "cmd.exe",
                    "args": "/C start ${auto-detect-url}"
                "osx": {
                    "command": "open"
                "linux": {
                    "command": "xdg-open"
            "env": {
                "ASPNETCORE_ENVIRONMENT": "Development"
            "sourceFileMap": {
                "/Views": "${workspaceRoot}/Views"


⑤ when the process started by the command-line parameter injection, strictly speaking this way does not belong environment variable way, is a parameter configuration.

 public static IWebHost BuildWebHost(string[] args)
            var webHostBuilder = WebHost.CreateDefaultBuilder(args)
               .ConfigureAppConfiguration((hostingContext, configBuilder) =>

{ // Enable command line parameter configuration

if (hostingContext.HostingEnvironment.IsDevelopment()) configBuilder.AddUserSecrets(true); }) .ConfigureLogging((hostingContext, logging) => { logging.AddAzureWebAppDiagnostics(); }) .UseStartup(); return webHostBuilder.Build(); }
dotnet run --environment "development"


⑥ If you use IIS hosted AspNetCore, you can add / rewrite environment variables in the IIS configuration editor


In practice .NetCore production deployment, the more common way is to use a separate appsettings.secrets.json or environment variables to sensitive information separation.

Master these, .Net program ape will not be uploaded because confidential information and git back in the pot.

~~~~~~~~~ more ways, welcome to add comments. ~ ~ ~ ~

Leave a Reply