How can I store production secrets like connection string in ASP.Net Core 3.1 application, hosted on a shared server

Question

Maybe there is an answer to my question already but I was not able to find it after a long time searching.

My use case is the following: I have one ASP.Net Core 3.1 web application. It uses MSSQL database to store some information (just FYI I don't store any users' secrets, but still the information is valuable for me). It also uses an email client to send emails. I need to store the connection string for the database and also the credentials for the email client. So far I was storing them in the appsettings.json file until I realized that they are stored in plain text and if somebody access them he/she will have access to my database and my email client.

Now I am looking for a way to more securely store them. After reading questions in SO I came to understanding that the suggest way for storing such information is by using the Azure Key Vault. I can use it and I started updating my application to work with it (I read that I can access it outside Azure). But I came to realize that I need to store somewhere the Vault URL, ClientID and ClientSecret values.

How can I store them. In one of the tutorials they had them in the appsettings.json file but they said that this is not a good approach for a production, which is understandable. Suggested option was to store them in environment variables. But here comes my problem - I am hosting on a shared server and I can't add any environment variables. So usage of environment variables is not an option for me.

In my case, when I can't add any environment variables what would be the best approach to store any production secrets like the database connection string? Is the Azure Key Vault still a valid and a good option? Should I consider keeping them in the appsetting.json and encrypting that file? Or maybe there is another better approach?

It is only me who is developing the app plus I don't store it in any public GitHub repo or anything.

PS: Here is a link to a tutorial I was looking at: Using Azure Key Vault From A Non-Azure App

Thanks.

EDIT: Here is one tutorial which I find useful on how to Use Azure Key Vault With Certificate Outside of Azure

Answer 1

Two things:

1-You should store the secrets in Azure Key Vault. As you already noticed, it will provide an URL that will be used to retrieve the secret from Key Vault.

2-Only allowed services will be able to retrieve the secrets. What you need to do is create a manage identity to you web apps, then grant access to GET / LIST secrets from Key Vault to this Managed Identity.

here's a step by step:

https://docs.microsoft.com/en-us/azure/key-vault/general/tutorial-net-create-vault-azure-web-app

Answer 2

(Summarizing the discussion and resolution as Answer)

Storing secrets in Azure Keyvault is the recommended approach. However to get authorized access to KeyVault, you would need the credentials like ClientId and Secret or Certificate. So the question is where to store those secrets to access the KeyVault for the actual secrets! :). Now if you were in Azure host like for example Azure Web App or VM, I could straightaway recommend Managed Identity where you would not have to maintain the credentials in App, but since you mentioned it's a non-Azure host , I would suggest to go via Certificate authentication since Secret based auth would need you store the secret somewhere in config/environmental variable which is not a good idea. Also make sure that only your app has access to that certificate in the host.

As now you coordinated with your hosting vendor to configure certificate and things are working, I hope it helped. Thanks.