Do you store your secrets securely?
v4.0 Posted at 6/06/2017 3:40 AM by Tiago Araujo

Most systems will have variables that need to be stored securely; OpenId shared secret keys, connection strings, and API tokens to name a few.

These secrets must not be stored in source control in plain text – it is insecure by nature, and basically means that it is sitting.

There are many options for managing secrets in a secure way:

Bad Practices

Store production passwords in source control protected with the ASP.NET IIS Registration Tool

Pros:
  • Minimal change to existing process – no need for DPAPI or a dedicated Release Management (RM) tool.
  • Simple and easy to understand

Cons:
  • Need to manually give the app pool identity the ability to read the default RSA key container.
  • Difficult to manage production and non-production config settings
  • Developers can easily decrypt and access the production password.
  • Manual transmission of the password from the key store to the encrypted config file.

Figure: Bad practice - Overall rating: 2/10

Use Windows Identity instead of username/password

Pros:
  • Minimal change to existing process – no need for DPAPI or a dedicated RM tool.
  • Simple and easy to understand

Cons:
  • Difficult to manage production and non-production config settings
  • Not generally applicable to all secured resources.
  • Can hit firewall snags with Kerberos and AD ports
  • Vulnerable to DoS attacks related to password lockout policies
  • Has key-person reliance on the network admin

Figure: Bad practice - Overall rating: 4/10

Use External Configuration Files

Pros:
  • Simple to understand and implement

Cons:
  • Makes setting up projects the first time very hard.
  • Easy to accidentally check the external config file into source control.
  • Still need DPAPI to protect the external config file.
  • No clear way to manage the DevOps process for external config files.

Figure: Bad practice - Overall rating: 1/10

Good Practices

Use Octopus/VSTS RM secret management, with passwords sourced from KeePass

Pros:
  • Scalable and secure.
  • General industry best practice - great for organizations of most sizes below large corporate.

Cons:
  • Password reset process is still manual
  • DPAPI still needed.

Figure: Good practice - Overall rating: 8/10

Use an Enterprise Secret Management Tool – LastPass/HashiCorp Vault/etc.

Pros:
  • Enterprise grade – supports cryptographically strong passwords, auditing of secret access and dynamic secrets
  • Supports a hierarchy of secrets
  • API for integrating with other tools.
  • Password transmission can be done without a human in the chain.

Cons:
  • More complex to install and administer
  • DPAPI still needed for config files at rest

Figure: Good practice - Overall rating: 8/10
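Whichever option above is chosen, the baseline of this rule is that no plaintext secret reaches source control. The following is an added example, not part of the original rule: a pre-commit style check over ASP.NET config files that reports connection-string passwords and secret-looking appSettings entries unless the section has already been encrypted with aspnet_regiis (a configProtectionProvider attribute plus an EncryptedData child). The sample configs, key names and values are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET
# Credential carried inline in a connection string ("Password=..." / "Pwd=...").
CONN_SECRET_RE = re.compile(r"(?:password|pwd)\s*=\s*[^;]+", re.I)
# appSettings keys that usually hold a secret (OpenId secrets, API tokens, ...).
SECRET_KEY_RE = re.compile(r"password|pwd|secret|apikey|api_key|token", re.I)
ENCRYPTED_DATA = "{http://www.w3.org/2001/04/xmlenc#}EncryptedData"

def is_protected(section):
    """True when aspnet_regiis -pe replaced the section body with <EncryptedData>."""
    return (section.get("configProtectionProvider") is not None
            and section.find(ENCRYPTED_DATA) is not None)

def unprotected_adds(root, tag):
    """Yield the <add> entries of every <tag> section that is still plaintext."""
    for section in root.iter(tag):
        if not is_protected(section):
            yield from section.iter("add")

def find_plaintext_secrets(config_xml):
    """Return (section, name) for each secret stored unencrypted in the config."""
    root = ET.fromstring(config_xml)
    findings = []
    for add in unprotected_adds(root, "connectionStrings"):
        if CONN_SECRET_RE.search(add.get("connectionString", "")):
            findings.append(("connectionStrings", add.get("name", "?")))
    for add in unprotected_adds(root, "appSettings"):
        if SECRET_KEY_RE.search(add.get("key", "")) and add.get("value"):
            findings.append(("appSettings", add.get("key")))
    return findings

# Constructed sample: plaintext DB password and OpenId secret (must be reported).
PLAINTEXT_CONFIG = """<configuration>
  <connectionStrings>
    <add name="Northwind" connectionString="Server=db;User Id=app;Password=constructed-pw;" />
  </connectionStrings>
  <appSettings>
    <add key="OpenIdClientSecret" value="constructed-secret" />
    <add key="LogLevel" value="Info" />
  </appSettings>
</configuration>"""

# Constructed sample: section already encrypted by aspnet_regiis (must pass clean).
ENCRYPTED_CONFIG = """<configuration>
  <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#"><CipherData><CipherValue>PLACEHOLDER-CIPHERTEXT</CipherValue></CipherData></EncryptedData>
  </connectionStrings>
</configuration>"""
if __name__ == "__main__":
    print("plaintext:", find_plaintext_secrets(PLAINTEXT_CONFIG))
    print("encrypted:", find_plaintext_secrets(ENCRYPTED_CONFIG))
```

Running this as a pre-commit hook over every *.config in the changeset turns the "easy to accidentally check in" risk above into a blocked commit instead of an incident.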
