Protecting User Secrets in Core Using Secret Manager.

In ASP.NET Core, Microsoft recently introduced ‘user secrets’, which is an API that aims to keep sensitive data out of the project folder. This means that if any code in the project is checked into some code repository, there will be no sensitive data included with it because those secrets are kept outside the project and stored in a user’s profile subfolder. User secrets are only intended for development work and are not a trusted store because their content is unencrypted.

A lot of sensitive information ends up in the application configuration (appsettings) during development, such as database connection strings, S3 configurations, API keys and passwords, and developers sometimes check all of it into working repositories, which is wrong. None of this information should be part of appsettings or exposed publicly; it must be managed outside the project's source control.

For local development, User Secrets is the preferred way to store sensitive values. This tool manages storing configuration values outside the working directory of your project (in your user profile directory). This works well for local development, though it’s important to be aware that User Secrets doesn’t encrypt the secrets, it just moves them to a location you’re less likely to accidentally expose.

.NET Core has introduced the User Secrets manager tool, which we can use to store application variables outside the application folder.

Locations of user secrets:




How to set up user secrets with Secret Manager in a .NET Core project:

Create a .NET Core project; here I am creating an API solution.


In Visual Studio, right-click the project in Solution Explorer, and select Manage User Secrets from the context menu.


The Secret Manager tool operates on project-specific configuration settings stored in your user profile. To use user secrets, define a UserSecretsId element within a PropertyGroup of the .csproj file.

Once you click the Manage User Secrets option, the system creates a secrets.json file and adds a new configuration entry to the .csproj file: a <UserSecretsId> node with a unique GUID mapped to it.


The secrets.json file contains all the sensitive information the solution requires as key/value pairs. Make sure that none of this information also exists in the solution's appsettings.json file.


You can also verify that the system generates a folder named with the same GUID that is mapped in the <UserSecretsId> node of the .csproj file.
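An added example, not part of the original post: a Python check that follows the <UserSecretsId> from the .csproj to secrets.json and reports any secret key that still carries a value in appsettings*.json, or a secrets file that other local users can read. It assumes the Linux/macOS location ~/.microsoft/usersecrets/<id>/secrets.json and strict JSON without comments; the function names are hypothetical.

```python
import json
import os
import stat
import xml.etree.ElementTree as ET
from pathlib import Path


def secrets_path(csproj: Path, home: Path) -> Path:
    """Map the <UserSecretsId> in a .csproj to secrets.json (Linux/macOS layout)."""
    node = next(ET.parse(csproj).getroot().iter("UserSecretsId"), None)
    if node is None or not (node.text or "").strip():
        raise ValueError(f"{csproj} has no <UserSecretsId>")
    return home / ".microsoft" / "usersecrets" / node.text.strip() / "secrets.json"


def flatten(obj, prefix=""):
    """Flatten nested JSON into .NET configuration keys such as "Db:Password"."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from flatten(value, f"{prefix}:{key}" if prefix else key)
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            yield from flatten(value, f"{prefix}:{index}")
    else:
        yield prefix.lower(), obj  # configuration keys are case-insensitive


def load(path: Path):
    return json.loads(path.read_text(encoding="utf-8-sig"))  # tolerate a BOM


def audit(project_dir: Path, home: Path) -> list:
    """Return a list of findings; empty means nothing to fix."""
    findings = []
    path = secrets_path(next(project_dir.glob("*.csproj")), home)
    if project_dir.resolve() in path.resolve().parents:
        findings.append(f"{path} is inside the project folder")
    # secrets.json is plaintext, so only the owner should be able to read it.
    if os.name == "posix" and stat.S_IMODE(path.stat().st_mode) & 0o077:
        findings.append(f"{path} is readable by group/others")
    secret_keys = {key for key, _ in flatten(load(path))}
    for settings in sorted(project_dir.glob("appsettings*.json")):
        for key, value in flatten(load(settings)):
            if key in secret_keys and value not in ("", None):
                findings.append(f"{settings.name} still holds a value for '{key}'")
    return findings
```

Call audit(Path("path/to/project"), Path.home()) from a pre-commit hook or CI step and fail when the returned list is not empty.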


Add/Update Secrets:

Secrets can be added and updated using the “dotnet user-secrets” commands.


  • Update Secret Command:

  Syntax:   dotnet user-secrets set "Key" "Value"

Example: We have already configured some keys in user secrets and now need to update one with a new value. In our secrets file there is a key named “ApiKey” with the value “Swindon@123”. Let’s list all secrets to verify this.


Now we have to update the “ApiKey” value to “Test@123”. Run the command below, and then we can see the updated value.

dotnet user-secrets set "ApiKey" "Test@123"

How to consume secrets in a .NET Core solution:

In order to load our User Secrets, we need to make a few changes to the Startup.cs file. We need to:

  • Add User Secrets to the application builder
  • Read the value from our User Secrets file

Add User Secrets to the application builder in the Startup.cs file.

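public Startup(IConfiguration configuration, IHostingEnvironment env)
{
    Configuration = configuration;
    var builder = new ConfigurationBuilder()
        .SetBasePath(env.ContentRootPath)
        .AddJsonFile("appsettings.json",
                     optional: false,
                     reloadOnChange: true);

    // User secrets are a development-only store, so load them only in Development.
    if (env.IsDevelopment())
    {
        builder.AddUserSecrets<Startup>();
    }
    Configuration = builder.Build();
}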

Here we’ve added a string to hold our user secret and we’ve instructed the application builder to add the user secrets configuration to our application.

// This method gets called by the runtime. Use this method to add services to the container.
public void ConfigureServices(IServiceCollection services)
{
    // In Development this value is resolved from secrets.json.
    var apiKey = Configuration["ApiKey"];
}



The Secret Manager tool does not encrypt the stored secrets and should not be treated as a trusted store. It is for development purposes only. The keys and values are stored in a JSON configuration file in the user profile directory.

