3

I'm curious if there are any recommendations for storing some sensitive information in source code. To make myself clear from the beginning, i'm not talking about user passwords, credit card numbers, and so on; i'm talking about API access keys, client secrets and other such data that are not directly related to the users of the application but rather to the application authenticating itself to various components or third-party services (think also of the database connection string in web.config files).

What i'm looking for is a way to hide, if possible, plaintext occurrences of this sensitive information (which are most often character strings) preferably both in the source files (avoid somehow hardcoding them) and in the output binaries. For binaries i know there's the "solution" of obfuscation; for sources however, i can't think of a straightforward one. Ideally, the solution should be as source-control-friendly as possible, allowing authorized developers to simply checkout the code and build it without additional steps.

If you have any suggestions regarding this, i'd be more than willing to hear them.

Gabriel S.
  • 1,347
  • 11
  • 31
  • there is one, IMO: don't do it :) I am not sure I fully understood, but if your sensitive information ends up in the binaries and binaries are deployed to client machines, then it can be extracted. – Zdeslav Vojkovic Mar 20 '13 at 10:01
  • @ZdeslavVojkovic perhaps i should have mentioned, the particular scenario in my case only applies to server-side code, so it's a relatively (but not completely) secure environment. – Gabriel S. Mar 20 '13 at 10:13
  • ok, then it makes sense. however, I don't see why would you want to store it in the source code then? – Zdeslav Vojkovic Mar 20 '13 at 10:14
  • well if i can safely and easily store them somewhere else, i'll do it, this is actually part of my question, how can i avoid hardcoding them – Gabriel S. Mar 20 '13 at 10:20
  • 1
    I usually put this stuff into config files, sometimes into database. – Zdeslav Vojkovic Mar 20 '13 at 10:25

2 Answers2

1

You can Encrypt your keys & store in xml.

Application can decrypt it & use it.

Refer:

Encrypt/Decrypt string in .NET

Also, you can use Encoding which is at least better than having plain text.

Refer:

Encode and Decode

Community
  • 1
  • 1
Kapil Khandelwal
  • 15,958
  • 2
  • 45
  • 52
0

The solution I eventually chose was to move all the sensitive strings inside a web.config file (or app.config), then encrypt the sensitive sections of it. I then let the operating system and the ASP.NET runtime to handle encryption/decryption. Not perfect (after all you do need to have the original app/web.config file holding the plaintext data - but at least it doesn't have to be on the production machine), but quite convenient.

Gabriel S.
  • 1,347
  • 11
  • 31