I have an Azure KeyVault providing a password which I'd like to read into a SecureString.

If I try to read the string as a SecureString from the IConfiguration object, it will return a null:

    config.GetValue<SecureString>("AdminPW") == null

I can read the string in as a string and convert to SecureString, but this seems like a dirty hack:

    var pass = new SecureString();
    foreach (var c in config.GetValue<string>("AdminPW").ToCharArray())
    {
        pass.AppendChar(c);
    }

Is there a way to get a SecureString directly from the IConfiguration?

user1259332
  • It is pointless, the string you got out of config.GetValue() already leaks the secret. SecureString got pointless a long time ago. Focus on physical security, a door with a lock and a solid recycling procedure to discard old hardware. – Hans Passant Nov 06 '19 at 10:04
  • Have a look at this question: https://stackoverflow.com/questions/818704/how-to-convert-securestring-to-system-string You need to use the InteropServices.Marshal class – jazza1000 Nov 06 '19 at 10:14

2 Answers

For anyone else checking this, it is not possible to directly get a SecureString out of an Azure KeyVault.

user1259332

As Hans said, it is not security.

If the assemblies you are using don't have native support for SecureString serialization, that's exactly where you, Key Vault as a service for secrets, need to pass them only an encrypted payload which, when you do decrypt it, is kept immediately in a SecureString (CryptoStream byte by byte to SecureString, followed by dispose to purge the buffers from memory).

So I do not suggest you get a SecureString out of an Azure KeyVault.

You could refer to this issue: "Azure KeyVault client should support SecureStrings".

Joey Cai
  • I'm aware that it's not secure, I'm just using it for a PSCredential object for authentication purposes. I'd just want to get it out of the KeyVault as a secure string to avoid the intermediate steps really. – user1259332 Nov 07 '19 at 10:24
  • You can't get keyvault as secure string. – Joey Cai Nov 08 '19 at 07:01
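
The approach the second answer describes (decrypt an encrypted payload through a CryptoStream straight into a SecureString, then dispose), as an added example that is not code from either poster. It assumes the payload is AES-CBC ciphertext of UTF-16LE text and that the caller supplies the key and IV; the class and method names are hypothetical.

```csharp
using System;
using System.IO;
using System.Security;
using System.Security.Cryptography;
using System.Text;

static class SecureStringDemo // hypothetical name, not part of any SDK
{
    // Decrypts an AES-CBC payload (assumed: UTF-16LE plaintext) and appends it to a
    // SecureString one char (two bytes) at a time, so no System.String is created.
    // CBC is unauthenticated: verify a MAC over the ciphertext before decrypting.
    public static SecureString DecryptToSecureString(byte[] cipherText, byte[] key, byte[] iv)
    {
        var result = new SecureString();
        var pair = new byte[2];
        try
        {
            using var aes = Aes.Create();
            using var decryptor = aes.CreateDecryptor(key, iv);
            using var crypto = new CryptoStream(new MemoryStream(cipherText), decryptor, CryptoStreamMode.Read);
            int got;
            while ((got = Fill(crypto, pair)) == 2)
                result.AppendChar((char)(pair[0] | (pair[1] << 8)));
            if (got != 0) throw new InvalidDataException("Plaintext is not whole UTF-16 code units.");
            result.MakeReadOnly();
            return result; // the using declarations dispose the CryptoStream on the way out
        }
        catch { result.Dispose(); throw; }
        finally { Array.Clear(pair, 0, pair.Length); } // wipe the last plaintext bytes
    }

    // Stream.Read may return fewer bytes than requested, so loop until full or end of stream.
    static int Fill(Stream s, byte[] buf)
    {
        int total = 0, n;
        while (total < buf.Length && (n = s.Read(buf, total, buf.Length - total)) > 0) total += n;
        return total;
    }

    static void Main()
    {
        // Constructed sample: in practice only the ciphertext reaches this process.
        using var aes = Aes.Create(); // random key and IV, CBC with PKCS7 padding by default
        byte[] plain = Encoding.Unicode.GetBytes("constructed-sample-password");
        byte[] cipher;
        using (var enc = aes.CreateEncryptor())
            cipher = enc.TransformFinalBlock(plain, 0, plain.Length);
        using SecureString pw = DecryptToSecureString(cipher, aes.Key, aes.IV);
        Console.WriteLine(pw.Length);
    }
}
```

The key, the IV and the SecureString's own contents still live in process memory, so this narrows the exposure window rather than removing it.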