I have a WinForms app that is storing the database connection string in the application's config file. Obviously, this is not a great way to do this. The application is running on an Azure VM and accessed via Virtual Desktop Remote App streaming. Although the users of the application do not have access to the server's file system, I would still like to secure the connection string in a better way. Would using Azure Key Vault be a good method? If so, how would I do that? If not, what other method(s) is/are suggested?

Lee

1 Answer

Thanks to @Peter Bons and @Anand Sowmithiran for leading in the right direction.

Yes, I agree with them: using Key Vault you can secure your connection string as a secret in Azure Key Vault. AFAIK using Key Vault is a good approach to secure secrets and add access for users.

Below are the steps to secure the connection string in Azure Key Vault.

  • Create an Azure Key Vault in the Azure portal, then in the left side blade under Objects select Secrets and click on Generate/import to create a new secret: Azure Key Vault >> Secrets >> + Generate/import.

  • As shown in the below image, enter the details: set Upload options to Manual and then provide a name and value for your secret. For example, you can name your secret winformconnectionstring and use your database connection string as the secret value. Click on Create.

  • You can also set an expiry date on your connection string if you need. In this way, using a Key Vault secret, you can secure your connection string.

  • Then, by using access policies in Azure Key Vault, you can provide access to particular users, such as who can read/write your secrets.

  • You can also grant your application access to the Key Vault by assigning a managed identity to the VM where your application is running. Follow the steps below for that:

  • In your created Azure Key Vault go to Access policies >> + Create >> Create an access policy >> Permissions. As shown in the below image, in Permissions configure as Secret Management, and then in Secret permissions you can choose which permissions your app/user wants to perform on the connection string key vault.

  • Then in Principal select the principal that you want to grant access to, in this case the managed identity of your VM. (For that you need to enable your system-assigned identity, copy that object and enter it here; as shown in the image, select your VM.)

  • Here you can also select users' email addresses to give access to particular users.

  • Under Access policies you can see the users/applications who can access your secrets.

You can also refer to these MS document and SO for the Azure Key Vault secret library for .NET. It may help.

vijaya
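The read side of the steps above, as an added example that is not part of the original answer: the WinForms app fetches the secret at startup through the VM's managed identity, so App.config holds only the non-secret vault URI. It assumes the `Azure.Identity` and `Azure.Security.KeyVault.Secrets` NuGet packages, the secret name `winformconnectionstring` from the answer, and a hypothetical `KeyVaultUri` app setting.

```csharp
using System;
using System.Configuration;
using Azure;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

public static class ConnectionStringProvider
{
    // Secret name used in the answer's example.
    private const string SecretName = "winformconnectionstring";

    // Fetched once per process and held in memory only; never written to disk or logs.
    private static readonly Lazy<string> Cached = new Lazy<string>(Fetch, true);

    // Call this wherever the app previously read the <connectionStrings> entry.
    public static string Get() => Cached.Value;

    private static string Fetch()
    {
        // Assumption: "KeyVaultUri" is a hypothetical appSettings key holding
        // the vault URI (not a secret), e.g. the vault's https://...vault.azure.net/ address.
        string vaultUri = ConfigurationManager.AppSettings["KeyVaultUri"];
        if (string.IsNullOrWhiteSpace(vaultUri))
            throw new InvalidOperationException("KeyVaultUri is not configured.");

        // On the Azure VM, DefaultAzureCredential resolves to the managed
        // identity, so no password or client secret ships with the app.
        var client = new SecretClient(new Uri(vaultUri), new DefaultAzureCredential());
        try
        {
            KeyVaultSecret secret = client.GetSecret(SecretName);
            return secret.Value;
        }
        catch (RequestFailedException ex) when (ex.Status == 403)
        {
            // The identity authenticated but the access policy lacks Get on secrets.
            throw new InvalidOperationException("Managed identity has no Get permission on secrets.", ex);
        }
        catch (RequestFailedException ex) when (ex.Status == 404)
        {
            throw new InvalidOperationException("Secret '" + SecretName + "' not found in the vault.", ex);
        }
        catch (AuthenticationFailedException ex)
        {
            // No usable credential, e.g. the system-assigned identity is not enabled on the VM.
            throw new InvalidOperationException("Could not authenticate to Key Vault.", ex);
        }
    }
}
```

For this read path the VM's identity needs only the Get secret permission, and the old connection string entry should be removed from the config file once the app reads from the vault.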