I'm developing a web app using .NET Core MVC and while Secrets.json works fine for local development, I know it isn't suitable for production. Once I deploy my app on Azure, I'm wondering if I really need to invest in Azure Key Vault for storing sensitive information like OAuth2 client IDs and AES encryption keys, or if environment variables would be secure enough. I'm new to Azure, so I'm looking for guidance on best practices here!
5 Answers
I wouldn't recommend just relying on environment variables. While they are somewhat secure, Key Vault provides versioning, expiration, and better management for secrets, especially if you're working on multiple apps or microservices. Trust me, you'll regret not using it when you need to update secrets frequently!
Using environment variables alone is risky, especially for sensitive secrets. It's true, you could get away with it for a while, but Key Vault is definitely the better option for maintaining good security practices.
This isn't a dumb question at all! There are various places to store sensitive information, but they each have different security levels. You can store secrets in AppSettings, which can be encrypted, but using Key Vault is definitely cleaner and more secure in the long run.
To answer your question about costs—it's really minimal compared to the convenience and security it offers. You probably won't even notice it in your billing! Make sure to consider the long-term benefits over short-term savings.
Definitely go for Key Vault! It's super affordable, and you won't even notice the cost when you load your secrets once your app starts. Protecting your secrets is crucial, and Key Vault makes that easy without breaking the bank.
I get it, cutting costs seems tempting, but when it comes to security, it's worth investing in the right tools! We've had great experiences using Key Vault at work.