User Secrets in ASP.NET Core

7 April 2017  |  2 min read

You don’t want your passwords and other secrets stored in your source code. Why? A password should not be coupled to a specific version of your application because when a password or other secret needs to be changed, the application must be redeployed. And if your version control system gets hacked, your secrets will leak.

ASP.NET Core has a solution to store secrets outside the repository during development. It’s called ‘user secrets’, and in this post I’m going to show what they are and how to use them.

Setting up

Create a new ASP.NET Core Web Application for Windows, Linux and macOS.

Install the following NuGet package:

Add the following code to the constructor of the Startup class.

Create a new class called AppSecrets. You can choose a different name if you like, but for this example I’ll use this name. This class contains all the properties you want to put in your user secrets. You can also use objects as properties.

Add the following line of code to the ConfigureServices method in the startup class.

Adding user secrets

Now we’re done setting things up so it’s time to add a user secret. User secrets are defined in a file called secrets.json which is stored in:
Windows: %APPDATA%\microsoft\UserSecrets\<UserSecretsId>\secrets.json
Linux: ~/.microsoft/usersecrets/<UserSecretsId>/secrets.json
Mac: ~/.microsoft/usersecrets/<UserSecretsId>/secrets.json

As you can see, the secrets.json file is not stored in your repository. The file is NOT encrypted, so user secrets should only be used for development purposes!

The easiest way to open and edit the user secrets in Visual Studio is by right-clicking your project and clicking ‘manage user secrets’. The UserSecretsId you see in the path is defined in the csproj file, or in project.json if you are using an older version of .NET Core. This id is unique to your app. Changing this id will generate a new, empty secrets.json file.

To add a user secret, open the secrets.json file and paste the following code into it.

Retrieving user secrets

Now that we have added a user secret, it’s time to retrieve it in our MVC Controller. The user secrets are retrieved the same way as the Configuration. For this example, I’m using the default HomeController.

Replace the default Index method in the HomeController with the following code:

Paste the following code somewhere in Views/Home/Index.cshtml.

Now you can see your user secret on the homepage of your app. Of course, normally we wouldn’t show secrets on our webpages, but this is just for demo purposes so you can see it’s working.
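The setup, binding and retrieval steps above wired together, as an added example that is not the original post's code. It assumes the ASP.NET Core 1.x Startup shape and a hypothetical secret key named MySecret; it also loads user secrets only in the Development environment, because secrets.json is unencrypted and exists only on the developer's machine.

```csharp
// Added example (not the post's code); ASP.NET Core 1.x Startup shape assumed.
// "MySecret" is a hypothetical key; constructed secrets.json: { "MySecret": "dev-only" }
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Options;

public class AppSecrets
{
    public string MySecret { get; set; }
}

public class Startup
{
    public IConfigurationRoot Configuration { get; }

    public Startup(IHostingEnvironment env)
    {
        var builder = new ConfigurationBuilder()
            .SetBasePath(env.ContentRootPath)
            .AddJsonFile("appsettings.json", optional: true);

        // secrets.json is unencrypted and exists only on a developer machine,
        // so load it in the Development environment only.
        if (env.IsDevelopment())
            builder.AddUserSecrets<Startup>();

        builder.AddEnvironmentVariables(); // lets deployed environments supply the same keys
        Configuration = builder.Build();
    }

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvc();
        services.Configure<AppSecrets>(Configuration); // binds key MySecret to AppSecrets.MySecret
    }

    public void Configure(IApplicationBuilder app) => app.UseMvcWithDefaultRoute();
}

public class HomeController : Controller
{
    private readonly AppSecrets _secrets;
    public HomeController(IOptions<AppSecrets> secrets) { _secrets = secrets.Value; }

    // Demo only, as in the post: pass the value to Views/Home/Index.cshtml.
    public IActionResult Index() { ViewData["MySecret"] = _secrets.MySecret; return View(); }
}
```

In the view, `@ViewData["MySecret"]` renders the value. Outside Development, the same key has to come from another provider such as an environment variable.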

Command prompt

The last part is about managing your user secrets from the command prompt. To do this, add the following line of XML to your csproj file inside an ItemGroup element.

Now you can open a command prompt window and navigate to your project folder. There are a couple of commands and I’m going to show some of them.

  • dotnet user-secrets --help
    Shows information about the user secrets command line tool.
  • dotnet user-secrets set SecondSecret Password
    Adds a new user secret with the key SecondSecret and value Password to your project.
  • dotnet user-secrets list
    Lists all user secrets in your project.
  • dotnet user-secrets remove SecondSecret
    Removes SecondSecret from your project.
  • dotnet user-secrets clear
    Clears all secrets from your project.