We've all done this at least once: during development, or for some demo, we store a secret key in our web.config and then commit it by mistake to a public repo (even to a private repo... not as bad, but still bad). This has gotten so bad that if you commit what looks like an Azure secret key to a public repo, you will eventually receive (a few minutes to a few hours after the commit) an email from Microsoft stating that your repo contains what looks like a secret key and that you should think about disabling it!

Enter the SecretManager

When developing a new web project using ASP.NET Core, you now have at your fingertips a SecretManager that stores on your machine those secret values that must NOT be committed.

The beauty of the SecretManager is that you won't need to change anything in your development code vs deployment code.

Setting it up

If it's not already present in your project, you will need to set it up, so here it goes:
  • At the root of project.json add a key "userSecretsId" with a unique value (GUID), like so: projectName-GUID
  • In project.json add a dependency on "Microsoft.Extensions.Configuration.UserSecrets": "1.0.0"
  • In project.json in the root node add "Microsoft.Extensions.SecretManager.Tools": "1.0.0-preview2-final" (current version as of 2016-10-06)
  • Run dotnet restore
Make sure that SecretManager is ready by running this command:
dotnet user-secrets -h
If you get an error message, it's probably because you are in the wrong folder (like I was). This command must be run in the project folder; otherwise you must specify the project's full path by adding --project "project\full\path"

Using the SecretManager

When using the SecretManager, we'll continue to access our secret keys just as if they were in the web.config. So this line of code is still valid:

var value = Configuration["Auth:Google:Id"];

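Make sure that in Startup.cs you have this block of code:
if (env.IsDevelopment())
    builder.AddUserSecrets(); // builder is assumed to be the ConfigurationBuilder created in the Startup constructor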
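
Added example, not part of the original post: a complete Startup.cs for ASP.NET Core 1.0 showing where that block sits among the configuration providers, so the same Configuration["Auth:Google:Id"] lookup works in development and in production. It assumes the default web template's configuration packages (JSON and environment-variable providers); the appsettings.json file name, the startup check for a missing key and its error text are illustrative additions.

```csharp
// Added example (not from the original post): minimal ASP.NET Core 1.0 Startup.cs.
using System;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Configuration;

public class Startup
{
    public IConfigurationRoot Configuration { get; }

    public Startup(IHostingEnvironment env)
    {
        // Providers are layered: a later provider overrides an earlier one for the same key.
        var builder = new ConfigurationBuilder()
            .SetBasePath(env.ContentRootPath)
            .AddJsonFile("appsettings.json", optional: true); // committed file: keep secrets out of it

        if (env.IsDevelopment())
        {
            // Reads the per-user secrets store selected by "userSecretsId" in project.json.
            builder.AddUserSecrets();
        }

        // Production values come from the environment (Azure application settings are
        // exposed to the app this way). Where ':' is not allowed in a variable name,
        // use Auth__Google__Id; the provider maps "__" to ':'.
        builder.AddEnvironmentVariables();

        Configuration = builder.Build();

        // Fail at startup, not at first login, if no provider supplied the secret.
        if (string.IsNullOrEmpty(Configuration["Auth:Google:Id"]))
        {
            throw new InvalidOperationException(
                "Auth:Google:Id is not configured (user secrets in development, environment in production).");
        }
    }

    public void Configure(IApplicationBuilder app)
    {
        // Placeholder pipeline so the class is a complete Startup; never echo the secret itself.
        app.Run(context => context.Response.WriteAsync("Configuration loaded."));
    }
}
```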

Storing values in SecretManager

Alright, so our SecretManager is set up and we can read from it (using the Configuration class as we are used to), but now how do we store values in the SecretManager?

dotnet user-secrets set Auth:Google:Id ValueOfId

Don't forget to run this command from the project folder or to specify the project's full path by using --project.


  • Currently (2016-10-06) the values stored in the SecretManager are not encrypted
  • You will still need to provide the production values for production (Azure application settings or some other form)

Good Coding