# Visual Studio Solution Secrets v2.0

As mentioned in my [previous post](https://devnotes.ernstc.net/visual-studio-solution-secrets) about the first release of Visual Studio Solution Secrets, good DevOps practice means that secrets (sensitive data such as passwords, connection strings, access keys, etc.) must not be stored in source code that is committed to a shared repository, and must not be deployed with the apps.

This tool works with the [User Secrets Manager](https://learn.microsoft.com/en-us/aspnet/core/security/app-secrets?view=aspnetcore-6.0&tabs=windows#secret-manager) to help you keep your secrets out of the solution folder and to synchronize them across all your development machines.

While the User Secrets Manager works at the project level, Visual Studio Solution Secrets works on solutions and manages secret synchronization for every project in the solution.

This new release adds more flexibility and control over secrets synchronization and opens a new scenario in which you can safely share and synchronize secrets within your development team.

**Visual Studio Solution Secrets** synchronizes secret settings through the cloud quickly and securely.

The idea is to use a **secure** repository in the cloud for storing secret settings so that when you change the development machine, you don't have to copy any files from the old one.

Just install the tool, configure it and pull the solutions secrets on your new machine and you are ready to code.

***It's fast!***

Visual Studio Solution Secrets supports two kinds of remote repositories:

* GitHub Gists
* Azure Key Vault

## GitHub Gists

A "gist" is a snippet of code that can be either public or secret. Visual Studio Solution Secrets uses only **secret** gists.

GitHub Gists is the default repository used by Visual Studio Solution Secrets for storing solution secrets. Secrets are collected, **encrypted** and pushed to your GitHub account in a **secret gist**, so that only you can see them. The encryption key is generated from a passphrase or a key file that you specify during the one-time initialization of the tool.

GitHub Gists is a good fit for personal use.

![Concept](https://raw.githubusercontent.com/ernstc/VisualStudioSolutionSecrets/main/media/github-flow.png)

## Azure Key Vault

Azure Key Vault is a cloud service for securely storing and accessing secrets. Secrets are encrypted at rest and can be accessed only by authorized accounts. No one else can read their contents.

Since the secrets are encrypted at rest and the connection to the key vault is protected (HTTPS with TLS 1.2 is enforced), Visual Studio Solution Secrets does not encrypt the secrets itself before sending them to the key vault, so no encryption key is needed on the local machine.

This opens a new scenario: sharing the secrets of a solution with the development team. You just need to grant the team read or read/write access to the Azure Key Vault secrets so that they can pull them.

Azure Key Vault fits better for enterprise use and **is the recommended way for sharing solution secrets within the team.**

You can read the Azure Key Vault documentation [here](https://learn.microsoft.com/en-us/azure/key-vault/general/overview).

![Concept](https://raw.githubusercontent.com/ernstc/VisualStudioSolutionSecrets/main/media/azurekv-flow.png)

# How to install

The tool is installed using the **dotnet** command line interface:

```shell
dotnet tool install --global vs-secrets
```

For upgrading to the latest version, use the command:

```shell
dotnet tool update --global vs-secrets
```

# Configure the encryption key and authorizations

If you use GitHub Gists as the secrets repository, after installing the tool you need to create the encryption key and then authorize the tool to use your GitHub Gists.

> The local encryption key is not necessary with Azure Key Vault.

Create the encryption key from a passphrase:

```shell
vs-secrets init -p <your-passphrase>
```

Otherwise, you can create the encryption key from a key file with the command below:

```shell
vs-secrets init --keyfile <file-path>
```

If the encryption key is compromised, you can change it:

```shell
vs-secrets change-key --passphrase <new-passphrase>
vs-secrets change-key --keyfile <file-path>
```

When you change the encryption key with one of the commands above, every secret already encrypted on GitHub Gists is re-encrypted with the new key, so the compromised key becomes useless.

# Repository configuration

As said, GitHub Gists is the default repository, but any solution can be configured to use a different repository for storing its secret settings.

> For example, you can set up your personal projects to use GitHub Gists and your work projects to use Azure Key Vault.

For configuring the solution to use GitHub Gists:

```shell
vs-secrets configure --repo github
```

For configuring the solution to use Azure Key Vault:

```shell
vs-secrets configure --repo azurekv --name <vault-name | vault-uri>
```

The `--name` option works only for Azure Key Vault repositories and accepts either the key vault URI (e.g. `https://my-keyvault.vault.azure.net`) or the resource name (e.g. `my-keyvault`). If you pass the resource name, it is expanded into the full URI (e.g. `my-keyvault` => `https://my-keyvault.vault.azure.net`).

For changing the default repository, use one of the commands below:

```shell
vs-secrets configure --default --repo github
vs-secrets configure --default --repo azurekv --name <vault-name | vault-uri>
```

Sometimes you need to check which repository is the default, or whether a solution has a custom repository configuration.

The `configure list` command serves this purpose.

```shell
vs-secrets configure list [<folder-path>] [--all]
```

# Push solution secrets

For pushing the secrets of the solution in the current folder:

```shell
vs-secrets push
```

For pushing the secrets of the solution in another folder:

```shell
vs-secrets push <solution-path>
```

For pushing the secrets of all the solutions in a folder tree:

```shell
vs-secrets push --all
vs-secrets push <path> --all
```

# Pull solution secrets

For pulling the secrets of the solution in the current folder:

```shell
vs-secrets pull
```

For pulling the secrets of the solution in another folder:

```shell
vs-secrets pull <solution-path>
```

For pulling the secrets of all the solutions in a folder tree:

```shell
vs-secrets pull --all
vs-secrets pull <path> --all
```

# Utility commands

## Search for solutions that use secrets

You can also use the tool just to search for solutions and projects that use secrets:

```shell
vs-secrets search [<solution-path>] [--all]
```

## Checking the status

With the `status` command you can check the status of the tool. The command below checks whether the encryption key has been defined and whether the tool has been authorized to access GitHub Gists:

```shell
vs-secrets status
```

If the current folder contains a solution, the `status` command also shows the synchronization status of the solution's secrets.

Optionally, you can check the synchronization status in another folder by specifying its path, or in an entire folder tree by adding the `--all` parameter. Here are some examples:

```shell
vs-secrets status --all
vs-secrets status c:\projects\my-project-folder
vs-secrets status c:\projects --all
```

## Clear secret settings from the local machine

If there are secrets that you need to clear locally, the `clear` command erases the solution secrets from the local machine. It is equivalent to applying the command `dotnet user-secrets clear` to each project in the solution.

```shell
vs-secrets clear
vs-secrets clear .\my-solution.sln
```

# Configuration files

Visual Studio Solution Secrets stores its configuration files in the machine's user profile folder.

| Platform | Path |
| --- | --- |
| Windows | `%APPDATA%\Visual Studio Solution Secrets` |
| macOS | `~/Library/Application Support/Visual Studio Solution Secrets` |
| Linux | `~/.config/Visual Studio Solution Secrets` |

The files generated by the tool are listed below.

| File | Description |
| --- | --- |
| cipher.json | Contains the encryption key |
| github.json | Contains the access token for managing the user's GitHub Gists |
| configuration.json | Contains the settings for the repository to use by default and for each solution configured with the command `configure` |
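Because `cipher.json` holds the encryption key and `github.json` holds the GitHub access token, it is worth verifying that no other local user can read them. The POSIX shell check below is an added example, not code from the vs-secrets project: it locates the configuration folder from the table above on macOS or Linux (Windows and `%APPDATA%` are not handled) and reports any of the three files that grant group or other permissions, assuming a GNU or BSD `ls`.

```shell
#!/bin/sh
# Added example, not part of Visual Studio Solution Secrets: locate the tool's
# per-user configuration folder (paths as documented for macOS and Linux) and
# flag cipher.json / github.json / configuration.json if other local users can
# read them. Windows (%APPDATA%) is not covered by this POSIX script.

# Print the configuration folder for the current platform.
vss_config_dir() {
    case "$(uname -s)" in
        Darwin) printf '%s\n' "$HOME/Library/Application Support/Visual Studio Solution Secrets" ;;
        *)      printf '%s\n' "$HOME/.config/Visual Studio Solution Secrets" ;;
    esac
}

# Return 0 if every file that exists under $1 is accessible by its owner only,
# 1 if any of them grants group or other permissions (those files are listed).
# Files that do not exist are skipped, so a machine without the tool passes.
vss_check_perms() {
    dir=$1
    rc=0
    for name in cipher.json github.json configuration.json; do
        f="$dir/$name"
        [ -f "$f" ] || continue
        # Columns 5-10 of "ls -l" are the group and other permission bits;
        # this works on both GNU and BSD/macOS userlands.
        go_bits=$(ls -ld "$f" | cut -c5-10)
        case "$go_bits" in
            ------) printf 'ok        %s\n' "$f" ;;
            *)      printf 'INSECURE  %s (group/other bits: %s)\n' "$f" "$go_bits"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Usage: check the live configuration folder and suggest the fix if needed.
vss_check_perms "$(vss_config_dir)" \
    || echo "Tighten with: chmod 600 \"$(vss_config_dir)\"/*.json"
```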

---

*Visual Studio Solution Secrets* is a free open source tool and its code is available on [GitHub](https://github.com/ernstc/VisualStudioSolutionSecrets).
