By Rick Anderson, Kirk Larkin, Daniel Roth, and Scott Addie
View or download sample code (how to download)
This document explains how to manage sensitive data for an ASP.NET Core app on a development machine. Never store passwords or other sensitive data in source code. Production secrets shouldn't be used for development or test. Secrets shouldn't be deployed with the app. Instead, production secrets should be accessed through a controlled means like environment variables or Azure Key Vault. You can store and protect Azure test and production secrets with the Azure Key Vault configuration provider.
Environment variables
Environment variables are used to avoid storage of app secrets in code or in local configuration files. Environment variables override configuration values for all previously specified configuration sources.
Consider an ASP.NET Core web app in which Individual User Accounts security is enabled. A default database connection string is included in the project's appsettings.json file with the key DefaultConnection. The default connection string is for LocalDB, which runs in user mode and doesn't require a password. During app deployment, the DefaultConnection key value can be overridden with an environment variable's value. The environment variable may store the complete connection string with sensitive credentials.
Warning
Environment variables are generally stored in plain, unencrypted text. If the machine or process is compromised, environment variables can be accessed by untrusted parties. Additional measures to prevent disclosure of user secrets may be required.
The : separator doesn't work with environment variable hierarchical keys on all platforms. __, the double underscore, is:
- Supported by all platforms. For example, the : separator is not supported by Bash, but __ is.
- Automatically replaced by a :
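The override and the __ mapping described above, as an added example (not code from the original page). The key ConnectionStrings:DefaultConnection, the server name and all credential values are constructed assumptions, and an in-memory collection stands in for appsettings.json.

```csharp
using System;
using System.Collections.Generic;
using System.Data.Common;
using Microsoft.Extensions.Configuration;

public class Program
{
    // Assumed key layout: appsettings.json holds ConnectionStrings:DefaultConnection.
    private const string Key = "ConnectionStrings:DefaultConnection";

    public static void Main()
    {
        // Constructed stand-in for appsettings.json: LocalDB, no password.
        var appSettings = new Dictionary<string, string?>
        {
            [Key] = @"Server=(localdb)\mssqllocaldb;Database=app-db;Trusted_Connection=True"
        };

        // Constructed deployment value. In a real deployment the host sets this
        // variable; it is set in-process here only so the example runs offline.
        // The name uses "__" because ":" is not supported on every platform.
        Environment.SetEnvironmentVariable(
            "ConnectionStrings__DefaultConnection",
            "Server=db.example.test;Database=app-db;User Id=app_user;Password=constructed-secret");

        IConfiguration config = new ConfigurationBuilder()
            .AddInMemoryCollection(appSettings) // registered first: lowest precedence
            .AddEnvironmentVariables()          // registered last: overrides earlier sources
            .Build();

        // The provider rewrites "__" to ":", so the hierarchical key resolves to
        // the environment value instead of the LocalDB default.
        string effective = config[Key]
            ?? throw new InvalidOperationException($"{Key} is not set");

        Console.WriteLine(Redact(effective));
    }

    // Environment variables are plain text: keep the password out of console
    // and log output when reporting the effective configuration.
    public static string Redact(string connectionString)
    {
        var builder = new DbConnectionStringBuilder { ConnectionString = connectionString };
        foreach (var key in new[] { "Password", "Pwd" })
        {
            if (builder.ContainsKey(key))
            {
                builder[key] = "***";
            }
        }
        return builder.ConnectionString;
    }
}
```

The example needs the Microsoft.Extensions.Configuration and Microsoft.Extensions.Configuration.EnvironmentVariables packages.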
Secret Manager
The Secret Manager tool stores sensitive data during the development of an ASP.NET Core project. In this context, a piece of sensitive data is an app secret. App secrets are stored in a separate location from the project tree. The app secrets are associated with a specific project or shared across several projects. The app secrets aren't checked into source control.
Warning
The Secret Manager tool doesn't encrypt the stored secrets and shouldn't be treated as a trusted store. It's for development purposes only. The keys and values are stored in a JSON configuration file in the user profile directory.
How the Secret Manager tool works
The Secret Manager tool hides implementation details, such as where and how the values are stored. You can use the tool without knowing these implementation details. The values are stored in a JSON file in the local machine's user profile folder:
File system path (Windows):
%APPDATA%\Microsoft\UserSecrets\<user_secrets_id>\secrets.json
File system path (Linux/macOS):
~/.microsoft/usersecrets/<user_secrets_id>/secrets.json
In the preceding file paths, replace <user_secrets_id> with the UserSecretsId value specified in the project file.
Don't write code that depends on the location or format of data saved with the Secret Manager tool. These implementation details may change. For example, the secret values aren't encrypted, but could be in the future.
Enable secret storage
The Secret Manager tool operates on project-specific configuration settings stored in your user profile.
The Secret Manager tool includes an init command in .NET Core SDK 3.0.100 or later. To use user secrets, run the following command in the project directory:
The preceding command adds a UserSecretsId element within a PropertyGroup of the project file. By default, the inner text of UserSecretsId is a GUID. The inner text is arbitrary, but is unique to the project.
In Visual Studio, right-click the project in Solution Explorer, and select Manage User Secrets from the context menu. This gesture adds a UserSecretsId element, populated with a GUID, to the project file.
Set a secret
Define an app secret consisting of a key and its value. The secret is associated with the project's UserSecretsId value. For example, run the following command from the directory in which the project file exists:
In the preceding example, the colon denotes that Movies is an object literal with a ServiceApiKey property.
The Secret Manager tool can be used from other directories too. Use the --project option to supply the file system path at which the project file exists. For example:
JSON structure flattening in Visual Studio
Visual Studio's Manage User Secrets gesture opens a secrets.json file in the text editor. Replace the contents of secrets.json with the key-value pairs to be stored. For example:
The JSON structure is flattened after modifications via dotnet user-secrets remove or dotnet user-secrets set. For example, running dotnet user-secrets remove 'Movies:ConnectionString' collapses the Movies object literal. The modified file resembles the following JSON:
Set multiple secrets
A batch of secrets can be set by piping JSON to the set command. In the following example, the input.json file's contents are piped to the set command.
Open a command shell, and execute the following command:
Access a secret
To access a secret, complete the following steps:
Register the user secrets configuration source
The user secrets configuration provider registers the appropriate configuration source with the .NET Configuration API.
The user secrets configuration source is automatically added in Development mode when the project calls CreateDefaultBuilder. CreateDefaultBuilder calls AddUserSecrets when the EnvironmentName is Development:
When CreateDefaultBuilder isn't called, add the user secrets configuration source explicitly by calling AddUserSecrets in ConfigureAppConfiguration. Call AddUserSecrets only when the app runs in the Development environment, as shown in the following example:
Read the secret via the Configuration API
If the user secrets configuration source is registered, the .NET Configuration API can read the secrets. Constructor injection can be used to gain access to the .NET Configuration API. Consider the following examples of reading the Movies:ServiceApiKey key:
Startup class:
Razor Pages page model:
For more information, see Access configuration in Startup and Access configuration in Razor Pages.
Map secrets to a POCO
Mapping an entire object literal to a POCO (a simple .NET class with properties) is useful for aggregating related properties.
Assume the app's secrets.json file contains the following two secrets:
To map the preceding secrets to a POCO, use the .NET Configuration API's object graph binding feature. The following code binds to a custom MovieSettings POCO and accesses the ServiceApiKey property value:
The Movies:ConnectionString and Movies:ServiceApiKey secrets are mapped to the respective properties in MovieSettings:
String replacement with secrets
Storing passwords in plain text is insecure. For example, a database connection string stored in appsettings.json may include a password for the specified user:
A more secure approach is to store the password as a secret. For example:
Remove the Password key-value pair from the connection string in appsettings.json. For example:
The secret's value can be set on a SqlConnectionStringBuilder object's Password property to complete the connection string:
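The steps from "Register the user secrets configuration source" through "String replacement with secrets", combined in one added console example (not the page's own sample code). The key names ConnectionStrings:Movies and DbPassword, the DOTNET_ENVIRONMENT check and all values are assumptions, and an in-memory collection stands in for appsettings.json.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.Data.SqlClient;
using Microsoft.Extensions.Configuration;

public class MovieSettings
{
    public string? ConnectionString { get; set; }
    public string? ServiceApiKey { get; set; }
}

public class Program
{
    public static int Main()
    {
        // Assumption: the environment name is taken from DOTNET_ENVIRONMENT.
        bool isDevelopment = string.Equals(
            Environment.GetEnvironmentVariable("DOTNET_ENVIRONMENT"),
            "Development", StringComparison.OrdinalIgnoreCase);

        var builder = new ConfigurationBuilder()
            // Constructed stand-in for appsettings.json: the Password pair is removed.
            .AddInMemoryCollection(new Dictionary<string, string?>
            {
                ["ConnectionStrings:Movies"] =
                    @"Server=(localdb)\mssqllocaldb;Database=Movie-1;User Id=johndoe"
            });

        if (isDevelopment)
        {
            // Reads secrets.json for this assembly's UserSecretsId. optional: true
            // avoids an exception when no UserSecretsId has been configured yet.
            builder.AddUserSecrets<Program>(optional: true);
        }

        IConfiguration config = builder.Build();

        // Object graph binding: Movies:ConnectionString and Movies:ServiceApiKey
        // map onto the MovieSettings properties of the same name.
        MovieSettings movies =
            config.GetSection("Movies").Get<MovieSettings>() ?? new MovieSettings();

        // Fail closed: a missing secret is a configuration error, never a reason
        // to fall back to a value embedded in source code.
        string? password = config["DbPassword"];
        if (string.IsNullOrEmpty(password))
        {
            Console.Error.WriteLine("DbPassword is not configured; refusing to continue.");
            return 1;
        }

        // Complete the connection string in memory only.
        var sql = new SqlConnectionStringBuilder(config.GetConnectionString("Movies"))
        {
            Password = password
        };

        // Report what was loaded without printing any secret value.
        Console.WriteLine($"Data source: {sql.DataSource}");
        Console.WriteLine($"Password set: {sql.Password.Length > 0}");
        Console.WriteLine($"Service API key set: {!string.IsNullOrEmpty(movies.ServiceApiKey)}");
        return 0;
    }
}
```

The example needs the Microsoft.Extensions.Configuration.UserSecrets, Microsoft.Extensions.Configuration.Binder and Microsoft.Data.SqlClient packages.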
List the secrets
Assume the app's secrets.json file contains the following two secrets:
Run the following command from the directory in which the project file exists:
The following output appears:
In the preceding example, a colon in the key names denotes the object hierarchy within secrets.json.
Remove a single secret
Assume the app's secrets.json file contains the following two secrets:
Run the following command from the directory in which the project file exists:
The app's secrets.json file was modified to remove the key-value pair associated with the Movies:ConnectionString key:
Running dotnet user-secrets list displays the following message:
Remove all secrets
Assume the app's secrets.json file contains the following two secrets:
Run the following command from the directory in which the project file exists:
All user secrets for the app have been deleted from the secrets.json file:
Running dotnet user-secrets list displays the following message:
Additional resources
- See this issue for information on accessing user secrets from IIS.
By Rick Anderson, Daniel Roth, and Scott Addie
Enable secret storage
The Secret Manager tool operates on project-specific configuration settings stored in your user profile.
To use user secrets, define a UserSecretsId element within a PropertyGroup of the project file. The inner text of UserSecretsId is arbitrary, but is unique to the project. Developers typically generate a GUID for the UserSecretsId.
Tip
In Visual Studio, right-click the project in Solution Explorer, and select Manage User Secrets from the context menu. This gesture adds a UserSecretsId element, populated with a GUID, to the project file.
Access a secret
The Configuration API provides access to user secrets.
If your project targets .NET Framework, install the Microsoft.Extensions.Configuration.UserSecrets NuGet package.
In ASP.NET Core 2.0 or later, the user secrets configuration source is automatically added in development mode when the project calls CreateDefaultBuilder. CreateDefaultBuilder calls AddUserSecrets when the EnvironmentName is Development:
When CreateDefaultBuilder isn't called, add the user secrets configuration source explicitly by calling AddUserSecrets in the Startup constructor. Call AddUserSecrets only when the app runs in the Development environment, as shown in the following example:
User secrets can be retrieved via the .NET Configuration API:
With any new Macintosh book, I evaluate its worth on how quickly I can locate valuable information that I can use immediately. Macworld Mac Secrets, Fourth Edition, by David Pogue and Joseph Schorr, rewarded me with these morsels:
- I was helping a friend do diagnostic work on her Quadra 605 and PowerBook 140. I learned that the Quadra 605 is identical to the LC 475 and the Performa 475, including the 68LC040 chip, which gave me a useful frame of reference; and that the PowerBook 140 runs at 16 MHz on a 68030 chip, which helps explain the speed discrepancy from her Quadra.
- In the chapter on ClarisWorks word processing secrets, I learned several new features about the 'wonderfulness of ClarisWorks Click-and-Drop' and that 'amazing Font menu.' The Option key triggers all sorts of tricks in ClarisWorks' humble list of fonts!
The word 'secrets' is appropriate to about one third of the information in the book. The other two thirds consist of useful general knowledge about all aspects of the Macintosh, plus helpful tips and tricks to boost your Mac productivity and enjoyment.
Lots of Book for the Buck — Mac Secrets consists of three components: the massive book (1,208 pages), a respectably packed CD-ROM disk (550 MB), and a Web site for updates to the book and the bundled software. This edition is quite current, demonstrated by a reference to Mac OS 7.6's new installer, and, ironically, to rumors of Apple's potential liaison with Be, Inc.
The authors describe the fourth edition by stating that 'everything's different, nothing's changed.' The format and feel are consistent with earlier editions, but the look is cleaner and easier to read. On the CD, the custom folder icons from previous editions have been replaced by 'plain, boring, ordinary' folders, so they open rapidly.
Pogue and Schorr offer a diversified presentation, including conventional text and occasional entertaining back-and-forth dialogues, plus sidebars of secrets, true facts, case histories, and 'Answer Man' solutions. The book is peppered with bulleted bonuses, such as Speed Tips, Exclusives, On the CD, Strange but True, and Worth Learning. For example, one tip worth exploring is 'The Golden Troubleshooting Rule: A Clean Install,' which explains the benefits of installing all generations of Mac system software from scratch, instead of on top of an existing System.
Chapter 4 is an outstanding, mini-encyclopedia on control panels and extensions, including 'The Ultimate Extension-Linking Guide.' Troubleshooting your Mac is covered in an excellent 30-page chapter. An extensive glossary and index help readers locate and understand terms, concepts, and the secrets themselves.
More Than Just a Book — Is this a book or a software package? Pogue and Schorr understand that 'despite the countless hours your cheerful authors have spent researching and writing this book, you may well consider the software supplied with this book to be the main course.' They're not kidding: a total of 110 different shareware, freeware, and commercial programs and demos fill up the CD-ROM, and the book uses 58 pages to explain the software in detail.
A few fully functional titles include: CanOpener, Claris Emailer, DiskFit Direct, TechTool, TypeIt4Me, Remember?, Cyberdog, OpenDoc, and QuickTime. The CD is a veritable software library kept up to date via the book's Web site. (Discount coupons for upgrades and full versions of many commercial applications are also provided.)
On the CD, the software is conveniently listed by chapter, category, author, and a few more groupings, aliased to the Complete Software List. The entire text of the book is on the CD, in searchable Adobe Acrobat format.
Macworld Mac Secrets is extensive, but no doubt there are Mac secrets that didn't make it into the manuscript. The co-authors are conducting a 1997 contest for the 50 best undocumented Mac secrets, with one $500 top cash prize and 50 free books awarded (with credit to the winners).
Macworld Mac Secrets is a good value for the money that will receive plenty of use either as an addition to your library or as a gift. I give this book my highest recommendation, especially for intermediate-level Macintosh users.
Macworld Mac Secrets, 4th Edition, David Pogue and Joseph Schorr, ISBN 0-7645-4006-8. $44.95 U.S., $62.99 Canadian.
IDG Books Worldwide, Inc. — 800/762-2974 — 800-667-1115 (Canada) — <[email protected]> (international)