Necessity is the mother of invention – that’s basically why I created a new open source project called Lockbox. Its main purpose is to provide centralized, secured storage for application settings that can be easily fetched via an HTTP request. Sounds interesting? Then let me guide you through the most important concepts of Lockbox.


Having nightmares about storing and deploying the sensitive configurations of your applications?

Before we begin, let’s define where the problem lies. Quite often we’re forced to deal with the following scenario: deploy the application to the production server and load the sensitive settings that should not be available anywhere outside this environment (e.g. in the code repository). There are different ways to achieve such a goal, starting from the most trivial ones like manually updating the application settings on the server, through more robust ones like storing encrypted files within the repository, and so on.
My idea is not new, as it’s heavily based on the very sophisticated project named Vault.
I’ve also realized that quite recently even Azure made available its own Key Vault storage.

Now, you may wonder why on earth I created my own project if there are at least two already available and they’re supported by huge companies.
Let me quickly answer – simplicity. I wanted to have a one-liner of code (literally) to load my application settings from some secured storage and not care about configuring anything else. And I think that I achieved this goal. So let’s move on to the more technical description.

Lockbox was built on top of the .NET Core framework using the C# language. It’s fully open source, cross-platform and is also available via Docker Hub.
Under the hood it uses MongoDB, and the Triple DES algorithm is used for encryption.

You can find much more detailed documentation in the repository itself, so I don’t want to follow one of the best programming patterns here (copy-paste). Just a quick remark about security – Lockbox does not store encryption keys, which means that even if the database were compromised, the attacker would not be able to decrypt the values.
The encryption keys are passed by the client via the custom HTTP header X-Encryption-Key.
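
The key-handling model described above, as an added C# example that is not Lockbox's own code: a hypothetical KeylessStore persists only salt, nonce, tag and ciphertext and receives the key with each call, the way a client would send it in X-Encryption-Key. It uses AES-GCM with a PBKDF2-derived key instead of the Triple DES that Lockbox uses, so that a wrong key or a modified record is detected; the class, record layout, sample values and the .NET 8 target are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Constructed sample values; the passphrase stands in for the X-Encryption-Key header.
var store = new KeylessStore();
store.Put("db:password", "s3cr3t-sample", headerKey: "client-held-passphrase");

// What a database dump would contain: salt, nonce, tag and ciphertext, but no key.
Console.WriteLine(Convert.ToHexString(store.Records["db:password"]));
Console.WriteLine(store.Get("db:password", "client-held-passphrase"));
try { store.Get("db:password", "wrong-passphrase"); }
catch (CryptographicException) { Console.WriteLine("wrong key rejected"); }

// Hypothetical store (not Lockbox's implementation): the key is never persisted.
sealed class KeylessStore
{
    private readonly Dictionary<string, byte[]> _records = new();
    public IReadOnlyDictionary<string, byte[]> Records => _records;
    // Derive a 256-bit AES key from the header value with a per-record salt.
    private static byte[] Derive(string headerKey, byte[] salt) =>
        Rfc2898DeriveBytes.Pbkdf2(headerKey, salt, 200_000, HashAlgorithmName.SHA256, 32);

    public void Put(string name, string value, string headerKey)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(16);
        byte[] nonce = RandomNumberGenerator.GetBytes(12);
        byte[] plain = Encoding.UTF8.GetBytes(value);
        byte[] cipher = new byte[plain.Length], tag = new byte[16];
        using var aes = new AesGcm(Derive(headerKey, salt), tag.Length);
        // The setting name is bound as associated data so records cannot be swapped.
        aes.Encrypt(nonce, plain, cipher, tag, Encoding.UTF8.GetBytes(name));
        // Record layout: salt(16) | nonce(12) | tag(16) | ciphertext
        _records[name] = salt.Concat(nonce).Concat(tag).Concat(cipher).ToArray();
    }

    public string Get(string name, string headerKey)
    {
        byte[] r = _records[name];
        byte[] salt = r[..16], nonce = r[16..28], tag = r[28..44], cipher = r[44..];
        byte[] plain = new byte[cipher.Length];
        using var aes = new AesGcm(Derive(headerKey, salt), tag.Length);
        // Throws CryptographicException when the key, name or stored bytes are wrong.
        aes.Decrypt(nonce, cipher, tag, plain, Encoding.UTF8.GetBytes(name));
        return Encoding.UTF8.GetString(plain);
    }
}
```

Because the key travels in a request header, the transport has to be TLS and the header must be kept out of access logs; otherwise the key ends up stored after all.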

I mentioned simplicity, so here it comes: the sample code which integrates Lockbox with a .NET Core application (e.g. MVC).

You might as well remove all of the optional parameters and use environment variables instead. Isn’t that as simple as loading a JSON file from your hard drive?

Because Lockbox is merely an HTTP API, you can access it from almost anywhere, for example by using cURL. Just take a look at the API documentation and download the local requests collection available via Postman.

I hope that you will enjoy using Lockbox and find it useful. Feel free to submit any pull requests, issues or simply contribute. I’ll try to do my best to keep this project up to date, but since I’m also working on the new version of the Warden as well as some other side projects, sometimes I just lack time, so any help will be more than welcome!

4 Comments Lockbox

  3. Peter

    Isn’t Triple DES considered broken or at least partly broken (due to meet-in-the-middle attack and chosen-plaintext or known-plaintext attacks)?
    Why would you pick it for new development?

