Secrets Management (Production Grade)
"A security framework is only as strong as its secrets."
To meet the 2026 Gold Standard, you must not store production keys in appsettings.json. Primus requires several high-entropy keys to function securely.
Required Production Secrets
| Secret Key | Description | Requirement |
|---|---|---|
| PrimusAuth:Security:TokenEncryptionKey | Used for AES-256 session encryption. | 32+ characters, High Entropy. |
| Jwt:Key | Signs internal JWT tokens. | 64+ characters recommended. |
| AzureAd:ClientSecret | Client secret for Microsoft Entra. | Managed by Azure. |
| Okta:ClientSecret | Client secret for Okta. | Managed by Okta. |
Recommended Approaches
1. Azure Key Vault
This is the most secure way to manage Primus secrets: the app authenticates to the vault with a Managed Identity and reads the secrets at startup, so no vault credential has to be stored alongside the application.
2. Environment Variables
Set secrets in your CI/CD pipeline and inject them as environment variables.
- Linux: `export PrimusAuth__Security__TokenEncryptionKey="your-secret"` (the double underscore `__` stands in for the `:` section separator, which is not valid in environment variable names)
- Docker: Use `-e` or `env_file`.
Startup Guard
The Primus Identity Broker includes a Startup Guard. If you attempt to start the application in a non-development environment with missing or weak keys (under 32 characters), the application will refuse to boot. This prevents accidental deployment of insecure configurations.
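The following script is an added example for the environment-variable approach and the Startup Guard above; it is not part of Primus. It generates keys that satisfy the table's length requirements, derives the environment-variable and Key Vault spellings of each configuration key, and runs the same "present and at least 32 characters" check the Startup Guard applies, so a weak key is caught on the build agent rather than at boot. Assumptions: POSIX sh with `openssl` or `/dev/urandom`; the `:` to `__` (environment) and `:` to `--` (Key Vault secret name) mappings are the default conventions of the .NET configuration providers; holding `Jwt:Key` to 64 characters is this script's choice, following the table's recommendation.

```shell
#!/bin/sh
# Added example, not Primus code: generate, name and pre-validate the
# production secrets listed above before they reach a container.
# Assumptions: POSIX sh; openssl or /dev/urandom available; the 32-character
# floor mirrors the Startup Guard; the ':' -> '__' (environment) and
# ':' -> '--' (Key Vault secret name) mappings are the .NET configuration
# providers' default conventions.

# Environment form of an ASP.NET configuration key: ':' is not valid in a
# variable name, so the .NET provider reads '__' as the section separator.
to_env_name() {
    printf '%s\n' "$1" | sed 's/:/__/g'
}

# Key Vault form: secret names cannot contain ':' either; the .NET Key Vault
# configuration provider maps '--' back to ':' when it loads the secret.
to_vault_name() {
    printf '%s\n' "$1" | sed 's/:/--/g'
}

# High-entropy key: N random bytes, base64-encoded (4*ceil(N/3) characters).
gen_key() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -base64 "$1" | tr -d '\n'
    else
        head -c "$1" /dev/urandom | base64 | tr -d '\n'
    fi
}

# Mirror the Startup Guard: a key must be present and at least $3 (default 32)
# characters long. Returns 0 when acceptable, 1 otherwise.
check_key() {
    name="$1"; value="$2"; min="${3:-32}"
    if [ -z "$value" ]; then
        echo "$name: missing" >&2
        return 1
    fi
    if [ "${#value}" -lt "$min" ]; then
        echo "$name: too short (${#value} < $min)" >&2
        return 1
    fi
    return 0
}

# Export fresh values for the two keys Primus owns; the Entra and Okta client
# secrets are issued by those providers and are not generated here.
generate_all() {
    PrimusAuth__Security__TokenEncryptionKey="$(gen_key 32)"   # 44 characters
    Jwt__Key="$(gen_key 48)"                                    # 64 characters
    export PrimusAuth__Security__TokenEncryptionKey Jwt__Key
}

# Pre-deploy check over the keys the table requires: reports every problem,
# then fails if any key was missing or short. Jwt:Key is held to the
# recommended 64 characters (this script's choice).
preflight() {
    rc=0
    check_key "$(to_env_name 'PrimusAuth:Security:TokenEncryptionKey')" \
        "${PrimusAuth__Security__TokenEncryptionKey:-}" 32 || rc=1
    check_key "$(to_env_name 'Jwt:Key')" "${Jwt__Key:-}" 64 || rc=1
    return $rc
}
```

Source the script on the build agent, run `generate_all && preflight`, and hand the exported variables to the container (for `docker run`, a bare `-e PrimusAuth__Security__TokenEncryptionKey` forwards the value from the agent's environment without putting it on the command line). `to_vault_name` gives the spelling to use when the same key is stored in Azure Key Vault instead.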
Review Log
- 2026-01-30: Upgraded to Platinum standard. Enforced 32-char minimum for encryption keys.