SecretPropertys 2.0.0
SecretPropertys
A .NET source generator for obfuscating strings in compiled applications.
⚠️ Important: What This Is and Isn't
This is obfuscation, NOT encryption or security.
- ✅ Makes it harder for casual users to find strings with basic tools
- ✅ Hides API keys from simple grep/strings commands
This tool is for: Developers who want basic string obfuscation in desktop/mobile apps to deter casual inspection. Think license keys, non-critical API keys, or configuration that you just don't want visible in plain text.
🚀 Installation
dotnet add package SecretPropertys
📋 How to Use
1. Mark Properties
Add the partial keyword to your class and mark properties with [BuildSecret]:
using SecretPropertys.Attributes;

public partial class Configuration
{
    [BuildSecret("ApiKeySecret")]
    public static string ApiKey { get; private set; }

    [BuildSecret("DatabasePassword")]
    public static string DatabasePassword { get; private set; }
}
2. Provide Values at Build Time
Option A: In your .csproj file
<PropertyGroup>
  <ApiKeySecret>your-api-key-here</ApiKeySecret>
  <DatabasePassword>your-password-here</DatabasePassword>
</PropertyGroup>
<ItemGroup>
  <CompilerVisibleProperty Include="ApiKeySecret" />
  <CompilerVisibleProperty Include="DatabasePassword" />
</ItemGroup>
Option B: Via command line
dotnet build /p:ApiKeySecret=your-api-key /p:DatabasePassword=your-password
3. Use Your Obfuscated Strings
// Values are automatically available at runtime
var client = new ApiClient(Configuration.ApiKey);
🔍 What Actually Happens
- At build time, the source generator takes your strings
- It generates lookup tables that obfuscate the strings
- The obfuscated data is compiled into your assembly
- At runtime, the generated code de-obfuscates the strings
The strings are not in plain text in your binary, but anyone with a debugger can still extract them at runtime.
⚙️ CI/CD Integration
GitHub Actions:
- name: Build with secrets
  run: dotnet build /p:ApiKeySecret=${{ secrets.API_KEY }}
GitLab CI:
build:
  script:
    - dotnet build /p:ApiKeySecret=$API_KEY
Jenkins:
sh "dotnet build /p:ApiKeySecret=${env.API_KEY}"
🛡️ What About Security?
This Tool Does NOT Protect Against:
- Debuggers - Anyone can attach a debugger and read the strings from memory
- Memory dumps - Strings are in memory when your app runs
- Determined attackers - If someone really wants your secrets, they'll get them
- Static analysis tools - Advanced tools can still find the patterns
📝 Best Practices
✅ DO:
- Use environment variables in production when possible
- Keep build-time secrets secure in your CI/CD system
- Add your secrets to .gitignore if storing in files
- Understand this is obfuscation, not encryption
- Use proper secret management for anything truly sensitive
❌ DON'T:
- Commit plain-text secrets to source control
- Rely on this for security-critical secrets
- Think this makes your secrets "encrypted" or "secure"
- Use this for passwords protecting sensitive data
- Skip proper security practices just because strings are obfuscated
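An added example, not part of the package or its README: a pre-commit or CI check that flags a project file giving a literal value to any property named in a [BuildSecret] attribute, which is how Option A ends up committing plain-text secrets. The sample inputs are constructed and the function names are hypothetical. It assumes a value that is a single $(NAME) reference, which MSBuild resolves from another property or an environment variable, is acceptable.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs, modelled on the snippets in this README.
SAMPLE_CS = '''
public partial class Configuration
{
    [BuildSecret("ApiKeySecret")]
    public static string ApiKey { get; private set; }
    [BuildSecret("DatabasePassword")]
    public static string DatabasePassword { get; private set; }
}
'''
SAMPLE_CSPROJ = '''<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <ApiKeySecret>your-api-key-here</ApiKeySecret>
    <DatabasePassword>$(DB_PASSWORD)</DatabasePassword>
  </PropertyGroup>
  <ItemGroup>
    <CompilerVisibleProperty Include="ApiKeySecret" />
    <CompilerVisibleProperty Include="DatabasePassword" />
  </ItemGroup>
</Project>'''

BUILD_SECRET = re.compile(r'\[\s*BuildSecret\s*\(\s*"([^"]+)"\s*\)\s*\]')
PROPERTY_REF = re.compile(r"\$\([^()]+\)")  # a lone reference, e.g. $(DB_PASSWORD)


def build_secret_names(cs_source):
    """MSBuild property names referenced by [BuildSecret("...")] attributes."""
    return set(BUILD_SECRET.findall(cs_source))


def literal_secrets(csproj_text, names):
    """Names from `names` that the project file sets to a literal value."""
    flagged = set()
    for el in ET.fromstring(csproj_text).iter():
        name = el.tag.rsplit("}", 1)[-1]  # drop an XML namespace, if any
        value = (el.text or "").strip()
        # Empty values and pure $(...) references are not literals.
        if name in names and value and not PROPERTY_REF.fullmatch(value):
            flagged.add(name)
    return sorted(flagged)


if __name__ == "__main__":
    found = literal_secrets(SAMPLE_CSPROJ, build_secret_names(SAMPLE_CS))
    print("literal secrets in project file:", found)
    raise SystemExit(1 if found else 0)  # non-zero exit fails the CI step
```
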
🤔 When Should I Use This?
Good use cases:
- Desktop app with non-critical API keys
- Internal tools where you want basic string hiding
- Obfuscating configuration that isn't security-sensitive
Bad use cases:
- Protecting database passwords for critical data
- Storing payment gateway credentials
- Hiding encryption keys
- Any scenario where real security is required
🔧 Troubleshooting
Q: My properties are empty at runtime
Check that you've:
- Made your class partial
- Added the <CompilerVisibleProperty> items
- Actually provided values during build
Q: Build warnings about missing secrets
The generator will warn you if it can't find values for your [BuildSecret] properties. Make sure you're passing them via command line or project file.
Q: Can I see the generated code?
Add this to your .csproj:
<PropertyGroup>
  <EmitCompilerGeneratedFiles>true</EmitCompilerGeneratedFiles>
  <CompilerGeneratedFilesOutputPath>obj/GeneratedFiles</CompilerGeneratedFilesOutputPath>
</PropertyGroup>
Generated files will appear in obj/GeneratedFiles/.
📄 License
MIT License - See LICENSE file for details.
🤝 Contributing
Contributions welcome! Please understand that this is an obfuscation tool, not a security solution.
.NETStandard 2.0: No dependencies.