Proper way to hide API keys in Git

Question 1

I figured another solution now which is not perfect but still good enough for me, example:

APIKeys.cs file:

public static partial class APIKeys
{
    public static readonly string ImgurClientID = "";
    public static readonly string ImgurClientSecret = "";
    public static readonly string GoogleClientID = "";
    public static readonly string GoogleClientSecret = "";
    public static readonly string PastebinKey = "";
    ...
}

APIKeysLocal.cs file:

public static partial class APIKeys
{
    static APIKeys()
    {
        ImgurClientID = "1234567890";
        ImgurClientSecret = "1234567890";
        GoogleClientID = "1234567890";
        GoogleClientSecret = "1234567890";
        PastebinKey = "1234567890";
        ...
     }
}

Ignore APIKeysLocal.cs file in Git and people who don't have this file can still be able to compile project if they remove this file from solution explorer.

I also automatically create empty APIKeysLocal.cs file if it is not already exists using project pre build event:

cd $(ProjectDir)APIKeys\

if not exist APIKeysLocal.cs (
    type nul > APIKeysLocal.cs
)

That way user don't need to do anything to be able to compile project.

Question 2

Accept that you cannot hide unencrypted private keys in a public space.

What you can do is move the keys to a private space, and then reference that private space from code.

Your private space might be environment variables or the Windows registry, it should be something outside the source code of your app.

Another approach is to create a new config file (e.g. keys.config) specifically for storing private keys, and then exclude this file from source control.

This means you don't share your private keys, but it also means that you need to document (perhaps in readme.md) that users will need to recreate their own keys.config. Even better (thanks @Joey) is to include a sample config file (keys.sample.config) in the solution, illustrating what's needed.

Here is an example

Question 3

You've got two options:

Tell Git to ignore changes to APIKeys.cs on your local machine:
```
git update-index --skip-worktree APIKeys.cs
```
This will cause local changes not to get committed. If you ever do want to commit changes to the file, you'll have to undo this with the --no-skip-worktree flag.
Rename the APIKeys.cs file to something like APIKeys.template.cs, containing the blank strings that you want to share. Keep this file in your repository. Copy that file to APIKeys.cs. Add APIKeys.cs to your .gitignore. Add instructions to copy the template file and modify with local settings.
```
git mv APIKeys.cs APIKeys.template.cs
$EDITOR APIKeys.template.cs
git commit
cat APIKeys.cs >> .gitignore
cp APIKeys.template.cs APIKeys.cs
```

Question 4

Isn't this very similar to the problem of injecting a build number into your component? The way I do that is to have a pre-build step that generates a file called AssemblyVersionInfo.cs based on some environment variable. You could do the same thing with your API Keys.

In the pre-build step for the component that compiles in the API keys put something like this:-

if not defined API_KEY set API_KEY=DEFAULT_KEY
echo public class ApiKeys>"$(SolutionDir)src\ApiKeys.cs"
echo {>>"$(SolutionDir)src\ApiKeys.cs"
echo public const string Key="%API_KEY%";>>"$(SolutionDir)src\ApiKeys.cs"
echo }>>"$(SolutionDir)src\ApiKeys.cs"

Then you set either a user or system environment variable on your local machine with the real key in it.

setx API_KEY THE_REAL_KEY

To avoid Git wanting to commit the file just add it to the .gitignore.