diff --git a/documentation/configuration/configuration-sources.md b/documentation/configuration/configuration-sources.md index 494d78973c6..532cd59a206 100644 --- a/documentation/configuration/configuration-sources.md +++ b/documentation/configuration/configuration-sources.md @@ -1,5 +1,8 @@ # Configuration Sources +> [!IMPORTANT] +> See [Security Considerations](../security-considerations.md#storing-configuration-secrets) for important information regarding specifying secrets in configuration. + `dotnet monitor` can read and combine configuration from multiple sources. The configuration sources are listed below in the order in which they are read (first is lowest precedence, last is highest precedence): - Command line parameters diff --git a/documentation/configuration/egress-configuration.md b/documentation/configuration/egress-configuration.md index 3a41ed90fb2..565f0ea3c18 100644 --- a/documentation/configuration/egress-configuration.md +++ b/documentation/configuration/egress-configuration.md @@ -2,6 +2,9 @@ When `dotnet-monitor` is used to produce artifacts such as dumps or traces, an egress provider enables the artifacts to be stored in a manner suitable for the hosting environment rather than streamed back directly. +> [!IMPORTANT] +> See [Security Considerations](../security-considerations.md#storing-configuration-secrets) for important information regarding specifying secrets in configuration. + ## Azure blob storage egress provider | Name | Type | Required | Description | diff --git a/documentation/security-considerations.md b/documentation/security-considerations.md index cce9b9c83e0..13e2d37f67f 100644 --- a/documentation/security-considerations.md +++ b/documentation/security-considerations.md 
@@ -17,6 +17,20 @@ When using Azure Active Directory for authentication, the following noteworthy p - `roles` will be validated to make sure that the `RequiredRole` configuration option is present. - Properties relating to the lifetime of the token will be validated. -## Item 2 +## Storing Configuration Secrets + +It is **not recommended** to store secrets such as blob storage keys in JSON configuration. The following are recommendations for how to more securely store your configuration secrets for different platforms: + +### Locally + +When running locally, a preferred alternative is to specify secrets via environment variables when launching `dotnet monitor`. The following is an example using PowerShell, setting the value of `AzureBlobStorage__monitorBlob__AccountKey` prior to beginning collection: + +```pwsh +$env:Egress__AzureBlobStorage__monitorBlob__AccountKey = "accountKey"; dotnet-monitor collect +``` + +### Kubernetes + +For Kubernetes, a preferred alternative is to mount your secrets in the file system with restricted access - for more information and an example of how to do this, view the [Kubernetes documentation](https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#create-a-pod-that-has-access-to-the-secret-data-through-a-volume). For additional information on how secrets work in Kubernetes, view the following [documentation](https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#create-a-secret). ## Item 3
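Review bot: In the security-considerations.md hunk the prose and the example disagree on the variable name: the sentence says it sets `AzureBlobStorage__monitorBlob__AccountKey`, but the command sets `Egress__AzureBlobStorage__monitorBlob__AccountKey` (the `Egress__` prefix is what maps the value onto the egress provider section documented in egress-configuration.md). Make the sentence match the command, e.g. "setting the value of `Egress__AzureBlobStorage__monitorBlob__AccountKey`". Two smaller points in the same section: the text says "when launching `dotnet monitor`" while the example runs `dotnet-monitor collect`, so pick one spelling of the tool name (configuration-sources.md uses `dotnet monitor`, egress-configuration.md uses `dotnet-monitor`); and a `$env:` assignment in PowerShell stays set for the rest of that session and the literal key lands in the shell history, so the "Locally" guidance should say the variable is session-scoped and suggest clearing it after collection (or scoping it to the launching process) rather than leaving the key in the environment. Also, the hunk still leaves the placeholder heading `## Item 3` in place as trailing context; if that section is meant to be replaced like `## Item 2` was, it should be addressed in this change or tracked.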