Hello Everyone,

I have projects that multiple developers are working on. We all work off the same git repository.

Currently, I do not store production server configuration in the repository, because the configuration files contain database credentials.

I would like to start storing these configurations in the repository, so I'm thinking about encrypting the configuration files before saving them in the DVCS.

  1. What do you guys think about this idea?
  2. How would you go about doing this?
+4  A: 

Why do those secrets need to be stored in the public repository?

I would use a completely different mechanism for distributing those secrets, which is only accessible to those admins who need access to them.

ndim
Like what?.....
tarasm
Like a separate repo with just the secret config files with admin-only access to the whole repo. Or whatever else sysadmins use for that stuff. Puppet and its software configuration brethren come to mind. This is getting more in sysadmin territory than in programming territory, though.
ndim
That could be a solution actually because then I could version control the settings, but they would be versioned separately from the source code, which is a problem.
tarasm
Why is them being versioned separately a problem? Do your server passwords or certificates change suddenly when someone fixes a one-off bug in some array handling in the user interface?
ndim
+1  A: 

We encrypt passwords in the configuration files, and the application uses a key entered interactively at runtime to decrypt them. Because of the configuration system we use, only the configuration parser needed modification; the application code itself required no changes.

The main drawback is that we use a public-key algorithm, so that anyone can encrypt a value for the configuration file, but only authorized users can decrypt them. This makes the encrypted values much larger (we use a 2048-bit RSA key, and encode with Base-64) and kind of ugly in the configuration files.

We are always careful to encode metadata along with the encrypted value. This identifies the encryption key, the algorithms used, and the parameters needed for the algorithms. That way, we can gracefully change keys or algorithms, migrating over some period of time.

erickson
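The scheme erickson's answer describes, worked through as an added example (this is not erickson's code, and the `enc:v1:<key-id>:<alg>:<base64>` value format, the `KeyID` fingerprint and the `key = value` config syntax are assumptions made for the example): values are encrypted with a public key so any developer can add one, the private key lives only with the people who run the server, and each value carries metadata naming its key and algorithm so the parser can refuse what it does not understand and several keys can coexist during a migration. Only the config parser knows about encryption; application code reads plain strings.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"strings"
)

// Assumed value format: enc:v1:<key-id>:<alg>:<base64 ciphertext>
const (
	encPrefix  = "enc:"
	encVersion = "v1"
	algOAEP    = "RSA-OAEP-SHA256"
)

// KeyID is a stable fingerprint of the public key (first 8 bytes of the
// SHA-256 of its DER encoding), so a value names the key it was made with.
func KeyID(pub *rsa.PublicKey) string {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		panic(err) // only fails for an unsupported key type
	}
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:8])
}

// EncryptValue produces a config-file value. Anyone with the public key can
// create one; only the private-key holder can read it.
func EncryptValue(pub *rsa.PublicKey, plaintext string) (string, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(plaintext), nil)
	if err != nil {
		return "", err
	}
	return strings.Join([]string{encPrefix + encVersion, KeyID(pub), algOAEP,
		base64.StdEncoding.EncodeToString(ct)}, ":"), nil
}

// DecryptValue checks version, algorithm and key id before touching the
// ciphertext; an unknown key id is a clear error, not a guess.
func DecryptValue(keys map[string]*rsa.PrivateKey, enc string) (string, error) {
	parts := strings.Split(enc, ":")
	if len(parts) != 5 || parts[0] != "enc" {
		return "", fmt.Errorf("malformed encrypted value")
	}
	version, keyID, alg, b64 := parts[1], parts[2], parts[3], parts[4]
	if version != encVersion || alg != algOAEP {
		return "", fmt.Errorf("unsupported version %q or algorithm %q", version, alg)
	}
	priv, ok := keys[keyID]
	if !ok {
		return "", fmt.Errorf("no private key for key id %s", keyID)
	}
	ct, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", err
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// ParseConfig reads "key = value" lines and transparently decrypts any value
// carrying the enc: prefix; callers only ever see plaintext strings.
func ParseConfig(text string, keys map[string]*rsa.PrivateKey) (map[string]string, error) {
	cfg := make(map[string]string)
	for n, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		k, v, found := strings.Cut(line, "=")
		if !found {
			return nil, fmt.Errorf("line %d: expected key = value", n+1)
		}
		k, v = strings.TrimSpace(k), strings.TrimSpace(v)
		if strings.HasPrefix(v, encPrefix) {
			pt, err := DecryptValue(keys, v)
			if err != nil {
				return nil, fmt.Errorf("line %d (%s): %w", n+1, k, err)
			}
			v = pt
		}
		cfg[k] = v
	}
	return cfg, nil
}

func main() {
	// Constructed demo: the private key would normally be loaded from a file
	// outside the repository or entered at startup, never committed.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	keys := map[string]*rsa.PrivateKey{KeyID(&priv.PublicKey): priv}
	enc, _ := EncryptValue(&priv.PublicKey, "hunter2")
	cfg, err := ParseConfig("# constructed sample\ndb.host = db.internal\ndb.password = "+enc+"\n", keys)
	if err != nil {
		panic(err)
	}
	fmt.Println("committed:", "db.password =", enc)
	fmt.Println("decrypted:", cfg["db.password"])
}
```

Rotating keys is then a matter of keeping both the old and new private keys in the keyring while values are re-encrypted under the new key id; once no committed value names the old id, that key can be retired.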