We use a file that's ignored by the SCM and we check a template with bogus passwords into our deploy scripts. This lets developers use the deploy scripts to set up their own environments without divulging production env secrets. Ops maintains the official secrets file, and it's kept in a central location that only ops has access to.
On May 20, 2009, at 6:27 PM, "S. Robert James" <[email protected]> wrote:

> We have our cap deploy setup to take a new app server from zero to
> working, all automatically.
>
> One issue we're getting stuck with is: Where to store the database
> password?
>
> I'll show you what we thought of, and why we don't like it. I'm sure
> some of the pros here have already grappled with this, so I'd like to
> hear what you say.
>
> 1. Store in cap deploy files.
> PROBLEM: We don't want every developer who ever had access to cap
> deploy source to know the passwords.
>
> 2. Store in file on each server.
> PROBLEM: This would require manual setup of a new server.
> PROBLEM: Even if we accept to do it manually, in the course of doing
> so, it's quite likely that the password will get emailed around.
> "Anyone remember the pw to set up a new server? The box is down and I
> need to do a replacement quick."
>
> 3. Use a nonpassword system
> Windows supports authentication via user account on a known machine.
> I'm not sure how it works, or how secure it is. Haven't found any
> simple, secure way to do this via Linux. The ideal would be to tell
> the database server "If user rails_app on any of the local machines
> wants to connect, they don't need a password." But I'm not sure if
> there is a simple and secure way to do this.
>
> 4. Use some type of encryption
> I'm not sure how to use this to solve problems. The key needs to go
> somewhere, and so we're back to square one, on where to store the key.
>
> What do you do? Is there a best practice? What do the large
> enterprise / J2EE shops do?
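A preflight check for the template-plus-ignored-file workflow described in the reply above, as an added example that is not part of the original thread. The function names, the `SENSITIVE` key pattern and the YAML layout are assumptions; the thread does not name its files or keys.

```ruby
require "yaml"

# Assumption: keys whose name matches this hold secrets (not stated in the thread).
SENSITIVE = /pass|secret|token|key/i

# Flatten nested YAML into "production.password" => value pairs.
def flatten_keys(hash, prefix = nil)
  hash.each_with_object({}) do |(key, value), out|
    path = [prefix, key].compact.join(".")
    if value.is_a?(Hash)
      out.merge!(flatten_keys(value, path))
    else
      out[path] = value
    end
  end
end

def load_flat(path)
  flatten_keys(YAML.safe_load(File.read(path)) || {})
end

# Returns a list of problems; an empty list means the deploy may proceed.
# production: true applies the stricter checks for the ops-maintained file.
def secrets_problems(template_path, secrets_path, production: false)
  return ["#{secrets_path} is missing; copy #{template_path}"] unless File.file?(secrets_path)

  template = load_flat(template_path)
  secrets = load_flat(secrets_path)
  # The checked-in template defines which keys every environment must supply.
  problems = (template.keys - secrets.keys).map { |k| "missing key #{k}" }
  return problems unless production

  # The ops copy must not be accessible by group or other.
  if (File.stat(secrets_path).mode & 0o077) != 0
    problems << "#{secrets_path} is accessible by group or other"
  end
  # A production secret must be set and must differ from the bogus template value.
  secrets.each do |key, value|
    next unless key =~ SENSITIVE
    if value.to_s.empty? || value.to_s == template[key].to_s
      problems << "#{key} is empty or still the template value"
    end
  end
  problems
end
```

Developers run it without `production: true`, so a copied template with bogus passwords passes; the ops deploy aborts if the returned list is non-empty.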
