Taras Mankovski

Reputation: 1659

How would you store encrypted information in public DVCS repository?

I have projects that multiple developers are working on. We all work off the same git repository.

Currently, I do not store production server configuration in the repository, because the configuration files contain database credentials.

I would like to start storing these configurations in the repository, so I'm thinking about encrypting the configuration files before saving them in the DVCS.

  1. What do you guys think about this idea?
  2. How would you go about doing this?

Upvotes: 1

Views: 772

Answers (2)

erickson

Reputation: 269667

We encrypt passwords in the configuration files, and the application uses a key entered interactively at runtime to decrypt them. Because of the configuration system we use, only the configuration parser needed modification; the application code itself required no changes.

The main drawback is that we use a public-key algorithm, so that anyone can encrypt a value for the configuration file, but only authorized users can decrypt them. This makes the encrypted values much larger (we use a 2048-bit RSA key, and encode with Base-64) and kind of ugly in the configuration files.

We are always careful to encode metadata along with the encrypted value. This identifies the encryption key, the algorithms used, and the parameters needed for the algorithms. That way, we can gracefully change keys or algorithms, migrating over some period of time.

Upvotes: 2
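An added example of the scheme erickson describes, not code from the original thread: each encrypted value carries its key id and algorithm as metadata, anyone holding the public key can produce one, and the application decrypts with private keys it is given at runtime. The `ENC[...]` layout, the key id and the function names are assumptions, and the example goes one step beyond the answer by using the key id as the OAEP label so the metadata and ciphertext cannot be mismatched.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// Hypothetical on-disk form: ENC[<key id>:<algorithm>:<base64 ciphertext>].
// Key id and algorithm travel with the value so either can be rotated later.
const alg = "RSA-OAEP-SHA256"

// Keyring holds the private keys the application was given at startup.
type Keyring map[string]*rsa.PrivateKey

// Encrypt needs only the public key, so any developer can add a value. The key
// id is also the OAEP label: ciphertext relabelled with another id will not decrypt.
func Encrypt(keyID string, pub *rsa.PublicKey, plaintext string) (string, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(plaintext), []byte(keyID))
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("ENC[%s:%s:%s]", keyID, alg, base64.StdEncoding.EncodeToString(ct)), nil
}

// Decrypt passes plain values through and resolves ENC[...] values via the keyring.
func Decrypt(kr Keyring, value string) (string, error) {
	if !strings.HasPrefix(value, "ENC[") || !strings.HasSuffix(value, "]") {
		return value, nil
	}
	parts := strings.SplitN(value[4:len(value)-1], ":", 3)
	if len(parts) != 3 || parts[1] != alg {
		return "", fmt.Errorf("malformed or unsupported encrypted value: %q", value)
	}
	priv, ok := kr[parts[0]]
	if !ok {
		return "", fmt.Errorf("no private key loaded for key id %q", parts[0])
	}
	ct, err := base64.StdEncoding.DecodeString(parts[2])
	if err != nil {
		return "", err
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, []byte(parts[0]))
	return string(pt), err
}
```

A configuration parser would call `Decrypt` on every value it reads, which is the only place the application needs to know about the scheme.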

ndim

Reputation: 37777

Why do those secrets need to be stored in the public repository?

I would use a completely different mechanism for distributing those secrets, which is only accessible to those admins who need access to them.

Upvotes: 5
