
Where should the configuration.yml file of Dropwizard be saved?

I'm using Dropwizard, which is a Java web framework. Dropwizard uses configuration.yml files to load environment-specific configuration. In the example I found online the configuration.yml files contain the username and password of databases. Now the question is where to save these configuration files, which contain passwords in plain text.

OPTION 1: GIT REPOSITORY
In the example the configuration.yml files are part of the project. So one could keep them in the git repository with the rest of the code. This, though, is a well-known bad security practice. If someone cracks the git repository they have access to the code and to the database. Also, this way every single developer has access to all the passwords of all the environments.

OPTION 2: FILE ON THE COMPUTER
Save the configuration.yml on the machine but do not store it in the git repository.

OPTION 3: ENVIRONMENT VARIABLES
Use a configuration.yml file which points to environment variables on the specific machine. This is not so practical since all these environment variables need to be set manually on all the machines. Also, what is the syntax to use ENVIRONMENT VARIABLES in Dropwizard's configuration.yml files?

Giorgio
  • A year later someone asked a similar question and there is a good answer: http://stackoverflow.com/questions/23464451/overriding-server-connector-config-with-env-variables-with-dropwizard – zloster Feb 23 '16 at 20:17
  • There is another option also: 4) encrypt the configuration. Check my comment [here](http://stackoverflow.com/questions/35553673/dropwizard-configuration-file-security#comment58860201_35553673). – zloster Feb 23 '16 at 20:27

2 Answers


I'd go with environment variables if you cannot control read access to the config file or are concerned that your machine is owned by an untrusted third party.

Environment variables are trivial to script.

Gary
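As an added example (not from the question or either answer), this is the environment-variable substitution that later Dropwizard releases (0.8 onward) provide, which is the syntax the question asks about. The MyApplication and MyConfiguration classes and the DB_USER / DB_PASSWORD names are assumed for illustration; package names follow the Dropwizard 1.x/2.x layout and the dropwizard-db module is assumed to be on the classpath.

```java
import com.fasterxml.jackson.annotation.JsonProperty;
import io.dropwizard.Application;
import io.dropwizard.Configuration;
import io.dropwizard.configuration.EnvironmentVariableSubstitutor;
import io.dropwizard.configuration.SubstitutingSourceProvider;
import io.dropwizard.db.DataSourceFactory;
import io.dropwizard.setup.Bootstrap;
import io.dropwizard.setup.Environment;

// Hypothetical configuration class: the "database" section of configuration.yml
// is bound to Dropwizard's DataSourceFactory (dropwizard-db module).
class MyConfiguration extends Configuration {
    private DataSourceFactory database = new DataSourceFactory();
    @JsonProperty("database")
    public DataSourceFactory getDatabase() { return database; }
    @JsonProperty("database")
    public void setDatabase(DataSourceFactory database) { this.database = database; }
}

// Hypothetical application class.
public class MyApplication extends Application<MyConfiguration> {
    public static void main(String[] args) throws Exception {
        new MyApplication().run(args);
    }

    @Override
    public void initialize(Bootstrap<MyConfiguration> bootstrap) {
        // Wrap the default source provider so that ${NAME} references in the
        // YAML are replaced with the value of environment variable NAME.
        // strict = true: startup fails if a referenced variable is unset, so a
        // missing DB_PASSWORD is caught at deploy time rather than at first query.
        bootstrap.setConfigurationSourceProvider(
                new SubstitutingSourceProvider(
                        bootstrap.getConfigurationSourceProvider(),
                        new EnvironmentVariableSubstitutor(true)));
    }

    @Override
    public void run(MyConfiguration configuration, Environment environment) {
        // Register resources, health checks, etc. here.
    }
}

// configuration.yml, safe to commit because it holds no credentials:
//   database:
//     driverClass: org.postgresql.Driver
//     url: jdbc:postgresql://localhost:5432/app
//     user: ${DB_USER}
//     password: ${DB_PASSWORD}
// Start the service with the secrets set only on the target machine:
//   DB_USER=app DB_PASSWORD='<secret>' java -jar app.jar server configuration.yml
```

With this in place the committed YAML carries only placeholders, and a developer checking out the repository learns nothing about production credentials.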

You should use a file on the computer: this is how many frameworks out there work. If you use a Unix/Linux server you can chmod 0600 [filename] and be sure that nobody (almost nobody, as root can do anything) can read that file. On the Dropwizard ML it was also suggested to use software like puppet/chef to deploy your application and to use these frameworks to handle all variables (e.g. different configurations for test/staging/production).

Bye Piero

Piero Ottuzzi