There is a thread on the list, about a year old, on the topic of password-protecting the Rails database password (typically stored in the clear in database.yml). A lot of people dismissed the idea, since any key for decrypting the password would have to be stored on the same box. I was wondering what people's thoughts were on the feasibility/desirability of passing an argument to Capistrano deployment tasks that would pass the decrypting key along to the application.

In many applications, the database password may not be the only sensitive password on the box. After all, web servers might need to interact with all kinds of different systems, each system requiring its own authentication credentials. So even if you don't think that the MySQL password is all that sensitive, there is still the general issue of leaving sensitive configuration details in plaintext (and embedded in the code) on the server.

Any thoughts, help, or comments would be appreciated.
on 2007-03-02 18:43