How do I store passwords in environment variables (and remove them from version control)?

2

I'm migrating from a local tfs to a private git (probably bitbucket). Today I simply encrypt webconfig, now I will have to get my sensitive version control data (connection string, passwords, etc.).

How do you do? Environment Variables?

As probably the answer is yes, every time you need to add or edit a key, I go to the infra-man and it adds "on hand"?

What about the organization of these variables? One variable for each key? At the user level? Should I encrypt in any way?

In case I use jenkins, deploy is automated. But I'm studying improvements in the process. I believe that the jenkins permissions do not allow changing environment variables, so the issue of the face of the infra.

I'm also intrigued at how azure create the variables / settings, how does azure do to change the environment veriáveis by the site / app? Could I (should) simulate this on my systems too?

    
asked by anonymous 18.07.2016 / 19:58

1 answer

2
  

How do you do? Environment Variables?

If you already encrypt your web.config , you do not have to worry about information security, right?

Basically, only encryption already resolves the security issue, but this assuming you are using this method .

  

As probably the answer is yes, every time you need to add or edit a key, I go to the infra-man and it adds "on hand"?

It is not good practice to leave this with the infra. It is best to leave the configuration of variables within your system, using some form of internal encryption if this is the case.

  

What about the organization of these variables? One variable for each key? At the user level? Should I encrypt in any way?

  • One variable for each key;
  • At user level it is better to put in database, not in system;
  • Encrypt if possible.
  

How does azure do to change the environment veriáveis by the site / app?

Normally it is not Azure that does this modification, but rather a process called Transformation of Web.config .

Note that your Visual Studio generates, in addition to Web.config , Web.Release.config and Web.Debug.config . These last two files are responsible for having the setting that turns your Web.config into a modified file when published.

  

Could I (should) simulate this in my systems too?

This is simple to simulate. See the following answers where I explain this:

25.07.2016 / 20:11