There is no default place to put application.yml .
Your question seems more like how to improve the security of access to the server that runs the application than in how to hide the user and password of other people.
An example of this is:
The attacker enters the server but does not have the user and password of the database so he keeps listening for the connections, if you do not have https, then it takes the user and password even if it is hidden or elsewhere because the application will need them to connect to the database.
You can choose a system configuration manager like zookeeper , consul or even etcd , but it will fall into the situation I quoted above.
Focus on access to the server and its security and then go after the security of passwords in the application because this second is more complicated than it seems.
Here we have great considerations on how to hide passwords for applications:
-
Hiding shell script passwords here Jenny was the one to write the answer on stackexchange makes considerations ranging from the importance of the information contained in the database to the company, what the financial impact if someone has access to the data, it also speaks of technical aspects as the user you are using is the database administrator or has the correct permissions to execute only what the application needs and so on.
The last item it says is "you can never avoid saving the password somewhere" is that it prompts me to start making your security by the periphery of your application such as: who accesses the server, who can access, who accesses the network, if it is easy to enter the server.
