You should never put your passwords (or private keys) in source control; it
would be better to use the puppet/bcfg option.
Generally you want to keep your sensitive and less sensitive info separate. If
you have passwords in version control and later want to delete them, you have to
mess with your version control history, and backups, and so on. You really
don't want to compromise the quality of your version control.
And if you ever put passwords in version control, you should change those
passwords, so the copies in version control can be left alone, but no attacker
can use them (assuming those aren't human-chosen and provide clues to discerning
how they choose other newer passwords).
-- Darren Duncan
Shaun Thomas wrote:
Hey,
So, I've searched around through the archives, and it seems this has
come up a couple times in the past. But one scenario that was never
explored was when using one .pgpass file in a cluster of servers, in
which case it makes sense to save it in source control, or something
like puppet/bcfg. So my question is this:
Has anyone come up with a good solution for distributing a .pgpass file
that doesn't expose it to anyone who has access to the distribution
mechanism?
I ask because several people can access and make pull requests to our
configuration management system, but except for .pgpass, none of these
files contain plain-text passwords. We have dozens of systems running
PostgreSQL, and manually setting up each one is a waste of time; we have
configuration management for a reason.
Am I just missing something, here?
Thanks, everyone!
--
Sent via pgsql-general mailing list (pgsql-general@xxxxxxxxxxxxxx)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general
