I've seen many recommendations to versionize configuration management system. How do you suggest one deals with passwords that are needed for application security? Versionize them, too?
I've seen many recommendations to versionize configuration management system. How do you suggest one deals with passwords that are needed for application security? Versionize them, too?
If you are writing passwords in configuration files, it's certainly easier to leave those passwords in when checking the configuration files into revision control. Doing so certainly isn't any less secure than just having them in the configuration file to begin with, as long as appropriate access control is applied to the repository (both permissions on the repository, and filesystem permissions on what the repository uses for its backend). Passwords stored like this are certainly vulnerable, but often you have no choice.
Whenever you are storing passwords, it's best to ensure that they will be encrypted, and access to the encrypted password database is limited. I wouldn't typically use a revision control system for this, as it has a fair bit of overhead and complexity which really serves only to increase your attack surface.
Lots of people store administrative passwords in spreadsheets and in documentation. Don't be like those people unless you enjoy being embarrassed by pentesters.
The best solution is to use software which encrypts the passwords, storing them on an offline system if possible. Lots and lots of software exists for this (and some of it can actively change the passwords for you as required and keep records of historical passwords). Hitachi ID Systems makes an enterprise-grade product for this (disclosure: I used to work for them); keepass and lastpass also come to mind.
If you just need somewhere safe to store passwords & retrieve them occasionally, try a product like Secret Server.
If you're looking to bundle passwords with deployment artefacts as part of automation, then find a tool (like Secret Server) that has an API that will let you query for passwords as you need them & keep them out of (potentially) less secure version control repositories.
If you are using a config mgmt tool like Chef, you could just use encrypted data bags
http://docs.opscode.com/essentials_data_bags_encrypt.html
OTOH, for things that vary by environment, it is better to pass them to automated scripts via the system environment.
http://www.12factor.net/config
Any CI or CD server product should allow you to store the values in encrypted form. e.g. here's the documentation for the product I work for.
http://www.thoughtworks-studios.com/docs/go/current/help/deploy_a_specific_build_to_an_environment.html#secure_variables_section