Question

I am using a config file to store passwords / keys for DB and connection to other services like AWS.

I am using Travis CI for build, and running my tests, and then deploying it to live server.

I would like to encrypt the variables in my config file so that only the application is able to read them. These are the criteria:

1) The application should be able to decrypt it in multiple environments, from the build server to multiple deployment servers.

2) The password used to decrypt the config file is not available to the developers.

The project is in Clojure. Are there any Leiningen plugins / features that will aid in this?

Thanks, Murtaza

Solution

I think the best solution to what you are trying to do is simply to remove the config files from the application source tree. Save the config files to the build and deployment servers and don't give the developers direct access to those.

The chief problem with what you are trying to do is that you are trying to make it impossible for your developers to have access to something but at the same time make it possible for something that the developers have complete control over, the application code, to have access to the same thing. That is, for the application to be able to decrypt the configs, the developers have to have access to the decryption keys.

You could try making it only possible to decrypt your configs through tools available only on the build and deployment servers (i.e. a Leiningen plugin), but it would be simpler to just store the config files separately.
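A sketch of the approach described in the answer, added here as an example and not code from the original post: the application reads its secrets from an EDN file that lives outside the source tree and refuses to start if the file is inside the project directory or accessible to accounts other than its owner. The environment variable name `APP_CONFIG_FILE`, the EDN format, the use of the working directory as the project root, and POSIX file permissions on the servers are all assumptions.

```clojure
(ns example.external-config
  "Added example: load secrets from a file kept outside the source tree."
  (:require [clojure.edn :as edn])
  (:import (java.nio.file Files LinkOption Path Paths)
           (java.nio.file.attribute PosixFilePermission)))

;; Assumed name: the build/deployment server sets this to the file's location.
(def config-env-var "APP_CONFIG_FILE")

;; Permission bits that let accounts other than the owner read or change the file.
(def forbidden-perms
  #{PosixFilePermission/GROUP_READ PosixFilePermission/GROUP_WRITE
    PosixFilePermission/OTHERS_READ PosixFilePermission/OTHERS_WRITE})

(defn- real-path ^Path [s]
  ;; toRealPath resolves symlinks and throws if the path does not exist,
  ;; so a symlink from the repo to the real file is judged by its target.
  (.toRealPath (Paths/get s (make-array String 0)) (make-array LinkOption 0)))

(defn check-config-path
  "Returns the resolved config path. Throws if the file sits inside
  project-dir or is readable/writable by group or others (POSIX only)."
  [config-file project-dir]
  (let [cfg   (real-path config-file)
        proj  (real-path project-dir)
        perms (Files/getPosixFilePermissions cfg (make-array LinkOption 0))]
    (when (.startsWith cfg proj)
      (throw (ex-info "Config file is inside the source tree"
                      {:path (str cfg)})))
    (when-let [bad (seq (filter forbidden-perms perms))]
      (throw (ex-info "Config file is accessible beyond its owner"
                      {:path (str cfg) :perms (mapv str bad)})))
    cfg))

(defn load-config
  "Reads the EDN config named by the environment variable, failing closed."
  []
  (let [path (or (System/getenv config-env-var)
                 (throw (ex-info (str config-env-var " is not set") {})))
        cfg  (check-config-path path (System/getProperty "user.dir"))]
    ;; Constructed sample file contents: {:db-password "example-only"}
    (edn/read-string (slurp (str cfg)))))
```

The file itself would be owned by the service account with mode `0600`, so the check passes only on servers provisioned that way.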

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow