A configuration file (.yml) is being used for a REST API developed with Dropwizard (0.9.2 - latest release). Most of the credentials needed by the API such as database passw
I just looked for the solution for a similar issue. I wanted to find a solution to not include the keystore password in the config file. Finally I got a solution for it.
Just store credential keys in the config file, and then use a substitutor to replace the keys with their related values. But this needs a secure key-value service to get the values of the keys.
Overriding server connector config with env variables with dropwizard
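As an added example (not code from the question or from either answer), this is how the substitutor approach looks with Dropwizard 0.9.x's own `SubstitutingSourceProvider` and `EnvironmentVariableSubstitutor`: the committed config.yml carries only `${VAR}` placeholders and the real values are injected from the process environment. `ApiApplication` and `ApiConfiguration` are assumed names (`ApiConfiguration` is assumed to extend `io.dropwizard.Configuration` with a `database` DataSourceFactory field).

```java
// config.yml (safe to commit, no secret values in it):
//   database:
//     driverClass: org.postgresql.Driver
//     user: ${DB_USER}
//     password: ${DB_PASSWORD}
//     url: ${DB_URL}
//
// Start the service with the values supplied by the deployment environment:
//   DB_USER=app DB_PASSWORD='<from secret store>' DB_URL=jdbc:postgresql://db/app \
//     java -jar api.jar server config.yml

import io.dropwizard.Application;
import io.dropwizard.configuration.EnvironmentVariableSubstitutor;
import io.dropwizard.configuration.SubstitutingSourceProvider;
import io.dropwizard.setup.Bootstrap;
import io.dropwizard.setup.Environment;

// Assumed application class name; ApiConfiguration is assumed to exist
// and to expose the "database" block above as a DataSourceFactory.
public class ApiApplication extends Application<ApiConfiguration> {

    public static void main(String[] args) throws Exception {
        new ApiApplication().run(args);
    }

    @Override
    public void initialize(Bootstrap<ApiConfiguration> bootstrap) {
        // Wrap the default file source provider so ${VAR} placeholders are
        // resolved from environment variables before the YAML is parsed.
        // strict=true makes startup fail with UndefinedEnvironmentVariableException
        // when a referenced variable is missing, instead of leaving the literal
        // "${DB_PASSWORD}" in place and starting with a bogus credential.
        bootstrap.setConfigurationSourceProvider(
                new SubstitutingSourceProvider(
                        bootstrap.getConfigurationSourceProvider(),
                        new EnvironmentVariableSubstitutor(true)));
    }

    @Override
    public void run(ApiConfiguration configuration, Environment environment) {
        // Register resources, health checks, etc. as usual; the parsed
        // configuration already contains the substituted values.
    }
}
```

The environment (or the secret store that populates it) becomes the only place the real password exists, so the YAML in version control never needs a masked copy kept in sync.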
Yes, it's not secure indeed. Even worse if the configuration file is committed to a public repository or for that matter any repository (version control). One way which I follow is to maintain a local copy (not to be committed to any repository) of the config (.yml) file which has all the sensitive keys & details etc and maintain another example config file which has the sensitive details masked (some dummy strings instead of actual values). This example config can be committed to your repository as it has sensitive details masked.
For all purposes of running your code locally or elsewhere, use the local config file. This way you don't risk exposing sensitive data on a repository. There is an overhead, though, in keeping your example config in sync with your local copy whenever you make any modifications.