External configuration secrets
9.3. Storing sensitive configuration values externally

Configuration files usually contain sensitive values such as:

  • passwords for database accounts or directory service accounts
  • shared secrets
  • passwords for key stores

Sensitive configuration values should not be shared between instances and stages.

Example

The database password for the productive instance should not be available in the configuration for the test instance. 

Airlock IAM supports storing sensitive configuration values in protected key store files outside the configuration XML.

Options to store values securely

To securely store a sensitive configuration value outside the configuration XML there are several options:

  • Use the Config Editor
  • Use the CLI (command-line-interface)
  • Using standard tools for the key store
  • Using standard mechanisms provided by the container technology (see 6.4. IAM as Docker image)