Storing sensitive configuration values externally
Configuration files usually contain sensitive values such as:
- passwords for database accounts or directory service accounts
- shared secrets
- passwords for key stores
Sensitive configuration values must not be shared across instances or deployment stages. For example, the database password of the production instance must not be present in the configuration of the test instance: a test stage is typically less strictly protected, and a leak there would otherwise expose production credentials.
Airlock IAM supports storing sensitive configuration values in protected keystore files outside the main configuration (iam-config.yaml or medusa-configuration.xml).
Options to store values securely
To store a sensitive configuration value securely outside the main configuration, there are several options:
- Use the Config Editor
- Use the command-line interface (CLI) command iam sensitive-values
- Use standard tools for the keystore
- Use the standard mechanisms provided by the container technology (see IAM as Docker image)
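The following is an added example for the "standard tools for the keystore" option; it is not part of the Airlock IAM documentation or product. It uses keytool from the JDK to place a password into a Java keystore as a secret-key entry, with one keystore file per stage. The keystore file name, the store type JCEKS and the alias db.password are assumptions made for illustration; use the file, store type and alias that your IAM installation expects. The secret and the keystore password are passed through environment variables so that neither appears on the command line (and therefore in ps output or the shell history).

```shell
#!/bin/sh
# Added example, not code from the Airlock IAM documentation or product.
# Stores a sensitive value as a password entry in a Java keystore using
# keytool (a standard JDK tool). File name, store type and alias below are
# assumptions for illustration; match them to what your IAM version expects.
set -eu

# store_secret KEYSTORE ALIAS
# Reads the value to store from $SECRET_VALUE and the keystore password from
# $KS_PASS (both must be exported). keytool reads the value to import from
# stdin when stdin is not a terminal; it is written twice so that an
# interactive "re-enter" prompt is satisfied as well. The keystore file is
# created if it does not exist yet.
store_secret() {
    ks="$1"; alias="$2"
    printf '%s\n%s\n' "$SECRET_VALUE" "$SECRET_VALUE" | keytool -importpass \
        -alias "$alias" -keystore "$ks" -storetype JCEKS \
        -storepass:env KS_PASS -keypass:env KS_PASS >/dev/null 2>&1
    # Only the account running IAM should be able to read the keystore.
    chmod 600 "$ks"
}

# list_aliases KEYSTORE
# Prints one alias per line for the secret-key entries in the keystore,
# as a quick sanity check that the value was stored under the right name.
list_aliases() {
    keytool -list -keystore "$1" -storetype JCEKS -storepass:env KS_PASS 2>/dev/null \
        | awk -F, '/SecretKeyEntry/ {print $1}'
}

# Usage (one keystore per stage; never copy the production file to test):
#   export KS_PASS='<keystore password>' SECRET_VALUE='<database password>'
#   store_secret /etc/iam/prod/sensitive-values.jceks db.password
#   list_aliases /etc/iam/prod/sensitive-values.jceks
```

Keep the keystore password itself out of the main configuration as well, for instance by supplying it through the container's secret mechanism (see IAM as Docker image), and restrict file permissions on each stage's keystore to the IAM service account.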