I’m curious how you handle secrets in your production Erlang/OTP application configuration. I do see this other thread about the configs in general, but I’m more curious about the secrets here. I would also like to know what libraries/dependencies/services/tools you use, especially if you pick one of the latter options, if you’re willing and able to share. Finally, feel free to share recommended best practices and associated tools in the comments too, even if you don’t currently follow them, but perhaps wish you did.
- Secrets? What are those? Information wants to be free! I store everything plain text, then include everything needed in config files and ship it along with the release.
- Secrets are stored encrypted elsewhere. Config file is a template. Secrets get retrieved, decrypted and substituted in the config file during the release process. Secrets are included in plain text with the release.
- Secrets are stored encrypted elsewhere. They aren’t included in the release. They get retrieved, decrypted and stored on the host disk or elsewhere on the host before the application starts.
- Secrets are stored encrypted elsewhere. They get retrieved and decrypted by the application during its startup or as needed. They are only decrypted in application memory and aren’t otherwise stored decrypted anywhere else.
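An added example, not from the original post, of the last option in Erlang/OTP: sys.config carries `{encrypted, Blob}` entries instead of plaintext, a gen_server decrypts them at startup with a key the host hands over, and the plaintext lives only in that process's heap. The module name, the `SECRET_VAULT_KEY_B64` variable and the blob layout (IV || GCM tag || ciphertext) are assumptions of this example.

```erlang
%% secret_vault.erl (example, not from the thread): decrypted secrets stay in process memory.
-module(secret_vault).
-behaviour(gen_server).
-export([start_link/1, fetch/1, encrypt/2, demo/0]).
-export([init/1, handle_call/3, handle_cast/2]).

%% A config entry is a plain value or {encrypted, Base64Blob}, where
%% Blob = IV (12 bytes) || GCM tag (16 bytes) || ciphertext, produced by encrypt/2.
start_link(Entries) ->
    gen_server:start_link({local, ?MODULE}, ?MODULE, Entries, []).

%% Callers get only the one plaintext they ask for; nothing is written to disk.
fetch(Name) -> gen_server:call(?MODULE, {get, Name}).

init(Entries) ->
    %% The data key is delivered by the host at start time (an env var here;
    %% in production a KMS/vault client would supply it) and decoded once.
    Key = base64:decode(os:getenv("SECRET_VAULT_KEY_B64")),
    Secrets = maps:from_list([{N, resolve(Key, V)} || {N, V} <- Entries]),
    {ok, Secrets}.

handle_call({get, Name}, _From, Secrets) ->
    {reply, maps:get(Name, Secrets, undefined), Secrets}.
handle_cast(_Msg, Secrets) -> {noreply, Secrets}.

resolve(Key, {encrypted, B64}) ->
    <<IV:12/binary, Tag:16/binary, Cipher/binary>> = base64:decode(B64),
    case crypto:crypto_one_time_aead(aes_256_gcm, Key, IV, Cipher, <<>>, Tag, false) of
        error -> erlang:error({secret_auth_failed, B64});  % wrong key or tampered blob
        Plain -> Plain
    end;
resolve(_Key, Plain) -> Plain.

%% Run at release-build time to produce the {encrypted, ...} blobs for sys.config.
encrypt(Key, Plain) ->
    IV = crypto:strong_rand_bytes(12),
    {Cipher, Tag} = crypto:crypto_one_time_aead(aes_256_gcm, Key, IV, Plain, <<>>, true),
    base64:encode(<<IV/binary, Tag/binary, Cipher/binary>>).

%% Self-contained walk-through with a constructed key and a constructed secret.
demo() ->
    Key = crypto:strong_rand_bytes(32),
    os:putenv("SECRET_VAULT_KEY_B64", binary_to_list(base64:encode(Key))),
    Entries = [{db_host, "db.internal"},
               {db_password, {encrypted, encrypt(Key, <<"hunter2">>)}}],
    {ok, _Pid} = start_link(Entries),
    <<"hunter2">> = fetch(db_password),
    "db.internal" = fetch(db_host),
    ok.
```

Note that a crash dump or `observer` can still expose the process state, so the vault process should be kept out of logged or dumped state in the same way any other secret-holding process is.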