What is a good way of securing credentials when deploying software to a remote server?

Zen Savona asked:

If I want to deploy some software to a remote server (e.g. Heroku or my own VM with SSH access) via a CI server like Jenkins Atlassian Bamboo, what’s an effective way of keeping things like MySQL passwords safe? My database (potentially) contains some very sensitive information and keeping passwords on the servers of some third party (e.g. Atlassian) keeps me up at night. Ideally I would like it to never touch the third party, but I’d be happy with it merely passing through without being stored.

I realise this is not a very good question for Q/A format, but I’m being as specific as possible.

My answer:

If you don’t want a third party having the credentials, you run your own CI server instead of using a third party server. Easy as that.

Of course, if you host on Heroku, a third party already has your data anyway, and doesn’t really need the credentials to get to it, so…

If you must use the third party server, you use legal agreements where the third party is obliged to protect your confidential data similarly to their own.

View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.