
Ask HN: How do you handle certificate and password dependencies in your code? - wtvp
In order to build or deploy a project, often certificates or passwords are required.

Obviously those dependencies should not be explicitly in the project's source code.

But I believe it's still good practice to have them versioned with redundancy from corruption or loss.

How do you handle securing those dependencies? And then referencing them in your projects?

Often I see developers make them part of the environment, but that implies that it is versioned somewhere (provided your environment is deployable).

Or rely on syncing with certificate services (like Apple Developer/Xcode), but that isn't always available or not easily accessible.
======
msencenb
For webapps with VPS backends the recommendation is to use environment
variables. In order to get said environment variables onto the remote machines
I tend to use Ansible in conjunction with ansible-vault for encryption.

~~~
tom_b
My experience using environment variables as recommended above has been
positive. I currently maintain a Clojure web app (a REST server really) and
have found that maintaining configuration options, like a keystore and
keystore password, in environment variables is really nice. Having the _exact_
same code base in dev, test, and production with separate configs specific to
the environment simplifies dev life.

The one issue that has popped up here with the env var approach is that our
system administrators are not used to the idea and this creates friction when
deploying new apps or updated certs.
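
The environment-variable approach from the two comments above, as an added example that is not code from either commenter: a startup loader that fails closed when a variable is missing and keeps the keystore password out of log output. The variable names `APP_ENV`, `KEYSTORE_PATH` and `KEYSTORE_PASSWORD` and the file-permission check are assumptions made for illustration.

```python
import os
import stat
from dataclasses import dataclass, field

# Hypothetical variable names; the thread names no specific ones.
REQUIRED = ("APP_ENV", "KEYSTORE_PATH", "KEYSTORE_PASSWORD")


class ConfigError(Exception):
    """Raised at startup when the environment is incomplete or unsafe."""


@dataclass(frozen=True)
class Settings:
    app_env: str
    keystore_path: str
    # repr=False keeps the secret out of logs and tracebacks that print Settings.
    keystore_password: str = field(repr=False)


def load_settings(environ=os.environ, check_file=True):
    """Build Settings from the environment, failing closed on any problem."""
    missing = [name for name in REQUIRED if not environ.get(name)]
    if missing:
        # Report variable names only, never values.
        raise ConfigError("missing environment variables: " + ", ".join(missing))
    path = environ["KEYSTORE_PATH"]
    if check_file:
        try:
            mode = os.stat(path).st_mode
        except OSError as exc:
            raise ConfigError(f"keystore not readable: {path}") from exc
        # Refuse a keystore that group or other users can read or write.
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise ConfigError(f"keystore permissions too open: {oct(mode & 0o777)}")
    return Settings(environ["APP_ENV"], path, environ["KEYSTORE_PASSWORD"])


if __name__ == "__main__":
    # Constructed sample environment, not real credentials.
    sample = {"APP_ENV": "test", "KEYSTORE_PATH": "/nonexistent.jks",
              "KEYSTORE_PASSWORD": "constructed-example"}
    print(load_settings(sample, check_file=False))
```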

------
boyter
When in AWS either by using an encrypted S3 bucket with a versioned file and
accessed by applications using roles on the instance they are on or if
hardcore security is required through KMS.

