I'm working on upgrading a "legacy" infrastructure where a handful of PHP, Rails and Perl (CGI) applications are in use. Historically, these applications have been written with the database credentials sprinkled into all the source code as program variables.
We are discussing ways to change this. One proposal suggests moving all DB creds to the Apache /etc/apache2/envvars file. Another proposal suggests use of Hashicorp's vault (don't quite fully understand how this beast works).
The envvars method seems better, but I assume this would mean that any compromised application would have full access to any other application's DB creds. I'm wondering if a better approach would include some sort of partitioning for applications where (bad example, but it happens) Bob's compromised 'todo list' wouldn't necessarily compromise the credentials for an HR application by way of Apache environment variables.
Vault is... weird. From what I can tell, it creates temporary DB credentials in the database. I don't fully understand how it works, so I can't tell if it's a good fit.
What's the best practice for protecting DB credentials on a web server? Anything is better than leaving them in source code but if we're going to make a big change here, I'd rather not have to do it again due to misinterpretations. I've looked over links here and here with little discussion about it.