Avoiding ASP.NET passwords in github?

Question

I understand this question can be general but, specifically with regards to ASP.NET MVC, what's the best way to keep passwords locally but not in git/svn? My database connection string is currently in web.config -- is it best to somehow include a file in web.config that isn't in git? What do you folks do?

Answer 1

I use Windows Auth with my databases, so the connection string contains a server name but not a username/password.

For Machines where I can't use Windows Auth, I use web.config transforms and add the web.dev.config to my .gitignore.

Answer 2

Regarding Git, I would use a filter driver in order to build the right web.config out of:

• a web.config.template file,
• an external (encrypted) source where to look for the password.

On every checkout, the 'smudge' script would be the right web.config content, that way:

• web.config remains private (only visible in your working tree)
• common parts of the web.config which don't change often and are public information remain versioned in web.config.template.
• the password, even encrypted, don't get replicated from repository to repository.