Encrypt smtp_password in the rails codebase
Overview
In gitlab#238483 (closed) we are providing the option to store the LDAP password in an encrypted file instead of in plain text in the GitLab configuration files. While the LDAP password was the top priority for customers, many customers mentioned a preference, or a security requirement, to remove all configuration passwords from plain text.
Proposal
The solution implemented in gitlab#238483 (closed) can be extended with minimal effort to cover other passwords that belong to the Rails application. In the interest of small, fast iterations, this next iteration of Secure Solution for Managing Omnibus Configuration Secrets provides the option to store the following Rails passwords in an encrypted file:
gitlab_rails['smtp_password']
Requirements
For increased protection of LDAP servers, these passwords are stored in a separate file from the LDAP password, so that end users can further restrict access to the LDAP password on its own. All of the passwords listed above are stored together in a single encrypted file. Further separation can be added in future iterations if there is demand.
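To make the proposal concrete, the following is an added illustration (not GitLab's own implementation, whose file layout, key handling and rake tasks are not described on this page) of the pattern the proposal and the requirement above describe: one authenticated-encryption file per settings group ("ldap" and "smtp" kept apart), the encrypted value taking precedence over the plaintext configuration key at load time, and re-encryption of every file under a new key as the rotation step the acceptance criteria ask to be documented. The key-derivation context string, the `*.yaml.enc` file naming and the sample password values are assumptions made for this example.

```ruby
require "openssl"
require "yaml"
require "tmpdir"
require "fileutils"

# Illustrative encrypted-settings store (added example, not GitLab's code).
# Each settings group ("ldap", "smtp", ...) is written to its own file so that
# filesystem permissions on the LDAP file can be tightened independently.
class EncryptedSettings
  CIPHER = "aes-256-gcm"
  KDF_SALT = "encrypted_settings" # hypothetical context string for key derivation

  # key_base: a long random secret held outside the config files (hypothetical name).
  # A 32-byte AES key is derived from it with HKDF so the raw secret is never used directly.
  def initialize(dir, key_base)
    @dir = dir
    @key = OpenSSL::KDF.hkdf(key_base, salt: KDF_SALT, info: "settings", length: 32, hash: "sha256")
  end

  def path(name)
    File.join(@dir, "#{name}.yaml.enc")
  end

  # File layout: 12-byte IV || 16-byte GCM tag || ciphertext. The group name is bound
  # as associated data, so an "smtp" blob cannot be swapped in as the "ldap" file.
  def write(name, settings)
    cipher = OpenSSL::Cipher.new(CIPHER).encrypt
    cipher.key = @key
    iv = cipher.random_iv
    cipher.auth_data = name
    ciphertext = cipher.update(YAML.dump(settings)) + cipher.final
    FileUtils.mkdir_p(@dir)
    File.open(path(name), "wb", 0o600) { |f| f.write(iv + cipher.auth_tag + ciphertext) }
  end

  # Returns {} when no encrypted file exists, so callers fall back to plaintext config.
  # Raises OpenSSL::Cipher::CipherError on a wrong key or a tampered file.
  def read(name)
    return {} unless File.exist?(path(name))
    blob = File.binread(path(name))
    iv, tag, ciphertext = blob[0, 12], blob[12, 16], blob[28..-1]
    cipher = OpenSSL::Cipher.new(CIPHER).decrypt
    cipher.key = @key
    cipher.iv = iv
    cipher.auth_tag = tag
    cipher.auth_data = name
    YAML.safe_load(cipher.update(ciphertext) + cipher.final)
  end

  # Key rotation: decrypt every group with the current key and re-encrypt it under
  # the key held by new_store. Old files stay readable only with the old key.
  def rotate_to(new_store)
    Dir[File.join(@dir, "*.yaml.enc")].each do |f|
      name = File.basename(f, ".yaml.enc")
      new_store.write(name, read(name))
    end
  end
end

# Load-time merge: a value from the encrypted file overrides the plaintext key,
# so the plaintext password can be removed from the config file once migrated.
def effective_smtp_settings(plain_config, store)
  plain_config.merge(store.read("smtp"))
end

# End-to-end walk-through on constructed sample values.
def demo(dir = Dir.mktmpdir("encrypted-settings"))
  store = EncryptedSettings.new(dir, "old-key-base-" * 4)
  store.write("ldap", { "password" => "ldap-secret" }) # constructed sample value
  store.write("smtp", { "password" => "smtp-secret" }) # constructed sample value

  plain = { "address" => "smtp.example.com", "password" => "PLAINTEXT-TO-BE-REMOVED" }
  merged = effective_smtp_settings(plain, store)

  rotated_dir = File.join(dir, "rotated")
  new_store = EncryptedSettings.new(rotated_dir, "new-key-base-" * 4)
  store.rotate_to(new_store)

  old_key_fails = begin
    EncryptedSettings.new(rotated_dir, "old-key-base-" * 4).read("smtp")
    false
  rescue OpenSSL::Cipher::CipherError
    true
  end

  { merged: merged, rotated: new_store.read("smtp"), old_key_fails: old_key_fails }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The point to note for operators is the last result: after rotation the rotated files are unreadable with the previous key, which is why documentation must state the order of operations (rotate files, then retire the old key) and that a backup of the old encrypted files is useless without the old key.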
Acceptance criteria
Clear documentation has been created that explains how to store passwords in a separate file, where the encryption key is stored, how to generate a new password, how to change a password, any information relevant to users wanting to automate password changes due to a password rotation policy, and any limitations on rotating encryption keys.