Is a file with both public and secret content a secret or not?

Question

This question showed up while debating whether a configuration file with public application settings and secret values should be stored in Hashicorp's Vault as a secret.

LinuxBender · Accepted Answer

A file that would contain a secret should have the secret attributes parameterized and the attribute modified on deployment using Hashicorp Vault, otherwise the entire file would have to be stored in Vault meaning the entire file is a secret. This is a common pattern with Ansible, Chef, Puppet and other configuration management tools that integrate with Vault. Docker also has integrations with Vault and can replace attribute placeholders with their secret contents on deployment of containers. All of the aforementioned platforms have how-to's explaining how to correctly integrate with Vault.

smt88 · Answer

The secrets are secret. Store them securely.
If storing the secrets securely doesn't cause the public settings to be inaccessible where/when they're needed, then you have nothing else to do.
Separate the secret and non-secret data. Don't even use files, just let each item be its own individual value with its own key and permissions.
Also, it doesn't sound like anyone debating this is experienced enough to be making security decisions, even very basic ones.

gjvc · Answer

https://en.wikipedia.org/wiki/Steganography

PaulHoule · Answer

If any of it is secret then the whole thing is secret, isn&rsquo;t it? The only way around that is to break it into multiple parts.