best practice for sensitive configuration data in source control?

Question

I've seen a few approaches to this problem so I'm curious what the SO community has to say about it.

If I have configuration data that is used for accessing a production database (specifically a connection string):

• Is it a bad idea to keep that information in source control (e.g. another avenue of attack for hackers)?
• If you aren't keeping it in source control then where would you keep it?
• Is this a case of "if they've gotten in to your source control server you're pretty screwed anyway"?

Answer 1

if you're worried about that issue (a concern which, frankly, I don't share), you can save your connection string encoded, with the key stored somewhere else (= a different server).