No default path to place from application.yml.
Your question seems to me to be more about how to improve the security of access to the server that runs the application than about how to hide the user and password from other people.
An example of this is:
The attacker enters the server but does not have the database user and password, so he listens to the connections; if you are not using https, he gets the user and password even if they are hidden or stored elsewhere, because the application will need them to connect to the database.
You can opt for a configuration management system like ZooKeeper, Consul or even etcd, but you will fall into the situation I mentioned above.
Focus on server access and its security, and after that go after password security in the application, because the latter is more complicated than it seems.
Here we have great considerations on how to hide passwords for applications:
- Hide shell script application passwords: here Jenny, who wrote the answer on Stack Exchange, makes considerations ranging from how important the information contained in the database is to the company and what the financial impact is if someone gains access to the data; she also speaks of technical aspects, such as whether the user you are using is the database administrator or has the correct permissions to execute only what the application needs, and so on.
The last item she mentions, "you can never avoid saving the password somewhere", is what leads me to suggest that you start your security at the periphery of your application: who accesses the server, who can access it, who accesses the network, and whether it is easy to get into the server.
Thanks for the reply. The Stack Exchange link is very interesting; I will share it here in the company.
– Marquezani
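As an added example (not part of the original answer or comment), the two server-side points raised above, who on the server can read the file holding the credentials and whether the configured database user is an administrator, can be checked with a short audit script. The `spring.datasource` layout, the list of administrator account names, the host name and the helper names are assumptions made for illustration.

```python
import os
import re
import stat
import tempfile

# Assumption: account names commonly used as database superusers.
ADMIN_USERS = {"root", "sa", "postgres", "admin", "sys", "system"}


def audit_config(path):
    """Return findings for a YAML config file that holds database credentials."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    # Anyone with a shell on the server who falls in "group" or "other" can read it.
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(f"file mode {mode:o}: readable by group or other users")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"file mode {mode:o}: writable by group or other users")
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            m = re.match(r"\s*username:\s*['\"]?([^'\"#\s]+)", line)
            if m and m.group(1).lower() in ADMIN_USERS:
                findings.append(f"username '{m.group(1)}' looks like a database administrator")
    return findings


def write_sample(text, mode):
    """Write a constructed sample config to a temp file with the given mode."""
    fd, path = tempfile.mkstemp(suffix=".yml")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(text)
    os.chmod(path, mode)
    return path


# Constructed sample input (hypothetical host, user and password values).
WEAK = (
    "spring:\n  datasource:\n"
    "    url: jdbc:postgresql://db.example.internal/app\n"
    "    username: postgres\n    password: example-only\n"
)
HARDENED = WEAK.replace("username: postgres", "username: app_rw")

if __name__ == "__main__":
    for label, text, mode in (("weak", WEAK, 0o644), ("hardened", HARDENED, 0o600)):
        sample = write_sample(text, mode)
        print(label, audit_config(sample) or "no findings")
        os.remove(sample)
```

The password is still stored in the file in both cases; the check only narrows who on the server can read it and how much the stored account can do.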