Do any version control systems allow you to specify line level security restrictions rather than file level? I know it would be horrible to maintain. If I wanted to never allow certain strings into the database should I be looking into the notion of hooks and manage all the very sensitive information in that hook layer? How do hooks get replicated from system to system?
Update: Maybe the best way to manage this is to pgp encrypt the sensitive data and those who cannot decrypt it will be left in the dark. Any thoughts on that? Probably not a best practice from a security standpoint.
We had the same problem and decided to solve it by setting up a second repository.
This originated when I needed to store our configuration management files in version control, which contained sensitive information. It made sense to store the sensitive data from our applications in there as well.
We originally used svn externals and git submodules to include the sensitive data, but later found it less troublesome to just simlink to another location.
I also find it helpful to add the proper ignores to prevent the same files ever getting checked in to the development repository. Since doing this we have not had anyone accidentally check in anything sensitive.
It helps try an keep the sensitive information contained in a concise set of config files — I would not spread it out, put it one place and guard that place.