
How to encrypt your Travis keys

The Travis docs say that the easiest way to encrypt keys, e.g. to upload to S3, is to use their command line tool.

Are there other ways to do this that don't involve installing Ruby etc. just to use their command line tool?

Graham Chiu asked Mar 01 '17 07:03



1 Answer

There happens to be a JavaScript method, and it's available here with the corresponding GitHub repo here.

To use encrypted S3 keys is moderately confusing because the principles are not well explained in the Travis docs.

In the top left field of the form mentioned above you enter your Travis-CI userid/repo-name, which allows the script to pull down the public key for your repository that has been created by Travis.

In the right top field, you enter:

AWS_ACCESS_KEY_ID:...the..access..string..from..Amazon.IAM...

Click on Encrypt and copy the string generated below Encrypted Data.

Then in the right top field, you enter:

AWS_SECRET_ACCESS_KEY:...the.very.secret.string.from.Amazon.IAM...

and again copy the encrypted string. Note that the encrypted strings change each time due to random data being included in the encrypted strings.

These encrypted key pairs are decrypted by Travis and exported as environment variables. You enter them in the .travis.yml file like this:

env:
  global:
    # travis encrypt AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID
    - secure: "--first-very--long-encrypted-string--="
    # travis encrypt AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY
    - secure: "--second--very-long-encrypted-string--="
    - AWS_S3_BUCKET_NAME: yourbucketname

Now in the deploy section, you reference them by using the names you used for the encryption pair.

deploy:
  provider: s3
  # these are set up in the global env
  access_key_id: $AWS_ACCESS_KEY_ID
  secret_access_key: $AWS_SECRET_ACCESS_KEY
  bucket: $AWS_S3_BUCKET_NAME
  skip_cleanup: true
  upload-dir: travis-builds

If you had used the name ACCESS_ID in global env when you encrypted it, then in deploy you would refer to it as $ACCESS_ID.

The upload-dir is created in the named bucket.

When your build runs in Travis, the decrypted keys are not exposed. Instead what you see is:

See https://docs.travis-ci.com/user/workers/container-based-infrastructure/ for details.
Setting environment variables from .travis.yml
$ export AWS_ACCESS_KEY_ID=[secure]
$ export AWS_SECRET_ACCESS_KEY=[secure]
$ export AWS_S3_BUCKET_NAME=yourbucketname
Graham Chiu answered Oct 10 '22 02:10
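The encryption the JavaScript form performs, written out as an added example (not the answer's tool, the linked repo, or Travis's own code) in Go so it runs offline: a throwaway RSA key pair generated in-process stands in for the repository key Travis publishes, and PKCS#1 v1.5 padding is assumed here to match what `travis encrypt` produces.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"encoding/base64"
	"fmt"
)

// EncryptForTravis builds the base64 string that goes under `- secure:` in
// .travis.yml: the bytes of "NAME=value" encrypted with the repository's RSA
// public key (PKCS#1 v1.5 padding, assumed to match `travis encrypt`).
func EncryptForTravis(pub *rsa.PublicKey, name, value string) (string, error) {
	ct, err := rsa.EncryptPKCS1v15(rand.Reader, pub, []byte(name+"="+value))
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(ct), nil
}

// DecryptSecure is the step only Travis can perform, since it alone holds the
// private key: recover "NAME=value" so the worker can export it as an env var.
func DecryptSecure(priv *rsa.PrivateKey, secure string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(secure)
	if err != nil {
		return "", err
	}
	pt, err := rsa.DecryptPKCS1v15(rand.Reader, priv, ct)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	// Throwaway key pair standing in for the repository key (constructed; the
	// real public key would be fetched from Travis for your user/repo).
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	// Constructed placeholder credential, not a real IAM access key.
	s1, _ := EncryptForTravis(&priv.PublicKey, "AWS_ACCESS_KEY_ID", "AKIAEXAMPLEPLACEHOLDER")
	s2, _ := EncryptForTravis(&priv.PublicKey, "AWS_ACCESS_KEY_ID", "AKIAEXAMPLEPLACEHOLDER")
	// PKCS#1 v1.5 pads with random bytes, so the same input encrypts differently
	// on every run, which is why the form's output changes each time.
	fmt.Println("ciphertexts differ:", s1 != s2)
	pt, _ := DecryptSecure(priv, s1)
	fmt.Println("Travis would export:", pt)
}
```

The build log shows `[secure]` in place of the decrypted value because the worker masks these variables when echoing the export lines.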