Last active July 14, 2024 16:13
If you want to give only Travis-CI access to a private key or secret file in your repository, you will need to encrypt it. Rather than storing the entire encrypted file in an environment variable, just store a secret password in a secure environment variable that you will use to encrypt and decrypt your private key file. The encryption o…
```bash
# generate your private key, put the public key on the server you will be connecting to
ssh-keygen -t rsa -f ./my_key
# generate the password/secret you will store encrypted in the .travis.yml and use to encrypt your private key
# (awk keeps only the hex digest; newer openssl versions prefix it with a "(stdin)= " style label)
head -c 10000 /dev/urandom | openssl sha1 | awk '{print $NF}' > ./secret
# encrypt your private key using your secret password
openssl aes-256-cbc -pass "file:./secret" -in ./my_key -out ./my_key.enc -a
# download your Travis-CI public key via the API, e.g. https://api.travis-ci.org/repos/travis-ci/travis-ci/key
# replace 'RSA PUBLIC KEY' with 'PUBLIC KEY' in it
# save it as a file id_travis.pub
# now encrypt your secure environment variable and secret password using the public key that you just downloaded and copy it to the clipboard
# (pbcopy is the macOS clipboard tool)
echo "MY_SECRET_ENV=$(cat ./secret)" | openssl rsautl -encrypt -pubin -inkey ./id_travis.pub | base64 | pbcopy
# insert your secure environment variable in your .travis.yml like so
# env:
#   - secure: "ENCODEDSECUREVAR"
# make sure you add my_key.enc to your repository (and never the unencrypted my_key or secret)
# to decode your encrypted private key in Travis, use the following line and it will output a decrypted my_key file
# openssl aes-256-cbc -pass "pass:$MY_SECRET_ENV" -in ./my_key.enc -out ./my_key -d -a
```
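A hardened form of the decrypt step for the CI side, as an added example that is not part of the original gist. `MY_SECRET_ENV`, `my_key` and `my_key.enc` are the gist's names; `decrypt_deploy_key` and `roundtrip_selftest` are hypothetical helpers, and the self-test uses a constructed stand-in key. It passes the secret with `env:` instead of `pass:` so the value stays out of the process argument list.

```shell
#!/bin/sh
# Added example: decrypt my_key.enc in CI with basic safety checks.
decrypt_deploy_key() {
  enc="$1"; out="$2"
  # Secure variables are not provided to pull-request builds from forks.
  if [ -z "${MY_SECRET_ENV:-}" ]; then
    echo "MY_SECRET_ENV is not set; cannot decrypt $enc" >&2
    return 2
  fi
  # umask 077 makes the decrypted key owner-only from the moment it is created.
  if ! ( umask 077
         MY_SECRET_ENV="$MY_SECRET_ENV" openssl aes-256-cbc -d -a \
           -pass env:MY_SECRET_ENV -in "$enc" -out "$out" 2>/dev/null ); then
    rm -f "$out"; return 1
  fi
  # CBC is unauthenticated: a wrong password can occasionally pass the padding
  # check and yield garbage, so confirm the result starts like a PEM private key.
  if ! head -n 1 "$out" | grep -q '^-----BEGIN .*PRIVATE KEY-----$'; then
    rm -f "$out"; return 1
  fi
}

# Round trip on constructed data: encrypt as the gist does, then decrypt with
# the right secret (must match) and a wrong one (must fail and leave no file).
roundtrip_selftest() {
  d="$(mktemp -d)" || return 1
  # Constructed stand-in for ./my_key (not a real key).
  printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'Y29uc3RydWN0ZWQ=' \
    '-----END OPENSSH PRIVATE KEY-----' > "$d/my_key"
  openssl rand -hex 20 > "$d/secret"
  openssl aes-256-cbc -a -pass "file:$d/secret" -in "$d/my_key" \
    -out "$d/my_key.enc" 2>/dev/null || { rm -rf "$d"; return 1; }
  ( MY_SECRET_ENV="$(cat "$d/secret")"
    decrypt_deploy_key "$d/my_key.enc" "$d/out" ) \
    && cmp -s "$d/my_key" "$d/out" \
    && ! ( MY_SECRET_ENV="wrong"
           decrypt_deploy_key "$d/my_key.enc" "$d/bad" ) \
    && [ ! -e "$d/bad" ]
  rc=$?; rm -rf "$d"; return "$rc"
}

# In the build script: decrypt_deploy_key ./my_key.enc ./my_key || exit 1
```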