Are you stressed because a coworker left the company without documenting secret usage? Struggling to reverse-engineer encrypted secrets for critical workflows?
Simplify your process with this guide on securely encrypting and decrypting secrets in GitHub Actions. This practical approach keeps your sensitive information secure, keeps your workflows running smoothly, and strengthens your security practices.
Learn how to use environment variables and OpenSSL for robust encryption, ensuring you have the tools to handle secrets efficiently. Stay secure and organised with these straightforward steps.
Here's a step-by-step process to encrypt and decrypt a secret locally using OpenSSL and base64 encoding:
- Generate a 256-bit encryption key.
- Encrypt the secret.
- Base64 encode the encrypted secret.
- Decrypt the base64 encoded encrypted secret.
```bash
# Step 1: Generate a 256-bit encryption key (44 base64 characters)
export KEY=$(openssl rand -base64 32)
echo "Encryption Key: $KEY"

# Step 2: Define the secret to be encrypted
export CLIENT_ID="super-super-secret"
echo "Original CLIENT_ID: $CLIENT_ID"

# Step 3: Encrypt the CLIENT_ID and base64 encode the result (-A keeps it on one line)
ENCRYPTED_CLIENT_ID=$(echo -n "$CLIENT_ID" | openssl enc -aes-256-cbc -base64 -A -salt -pbkdf2 -pass "pass:$KEY")
echo "Encrypted and Base64 Encoded CLIENT_ID: $ENCRYPTED_CLIENT_ID"

# Step 4: Decrypt the base64 encoded encrypted CLIENT_ID with the same key and KDF settings
DECRYPTED_CLIENT_ID=$(echo "$ENCRYPTED_CLIENT_ID" | openssl enc -aes-256-cbc -d -base64 -A -pbkdf2 -pass "pass:$KEY")

# Print the decrypted CLIENT_ID
echo "Decrypted CLIENT_ID: $DECRYPTED_CLIENT_ID"
```
If the output shows the correct decrypted CLIENT_ID, then the encryption and decryption process is working as expected. Here's a sample of what the output might look like:

```text
Encryption Key: <generated_encryption_key>
Original CLIENT_ID: super-super-secret
Encrypted and Base64 Encoded CLIENT_ID: <encrypted_and_base64_encoded_client_id>
Decrypted CLIENT_ID: super-super-secret
```
Easy, right?
Now let's use this knowledge within GitHub workflows.
```yaml
name: Encrypt Secrets
on:
  workflow_dispatch:
jobs:
  encrypt-secrets:
    runs-on: ubuntu-latest
    environment: prod
    env:
      SP_CLIENT_ID: ${{ secrets.SP_CLIENT_ID }}
      SP_CLIENT_SECRET: ${{ secrets.SP_CLIENT_SECRET }}
      AES_SECRET_KEY: ${{ secrets.AES_SECRET_KEY }}
    steps:
      # This workflow securely encrypts SP_CLIENT_ID and SP_CLIENT_SECRET using AES-256-CBC
      # with PBKDF2 key derivation and prints the encrypted values. This ensures the secrets
      # are not exposed in plaintext logs.
      #
      # Setup:
      # 1. Generate a 256-bit encryption key:
      #      openssl rand -base64 32
      # 2. Add the following secrets to your repository:
      #      - SP_CLIENT_ID: Your client ID
      #      - SP_CLIENT_SECRET: Your client secret
      #      - AES_SECRET_KEY: The generated encryption key
      # 3. Manually trigger this workflow via the Actions tab.
      #
      # Decrypting Encrypted Data:
      # 1. Use these commands locally to decrypt:
      #      echo "<encrypted_SP_CLIENT_ID>" | openssl enc -aes-256-cbc -d -base64 -A -pbkdf2 -pass pass:<your_secret_key>
      #      echo "<encrypted_SP_CLIENT_SECRET>" | openssl enc -aes-256-cbc -d -base64 -A -pbkdf2 -pass pass:<your_secret_key>
      #    Replace <encrypted_SP_CLIENT_ID> and <encrypted_SP_CLIENT_SECRET> with values from the logs
      #    and <your_secret_key> with the encryption key.
      - name: Check out repository
        uses: actions/checkout@v4

      - name: Encrypt SP_CLIENT_ID
        run: |
          ENCRYPTED_CLIENT_ID=$(echo -n "$SP_CLIENT_ID" | openssl enc -aes-256-cbc -base64 -A -salt -pbkdf2 -pass "pass:$AES_SECRET_KEY")
          echo "Encrypted SP_CLIENT_ID: $ENCRYPTED_CLIENT_ID"
          echo "To decrypt, use: echo '$ENCRYPTED_CLIENT_ID' | openssl enc -aes-256-cbc -d -base64 -A -pbkdf2 -pass pass:<your_secret_key>"

      - name: Encrypt SP_CLIENT_SECRET
        run: |
          ENCRYPTED_CLIENT_SECRET=$(echo -n "$SP_CLIENT_SECRET" | openssl enc -aes-256-cbc -base64 -A -salt -pbkdf2 -pass "pass:$AES_SECRET_KEY")
          echo "Encrypted SP_CLIENT_SECRET: $ENCRYPTED_CLIENT_SECRET"
          echo "To decrypt, use: echo '$ENCRYPTED_CLIENT_SECRET' | openssl enc -aes-256-cbc -d -base64 -A -pbkdf2 -pass pass:<your_secret_key>"
```
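As an added example (not part of the original post or workflow), the script below wraps the same `openssl enc` round trip used above in functions so it can be verified before you rely on it: it checks that a secret with spaces and shell metacharacters survives encryption and decryption, and that decrypting with a different key is rejected rather than silently returning garbage. It passes the key with `-pass env:AES_SECRET_KEY` instead of `-pass pass:$AES_SECRET_KEY`, so the key does not appear in the process list on the runner; the output stays compatible with the post's decryption commands. The function names and the sample key are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Same cipher and KDF flags as the
# workflow (AES-256-CBC, PBKDF2, salted, single-line base64); the key is read
# from the environment so it never lands on a command line.
set -eu

# Encrypt $1 under $AES_SECRET_KEY and print one base64 line.
encrypt_secret() {
  printf '%s' "$1" | openssl enc -aes-256-cbc -base64 -A -salt -pbkdf2 -pass env:AES_SECRET_KEY
}

# Decrypt a line produced by encrypt_secret (or by the workflow above).
# openssl exits non-zero with "bad decrypt" when the key is wrong.
decrypt_secret() {
  printf '%s' "$1" | openssl enc -aes-256-cbc -d -base64 -A -pbkdf2 -pass env:AES_SECRET_KEY
}

# Encrypt then decrypt $1 and print the recovered value; fail if it differs.
roundtrip() {
  ct=$(encrypt_secret "$1")
  pt=$(decrypt_secret "$ct")
  [ "$pt" = "$1" ] || { echo "round trip mismatch" >&2; return 1; }
  printf '%s' "$pt"
}

# Succeed only if decrypting $1's ciphertext under a different key does NOT
# yield the original secret. CBC padding usually makes openssl fail outright;
# in the rare case the padding happens to look valid, the output is garbage.
wrong_key_is_rejected() {
  ct=$(encrypt_secret "$1")
  pt=$( (export AES_SECRET_KEY="$(openssl rand -base64 32)"; decrypt_secret "$ct" 2>/dev/null) || true )
  [ "$pt" != "$1" ]
}

# Constructed sample key for local runs; in CI it comes from secrets.AES_SECRET_KEY.
export AES_SECRET_KEY="${AES_SECRET_KEY:-$(openssl rand -base64 32)}"

# Local demo: encrypted form differs from the input, decryption restores it.
echo "Encrypted: $(encrypt_secret 'super-super-secret')"
echo "Decrypted: $(roundtrip 'super-super-secret')"
```

Run it once with the key you stored in `AES_SECRET_KEY` to confirm your local OpenSSL build accepts the same flags as the runner's before trusting the logged ciphertexts.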