| id | title |
|---|---|
encrypting-sensitive-configuration |
Encrypting sensitive configuration |
Certain configuration items such as access tokens or secret keys are quite sensitive and should not be committed to the repository in plain text. Silta supports decrypting certain files during the build process.
We use openssl to encrypt files, but there are many versions available with incompatible ciphers.
We therefore recommend the following process:
-
SSH into a CircleCI environment using "Rerun workflow > Rerun job with SSH" from the last build. Note that different environments might have different circleci contexts and hence - different encryption keys. Check your circleci config file for context information. You will get a command like (the actual IP and port changes for each build)
ssh -p 64537 3.80.240.10
If you have trouble getting in, please refer to
troubleshooting.mdSSH section. -
Create your file named
/tmp/secret_file. -
Encrypt it with
openssl aes-256-cbc -pbkdf2 -in /tmp/secret_file -out /tmp/encrypted_file -pass env:SECRET_KEY
Make sure that the
-inand-outparameters are not the same, or openssl will encrypt its own output. -
Now copy the encrypted file back to your local environment with
scp -P 64537 3.80.240.10:/tmp/encrypted_file path/to/file
The port and IP should be the same as the SSH instructions. Note that
-Pis uppercase forscp!You might get an error like "subsystem request failed on channel 0 scp: Connection closed" Try to use -O as an argument, like this:
scp -O -P 64537 3.80.240.10:/tmp/encrypted_file path/to/file
-
Commit the encrypted file to git at the location where you want to have it.
-
In your CircleCI configuration, add following
- Drupal chart: Add following under
silta/drupal-build-deploy:
decrypt_files: path/to/file
- Drupal chart: If using multiple secret files separate them with a comma (space separation work but is deprecated). For example:
decrypt_files: silta/secrets,silta/secrets-this,silta/secrets-that
- Frontend chart: Add following under
codebase-build:
- silta/decrypt-files: files: path/to/file
path/to/fileis relative to the build folder (root)
- Drupal chart: Add following under
-
Your secret file can also contain an extension to the configuration in silta.yml, for example to set encrypted environment variables. To do that, add this to your
drupal-build-deployCircleCI job:silta_config: silta/silta.yml,silta/secrets
-
Push your code, the file will get decrypted in place at the build time. Check the CircleCI step "Decrypt secret files".
-
Your secret file can be used as it is (for example, the private key to connect to another service).
Drupal chart
php:
env:
PAYMENT_GW_KEY: '1234567890qwertyuiop'Frontend chart
services:
myservice:
env:
PAYMENT_GW_KEY: '1234567890qwertyuiop'For cases where you want to have your own encryption key, you can do that with the following steps:
- Create an environment variable in your CircleCI project.
Click the gear icon on a build page > Environment variables > Add Variable.
Use a name like
MYPROJECT_SECRET_KEYand the value of your choice (preferably a strong key). - Use the same step as above, but specify the environment variable to be used as the decryption key:
- silta/decrypt-files: files: path/to/file secret_key_env: MYPROJECT_SECRET_KEY
Check the port and IP address by Rerunning the latest workflow in CircleCI: > Rerun job with SSH
Using the SSH port and IP address securely copy your silta/secrets file to CircleCI
scp -P 64537 silta/secrets 3.80.240.10:/tmp/encrypted_fileSSH to CircleCI using the correct port/IP you got from rerunning the job with SSH
ssh -p 64537 3.80.240.10Run following command in CircleCI:
openssl aes-256-cbc -pbkdf2 -d -in /tmp/encrypted_file -out /tmp/decrypted_file -pass env:SECRET_KEYCheck /tmp/decrypted_file or scp it back to your local using
scp -P 64537 3.80.240.10:/tmp/decrypted_file silta/secrets_decrypted