diff --git a/.circleci/config.yml b/.circleci/config.yml
new file mode 100644
index 0000000..8efcb95
--- /dev/null
+++ b/.circleci/config.yml
@@ -0,0 +1,31 @@
+version: 2
+general:
+ branches:
+ only:
+ - master
+
+jobs:
+ build:
+
+ docker:
+ - image: circleci/openjdk:8-jdk
+
+ working_directory: ~/project
+
+ steps:
+
+ - checkout
+
+ - run:
+ name: Decrypt and source env vars
+ command: |
+ cd .circleci
+ chmod +x set-env-vars.sh
+ ./set-env-vars.sh
+
+ - run:
+ name: Access env vars in another script
+ command: |
+ cd .circleci
+ chmod +x print-env-vars.sh
+ ./print-env-vars.sh
diff --git a/.circleci/decrypt-local.sh b/.circleci/decrypt-local.sh
new file mode 100755
index 0000000..60bbb87
--- /dev/null
+++ b/.circleci/decrypt-local.sh
@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+
+openssl aes-256-cbc -d -md sha256 \
+ -in env.cipher \
+ -out env.generated \
+ -pass env:CIRCLE_OPEN_SSL_PASSWORD
diff --git a/.circleci/encrypt-local.sh b/.circleci/encrypt-local.sh
new file mode 100755
index 0000000..4e09fe4
--- /dev/null
+++ b/.circleci/encrypt-local.sh
@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+
+openssl aes-256-cbc -e -md sha256 \
+ -in env.plain \
+ -out env.cipher \
+ -pass env:CIRCLE_OPEN_SSL_PASSWORD
diff --git a/.circleci/env.cipher b/.circleci/env.cipher
new file mode 100644
index 0000000..008e4df
--- /dev/null
+++ b/.circleci/env.cipher
@@ -0,0 +1 @@
+Salted__Ѧ/~/qE&d.gqU`<
\ No newline at end of file
diff --git a/.circleci/print-env-vars.sh b/.circleci/print-env-vars.sh
new file mode 100644
index 0000000..902d2f5
--- /dev/null
+++ b/.circleci/print-env-vars.sh
@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+
+# Printing the values of the env vars for testing and verification.
+# Do not do this in a production setup!
+# Do not use actual sensitive data for testing!
+echo "FOO: ${FOO} BAR: ${BAR}"
diff --git a/.circleci/set-env-vars.sh b/.circleci/set-env-vars.sh
new file mode 100755
index 0000000..297e2e3
--- /dev/null
+++ b/.circleci/set-env-vars.sh
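Review bot: The `general: branches: only: master` block at the top of the new config.yml is CircleCI 1.0 syntax and, as far as I can tell, is not honoured by a `version: 2` config, so the `build` job will run for every branch and pull request that the project builds, and each of those runs decrypts the secrets into `$BASH_ENV`. The 2.0 equivalent is a `workflows` entry that attaches `filters: branches: only: master` to the `build` job, which is where the restriction should live if the intent is master-only decryption. It would also help to note at the `Decrypt and source env vars` step what is not visible in the YAML: `# set-env-vars.sh appends the decrypted KEY=value lines to $BASH_ENV, which CircleCI sources at the start of every later step`.
```yaml
# … unchanged: version, jobs.build (docker image, working_directory, steps) …
workflows:
  version: 2
  build-master:
    jobs:
      - build:
          filters:
            branches:
              only: master
```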
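Review bot: `openssl aes-256-cbc … -pass env:CIRCLE_OPEN_SSL_PASSWORD` in decrypt-local.sh derives the key from the passphrase with OpenSSL's legacy single-pass key derivation, so a weak `CIRCLE_OPEN_SSL_PASSWORD` is inexpensive to guess offline against the committed `env.cipher`, and plain CBC carries no integrity check, so a modified ciphertext decrypts to altered or garbage plaintext instead of failing. On OpenSSL 1.1.1 or newer, adding `-pbkdf2 -iter 100000` to this command, to the matching one in `encrypt-local.sh`, and to the one in `set-env-vars.sh` (all three must use identical options or decryption fails) makes guessing considerably more expensive; the explicit `-md sha256` is already a good choice because it pins the digest across the differing OpenSSL 1.0 and 1.1 defaults. Reading the passphrase via `env:` is also an improvement over the `-k $KEY` form in the deleted circle.yml, which exposed the key in the process argument list. A one-line header comment in each script, e.g. `# cipher options must match encrypt-local.sh, decrypt-local.sh and set-env-vars.sh exactly`, would keep the three from drifting apart.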
@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+
+openssl aes-256-cbc -d -md sha256 \
+ -in env.cipher \
+ -pass env:CIRCLE_OPEN_SSL_PASSWORD \
+ >> $BASH_ENV
diff --git a/.gitignore b/.gitignore
index 3104485..4730ee0 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,3 @@
-/secret-env-plain
\ No newline at end of file
+.idea
+*.plain
+*.generated
diff --git a/README.md b/README.md
index d6aeb50..e3bc25f 100644
--- a/README.md
+++ b/README.md
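Review bot: `>> $BASH_ENV` at the end of set-env-vars.sh is unquoted and unguarded: outside CircleCI `BASH_ENV` is normally unset, so bash fails with an ambiguous redirect, and inside CircleCI a wrong passphrase or a corrupted `env.cipher` may still leave partial or garbage output in the file that every later step sources, since openssl only reports the failure after it has started writing. Safer to fail early and append only on success: `: "${BASH_ENV:?BASH_ENV is not set}"`, then `out=$(openssl aes-256-cbc -d -md sha256 -in env.cipher -pass env:CIRCLE_OPEN_SSL_PASSWORD) && printf '%s\n' "$out" >> "$BASH_ENV"`. Because the file is sourced as shell, the decrypted contents are executed rather than merely read, so a header comment such as `# output is sourced by every later step; keep env.plain to quoted KEY=value lines and treat it as shell code` would make that contract explicit for whoever edits env.plain next.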
@@ -1,15 +1,98 @@ -# encrypted-files +[![CircleCI](https://circleci.com/gh/muhammed-sayadi/circleci-encrypted-files.svg?style=svg)](https://circleci.com/gh/muhammed-sayadi/circleci-encrypted-files) -This is a simple example of storing encrypted files in source for use in CircleCI builds. +# circleci-encrypted-files -In this example, the gitignored contents of `secret-env-plain` are: +This is a simple example of storing encrypted files in source for use in CircleCI builds, updated to work with +version 2 of Circle. +In this example, the git-ignored contents of `env.plain` are: + +``` +FOO=secret1 +BAR=secret2 + +``` + +Checking the build step `Access env vars in another script` on Circle, you can see that the variables were decrypted +and accessed correctly. + +## How to Test Yourself + +If you'd like to test this for your own project, here's a general step by step on how to re-produce this setup: + +1- Fork this repository into your account. + +2- Setup Circle project for your newly created repository. + +3- In Circle's Project Settings, set the environment variable `CIRCLE_OPEN_SSL_PASSWORD` to a secured password. +Remember this value since you're going to use it later. + +4- Clone the repository to your local machine. + +5- Set the same environment variable `CIRCLE_OPEN_SSL_PASSWORD` to the same value on your local machine. + +6- Create a file called `env.plain` and enter the environment variables you want secured. For example, enter the +following: ``` -export FOO=secret -export BAR=alsosecret +FOO=secret3 +BAR=secret4 + ``` -If they are encrypted with `openssl aes-256-cbc -e -in secret-env-plain -out secret-env-cipher -k $KEY`, and `$KEY` is set -in the CircleCI project, the variables in `secret-env-plain` will be available in the build. 
+7- Change directory to the circle directory; where the local encrypt and decrypt scripts are: +``` +cd .circleci +``` -You could use the same process but replace the `openssl` command in `circle.yml` with `openssl aes-256-cbc -d -in secret-file-cipher -out secret-file-plain -k $KEY` to create plaintext files in the build environment instead of just exporting environment variables. +8- Grant the local encrypt and decrypt scripts execution permissions: +``` +chmod +x encrypt-local.sh +chmod +x decrypt-local.sh +``` + +9- Run the encryption script. This will update the `env.cipher` file with the encrypted values of your `env.plain`: +``` +./encrypt-local.sh +``` + +10- To verify, locally, that decryption would work as expected, run the decrypt script: +``` +./decrypt-local.sh +``` +This will generate a file called `env.generated`. + +11- Check the content of the generated file; `env.generated`. This should match exactly with your `env.plain` content. + +12- Open the `print-env-vars.sh` script, and update with your own variables. Please note that if you're forking this +public repository, you will end up with a public repository as well, so avoid testing with actual sensitive data. + +If you're following with this example, there's no need to update anything. + +13- Commit and push your changes. Note that the only file that would've changed is env.cipher. Note, also, that both +`.plain` and `.generated` extensions are ignored. If you change these, please make sure to update .gitignore as well. + +``` +# Make sure that only env.cipher is changed. +git status +``` + +``` +# Assuming that you're still in .circleci directory +git add env.cipher +``` + +``` +git commit -m "Updated env vars" +``` + +``` +git push +``` + +14- Head to Circle's dashboard and check. If everything goes well, you should see your values at the end of the +`Access env vars in another script` step. 
+
+If you're following with this example, you should see the values we set in `env.plain`:
+```
+FOO: secret3 BAR: secret4
+```
diff --git a/circle.yml b/circle.yml
deleted file mode 100644
index 4acdd5f..0000000
--- a/circle.yml
+++ /dev/null
@@ -1,8 +0,0 @@
-dependencies:
- pre:
- # update locally with:
- # openssl aes-256-cbc -e -in secret-env-plain -out secret-env-cipher -k $KEY
- - openssl aes-256-cbc -d -in secret-env-cipher -k $KEY >> ~/.circlerc
-test:
- override:
- - "echo FOO: $FOO BAR: $BAR"
\ No newline at end of file
diff --git a/secret-env-cipher b/secret-env-cipher
deleted file mode 100644
index 0b3c64f..0000000
Binary files a/secret-env-cipher and /dev/null differ