Gist lcamilo15/bc6b6f8dca9fa27c5641d20006bc7e1d
Revisions
psenger revised this gist on Feb 1, 2020. No changes.
psenger created this gist on Jan 5, 2018.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1 @@ U2FsdGVkX18bL0goCbiTjHFGnkwWagZSYjhvkaU1hXA= This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1 @@ U2FsdGVkX19I2jmLcLYbddr8SGhfh3n/BuKY2uDmwis= This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1 @@ U2FsdGVkX19fH47Rl6T+HzlJiFK1ZJLXNN8sh87yN4A= This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1,3 @@ export ENVPASSWORD=ZuCmYE2qD6UU3C2Yh9BcB9Yin export ENV=DEV export $(openssl aes-256-cbc -d -a -in ./.env.$ENV.enc -pass env:ENVPASSWORD | xargs) This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change 
@@ -0,0 +1,3 @@ export ENVPASSWORD=ZuCmYE2qD6UU3C2Yh9BcB9Yin export ENV=PROD export $(openssl aes-256-cbc -d -a -in ./.env.$ENV.enc -pass env:ENVPASSWORD | xargs) This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change 
@@ -0,0 +1,48 @@ # OpenSSL Encrypted Environment Variables Both TravisCi, CodeShip, AWS, Docker Swarm and many professional platforms provide mechanisms to encrypt environment variables and pass them to the container. The key for the variables is stored in their key store mechanism. However, if you wanted to use something universal, Good luck. I spent hours and couldn't find anything. If you find a solution please feel free to let me know, I would appreciate it. I decided to use Open SSL with two variables. The variables are a Symmetric Encryption Key and Destination Environment value. These two variables are used to decrypt the correct env file and expand the variables into the shell. These two variables are sent to the container with the env files that are encrypted. As you can guess, this technique has problems ( as do all techniques ): * The key and destiny environment values are passed as clear text to the container ( but can be encrypted with the platforms techniques ). * The deployment has to decrypt the values and pass them to the shell... writing a file would be bad and this makes things complicated. * All the environment variables ( encrypted ) have to be bundled with the deployment. ## Layout and files files ```.env.<ENV>.enc``` were <ENV> is ``DEV``, ``PROD``, ``TEST`` are the encrypted environment files. files ```<ENV>-example.sh``` were <ENV> is ``DEV``, ``PROD``, ``TEST`` are test files and should be deleted. ``` . |____.env.DEV.enc |____.env.PROD.enc |____.env.TEST.enc |____TEST-example.sh |____DEV-example.sh |____PROD-example.sh ``` ## The file that is encrypted looks like this.... ``` export X=TEST ``` ## Environment variables for this example. you need these two. I used the same key for all three environments ( bad idea ) ```ENVPASSWORD``` ```ENV``` tell this script which file to decrypt. 
``` export ENVPASSWORD=ZuCmYE2qD6UU3C2Yh9BcB9Yin export ENV=TEST ``` - Phil This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1,3 @@ export ENVPASSWORD=ZuCmYE2qD6UU3C2Yh9BcB9Yin export ENV=TEST export $(openssl aes-256-cbc -d -a -in ./.env.$ENV.enc -pass env:ENVPASSWORD | xargs) This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1,5 @@ # Not a good idea to leave the decrypted file in the system. You might need to see it, this is how. openssl aes-256-cbc -d -a -in ./.env.DEV.enc -pass env:ENVPASSWORD -out ./.env export $(openssl aes-256-cbc -d -a -in ./.env.$ENV.enc -pass env:ENVPASSWORD | xargs) && echo $X
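Review bot: The three one-line `.env.DEV.enc`, `.env.PROD.enc` and `.env.TEST.enc` hunks are `openssl aes-256-cbc -a` output (the `U2FsdGVkX1` prefix is the base64 "Salted__" header) made with a `-pass` password and no `-pbkdf2`, so the key comes from OpenSSL's legacy single-iteration EVP_BytesToKey derivation; once the blobs sit in a public gist next to the password in the `*-example.sh` files, that derivation gives no margin at all, and even with the password removed it is weak against offline guessing. Encrypt with `openssl aes-256-cbc -a -salt -pbkdf2 -iter 100000` and decrypt with the same flags (the two derivations are not interchangeable, so every `-d` line in this gist must change together). CBC also carries no integrity check: a truncated or altered blob decrypts to garbage that the example scripts then `export` into the shell, so either verify a detached HMAC over each `.enc` file before decrypting or switch to an AEAD tool for this job.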
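Review bot: In the `DEV-example.sh`, `PROD-example.sh` and `TEST-example.sh` hunks the real decryption password `ZuCmYE2qD6UU3C2Yh9BcB9Yin` is hardcoded on the first line; the README says these files "should be deleted", but they are now in the gist's revision history, so the password must be treated as disclosed and rotated, and the committed copies should carry a placeholder such as `export ENVPASSWORD=<set-me>` or pull the value from the CI secret store the README mentions. The third line, `export $(openssl ... | xargs)`, is also fragile: the decrypted file already reads `export X=TEST`, so the shell actually executes `export export X=TEST` (it works only because `export` happens to be a legal variable name), and any value containing spaces, quotes or glob characters is split or mangled by `xargs` and word splitting. Since the plaintext is already a list of `export` statements, `eval "$(openssl ...)"` or, in bash, `. <(openssl ...)` sources it faithfully. Keeping `-pass env:ENVPASSWORD` rather than `-pass pass:...` is the right call, as it keeps the password out of the process list.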
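Review bot: The README hunk prints the live password (`export ENVPASSWORD=ZuCmYE2qD6UU3C2Yh9BcB9Yin`) under "Environment variables for this example" and admits the same key is used for all three environments; the documentation should show a placeholder, and DEV, TEST and PROD need distinct keys so that a key handed to a developer box cannot open `.env.PROD.enc`. The "Layout and files" section would also be the right place to state that `.env` (the plaintext) belongs in `.gitignore`, since the scratch file in this same revision writes it to the working directory. Two wording fixes: "were <ENV> is" should read "where <ENV> is" (twice), and "destiny environment values" should be "destination environment values".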
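Review bot: The five-line hunk whose comment says "Not a good idea to leave the decrypted file in the system" then does exactly that on line 2 with `-out ./.env`, writing plaintext secrets into the working directory with the default umask and no cleanup; if the file has to be inspected, pipe the output to a pager instead (`openssl ... | less`) or at minimum overwrite and delete it afterwards (`shred -u ./.env` on GNU systems). Line 3 ends in `&& echo $X`, which prints the decrypted secret to stdout and therefore into any CI build log; a presence check such as `[ -n "$X" ]` gives the same confirmation without disclosing the value. Note also that line 2 names `.env.DEV.enc` while line 3 uses `.env.$ENV.enc`, so with `ENV=PROD` the two commands inspect different files.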