Generate RSA keypairs for encrypting secrets


Travis CI has a feature where they generate RSA keypairs so I can encrypt secrets in my build config and they’ll decrypt using the private key they keep. I realize I can accomplish the same thing in CircleCI using environment variables (which I understand are encrypted on the inside). However, using environment variables isn’t exactly what I need because:

  1. those secrets still appear in plaintext to anyone and everyone who has access to the build config
  2. I have to maintain secrets in two different places (CircleCI envvars and in my config management repo)
  3. I can’t version control encrypted secrets

Here are the relevant docs on Travis CI explaining how it works from the user’s perspective: