Improve Secure Vars



Travis-CI handles secure vars in a really nice way. Vars can be encrypted, and they are only available on internal PRs. This means that you can continue to run tests on external PRs without risking exposing secure data used for deployments.

Replicating this functionality in CircleCI would be extremely useful.


This functionality already exists. If you add ENVARS via the UI, they are only available to builds that original from that same repo. The only way to expose these to external PRs is to enable “permissive builds” under the configuration settings in the UI.


Hi Levlaz, smiller171

– can you elaborate on how ENVVARS are secured? The answer I want to hear is that they’re never written to storage in clear-text, and are stored encrypted with a key that is encrypted with the customer’s credentials.

Thanks, Peter


Environment variables are never written (or sent over the wire) in clear-text. They are stored encrypted.


I got busy and never came back to this, so sorry to revive an old topic. I think I was unclear in my original post. Circle lets you either resolve all variables all the time, or not resolve any on PRs. Travis gives you two groups, one set of vars that are just config and not secure, which are available to any build, and another set that are secure and not available to PRs from another fork. This allows for a lot of flexibility that isn’t available in Circle.