Using git-crypt with CircleCI


#1

I have some secrets that I store in a text file that is encrypted with git-crypt and committed to Git. This lets me share these secrets with other trusted people or across several development computers even if the Git repo is public. The current workflow on a development computer is to unlock the encrypted text file, load the contents into environment variables, and then run the app or deploy it.

I’d like to do the same on CircleCI. git-crypt has a way to export a symmetric private key that can unlock the encrypted file, but the key is a binary file. I can’t set it as the value of a secret environment variable in the CircleCI UI. I’m thinking of converting the key from binary to base64, setting it as an environment variable, and then converting it back on the CI host. Has anyone else run into this problem and solved it, though?


#2

My first suggestion would be to go the base64 route.


#3

I do something very similar using openssl enc. It works well with Circle, because both the encrypted data and the key are ASCII.

eval $(openssl aes-256-cbc -d -a -A -k KEY_GOES_HERE <<<$ENV)

git-crypt uses GPG, so it should be possible to ASCII armour the GPG key.

Cheers,
Shaun


#4

I ended up encoding the key in base 64 and decoding it with:

echo "$GIT_CRYPT_KEY" | base64 -d > git-crypt.key
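The export/decode workflow from posts #1 and #4, as an added example that is not code from any of the posts above. It assumes GNU coreutils (`base64 -w0`, `mktemp`), the `GIT_CRYPT_KEY` variable name used in #4, and git-crypt's `export-key` and `unlock` subcommands; it also validates the decoded input and keeps the key file out of the checkout.

```shell
#!/usr/bin/env sh
# Added example: carry a git-crypt symmetric key through a CircleCI
# environment variable as base64. Assumes GNU coreutils.

# On a trusted development machine: write the binary key to a temporary file
# and print it as ONE base64 line. `-w0` disables line wrapping, since a
# wrapped multi-line value is awkward to paste into the CircleCI env-var UI.
export_key_b64() {
    tmp=$(mktemp) || return 1
    git-crypt export-key "$tmp" && base64 -w0 < "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# On the CI host: decode the base64 value into a file created by mktemp
# (mode 0600, owned by the CI user) under $TMPDIR, outside the checkout so
# it can never be committed. Prints the key path; non-zero on bad input.
restore_key() {
    b64="$1"
    [ -n "$b64" ] || { echo "GIT_CRYPT_KEY is empty" >&2; return 1; }
    keyfile=$(mktemp "${TMPDIR:-/tmp}/git-crypt.XXXXXX") || return 1
    # base64 -d exits non-zero on malformed input; never leave a partial key.
    if ! printf '%s' "$b64" | base64 -d > "$keyfile" 2>/dev/null; then
        rm -f "$keyfile"
        echo "GIT_CRYPT_KEY is not valid base64" >&2
        return 1
    fi
    echo "$keyfile"
}

# Decrypt the working tree, then delete the key file however unlock ends.
unlock_repo() {
    keyfile=$(restore_key "$GIT_CRYPT_KEY") || return 1
    trap 'rm -f "$keyfile"' EXIT
    git-crypt unlock "$keyfile"
}
```

In a CircleCI job, `unlock_repo` would run as a step after `checkout`; the unlock happens on the CI host only, so the key never appears in the build log or the repository.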

