Using git-crypt with CircleCI

ide · November 26, 2016, 3:31am

I have some secrets that I store in a text file that is encrypted with git-crypt and committed to Git. This lets me share these secrets with other trusted people or across several development computers even if the Git repo is public. The current workflow on a development computer is to unlock the encrypted text file, load the contents into environment variables, and then run the app or deploy it.

I’d like to do the same on CircleCI. git-crypt has a way to export a symmetric private key that can unlock the encrypted file, but the key is a binary file. I can’t set it as the value of a secret environment variable in the CircleCI UI. I’m thinking to convert the key from binary to base64, set it as an environment variable, and then convert it back on the CI host. Has anyone else run into this problem and solved it though?

FelicianoTech · November 26, 2016, 4:42pm

My first suggestion would be to go the base64 route.

sjackman · December 1, 2016, 6:46pm

I do something very similar using openssl enc. It works well with Circle, because both the encrypted data and the key are ASCII.

eval $(openssl aes-256-cbc -d -a -A -k KEY_GOES_HERE <<<$ENV)

git-crypt uses GPG, so it should be possible to ASCII armour the GPG key.

Cheers,
Shaun

ide · December 16, 2016, 10:07am

I ended up encoding the key in base 64 and decoding it with:

echo "$GIT_CRYPT_KEY" | base64 -d > git-crypt.key

Topic		Replies	Views
Passing git-crypt symmtric key in CirclCI Deployments	2	1739	December 27, 2018
Scp using public key Deployments	8	10463	June 18, 2018
Disable SSH Build Environment ssh	21	6183	March 9, 2023
Removal of ~/.ssh/id_rsa from Ubuntu build environment Build Environment ssh , keys , ruby	2	2358	June 18, 2018
SSH-Key not found for private repository Build Environment ssh	2	2028	September 12, 2018

Using git-crypt with CircleCI

Related Topics