Basic setup of manual encryption of files
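#!/bin/bash
# One-time key setup for the manual file-encryption workflow used by the
# encrypt/decrypt scripts in this gist. Produces, under ./secrets:
#   private.pem - 4096-bit RSA private key, NOT passphrase-protected
#   public.pem  - the matching public key
#   random.key  - random symmetric key that encrypts the secrets archive
set -e

# Guidance only. NOT TO BE USED
exit 1
## https://raymii.org/s/tutorials/Encrypt_and_decrypt_files_to_public_keys_via_the_OpenSSL_Command_Line.html#Decrypt_the_random_key_with_our_private_key_file

# Everything written below is key material: create it owner-readable only.
umask 077
# Deliberately not `mkdir -p`: under `set -e` an existing secrets/ aborts the
# script, so keys that are already in use are never regenerated by accident.
mkdir secrets
# Generate a private pem without a passcode. This is used to create the key file
# that can be used to encrypt and decrypt the files.
openssl genrsa -out secrets/private.pem 4096
# Create the public key from this
openssl rsa -in secrets/private.pem -pubout -out secrets/public.pem
# Create key
openssl rand -base64 128 -out secrets/random.key
# Check the consistency of private / public key: the two digests must match.
# (The original second line ran `rsa -check` on the private key, which prints
# "RSA key ok" rather than the modulus, so the digests could never agree.)
openssl rsa -modulus -noout -in secrets/private.pem | openssl md5
openssl rsa -modulus -noout -pubin -in secrets/public.pem | openssl md5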
#!/bin/bash
# ANSI colour escapes for the status lines printed by copy_files. They are
# stored as literal backslash sequences and interpreted at print time
# (echo -e / printf '%b').
readonly PURPLE='\033[0;35m'
readonly NC='\033[0m'  # reset to the terminal's default colour
#######################################
# Distribute the decrypted files from ./secrets to the places the apps read
# them from (repo root, @cloud/firebase, @apps/web).
# Globals:   PURPLE, NC (read) - colour escapes for the status lines
# Arguments: none
# Outputs:   one progress line per group of files, on stdout
# Returns:   status of the last cp (./secrets is expected to exist)
#######################################
copy_files() {
  local target

  # printf '%b' interprets the escape sequences held in PURPLE/NC.
  printf '%b\n' "${PURPLE}Copying read-write .npmrc...${NC}"
  cp -f secrets/.npmrc.publish .npmrc

  printf '%b\n' "${PURPLE}Copying read-only .npmrc...${NC}"
  for target in @cloud/firebase @apps/web; do
    cp -f secrets/.npmrc.read "$target/.npmrc"
  done

  printf '%b\n' "${PURPLE}Copying firebase runtimeConfig for test environment${NC}"
  cp -f secrets/.runtimeconfig.json .runtimeconfig.json
  cp -f secrets/.runtimeconfig.json @cloud/firebase/.runtimeconfig.json

  printf '%b\n' "${PURPLE}Copying .env for development${NC}"
  for target in @apps/web @cloud/firebase; do
    cp -f secrets/.dev.env "$target/.env"
  done
  # rm secrets.tar.gz
}
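# Decrypt the committed bundle (config/random.enc + config/secrets.enc) into
# ./secrets and hand the files out with copy_files.
#
# In CI the RSA private key arrives base64-encoded in PLEJIO_REPO_PRIVATE_KEY;
# locally it is read from secrets/private.pem. Both paths now share the same
# decrypt steps and the same `set -e` (the local branch previously ran without
# it, so a failed decrypt still went on to extract and copy).
set -e

# Temporary file holders. mktemp creates them 0600 with an unpredictable
# suffix. The old "${TMPDIR:-$HOME}"secret-... form had no '/' between
# directory and name, so with the $HOME fallback the files landed next to,
# not inside, the home directory.
TMP_ROOT="${TMPDIR:-$HOME}"
SECRET_FILE_NAME=$(mktemp "${TMP_ROOT%/}/secret-${CI_JOB_ID:-local}.XXXXXX")
PRIVATE_FILE_NAME=$(mktemp "${TMP_ROOT%/}/private-${CI_JOB_ID:-local}.XXXXXX")

# Key material and the plaintext archive must not outlive the script, even
# when a step fails part-way through.
cleanup() {
  rm -f -- "$SECRET_FILE_NAME" "$PRIVATE_FILE_NAME" secrets.tar.gz
}
trap cleanup EXIT

if [[ -n "$CI" ]]; then
  # Piped rather than passed as an argument, so the key never shows up in `ps`.
  printf '%s' "$PLEJIO_REPO_PRIVATE_KEY" | base64 --decode > "$PRIVATE_FILE_NAME"
  private_key=$PRIVATE_FILE_NAME
else
  private_key=secrets/private.pem
fi

# Decrypt the randomly generated secret key. This is needed to decrypt the file.
# `rsautl` is deprecated since OpenSSL 3.0 (pkeyutl replaces it); it is kept
# because config/random.enc is produced with rsautl by the encrypt script.
openssl rsautl -decrypt -inkey "$private_key" -in config/random.enc -out "$SECRET_FILE_NAME"
# Decrypt the file.
# NOTE(review): no -md/-pbkdf2 is given, so key derivation follows the default
# of whichever OpenSSL version runs; the encrypting and decrypting sides must
# agree — confirm when either side upgrades OpenSSL.
openssl aes-256-cbc -d -in config/secrets.enc -out secrets.tar.gz -pass "file:$SECRET_FILE_NAME"
# Retrieve the folder from the tar archive.
tar -xzf secrets.tar.gz
copy_files
# Temporary files and secrets.tar.gz are removed by the EXIT trap.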
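#!/bin/bash
## Run this script whenever new secrets are added to the repository
##
## Packs ./secrets into a tar.gz, encrypts the archive with the symmetric key
## in secrets/random.key, then encrypts that key with config/public.pem so
## only the holder of the matching private key can recover it. Writes:
##   config/secrets.enc - the encrypted archive
##   config/random.enc  - the RSA-encrypted symmetric key
set -e

## The plaintext archive must not be left behind if a later step fails.
cleanup() { rm -f -- secrets.tar.gz; }
trap cleanup EXIT

rm -f config/*.enc
## Firstly compress the secret folder. This folder is ignored by git.
## NOTE(review): everything under secrets/ is packed, including private.pem
## and random.key when they live there — confirm that is intended.
tar -zcf secrets.tar.gz secrets
## Now using the file encryption key we encrypt the compressed archive.
## NOTE(review): no -md/-pbkdf2 is given, so key derivation follows the default
## of whichever OpenSSL version runs; keep encrypt and decrypt sides aligned.
openssl enc -aes-256-cbc -salt -in secrets.tar.gz -out config/secrets.enc -pass file:secrets/random.key
## We also need to encrypt the file encryption key (with our public key).
## `rsautl` is deprecated since OpenSSL 3.0 (pkeyutl replaces it); the decrypt
## script uses the same tool, so switch both together.
openssl rsautl -encrypt -inkey config/public.pem -pubin -in secrets/random.key -out config/random.enc
## Clean up old files (the EXIT trap also does this on failure)
rm secrets.tar.gz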
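#!/bin/bash
# Install the gcloud CLI into a cacheable folder (skipped when already there)
# and put it on PATH.
# Env (all optional): CI_PROJECT_DIR (default: $PWD),
#                     CACHE_FOLDER   (default: $CI_PROJECT_DIR/.ci/cache)
set -euo pipefail

YELLOW='\033[1;33m'
NC='\033[0m'
CI_PROJECT_DIR=${CI_PROJECT_DIR:=$PWD}
CACHE_FOLDER=${CACHE_FOLDER:=$CI_PROJECT_DIR/.ci/cache}
export CLOUDSDK_INSTALL_DIR=$CACHE_FOLDER # Auto setup the install directory
# Makes the installer non-interactive. (Usage reporting itself is switched
# off by the `gcloud config set` at the bottom, not by this variable.)
export CLOUDSDK_CORE_DISABLE_PROMPTS=1
if [[ ! -d "$CACHE_FOLDER/google-cloud-sdk" ]]; then
  printf '%b\n' "${YELLOW}Installing gcloud cli...${NC}"
  mkdir -p "$CACHE_FOLDER"
  # -f makes a non-2xx response (e.g. an HTML error page) fail curl instead
  # of being fed to bash; with pipefail that failure aborts the script.
  # NOTE(review): this still runs whatever the endpoint serves, unverified —
  # pin a release archive and check its digest if the pipeline must be
  # reproducible.
  curl -fsSL https://sdk.cloud.google.com | bash > /dev/null
  # mv -f $HOME/google-cloud-sdk $CACHE_FOLDER
fi
export PATH="$CACHE_FOLDER/google-cloud-sdk/bin:${PATH}"
gcloud config set disable_usage_reporting true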