@ifiokjr
Created October 16, 2018 07:02
Basic setup of manual encryption of files
#!/bin/bash
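set -e
exit 1
# Guidance only. NOT TO BE USED as a script: the `exit 1` above stops execution
# on purpose. Run the steps by hand, once, when bootstrapping the key material.
## https://raymii.org/s/tutorials/Encrypt_and_decrypt_files_to_public_keys_via_the_OpenSSL_Command_Line.html#Decrypt_the_random_key_with_our_private_key_file

# Everything created below is secret material; keep it owner-readable only.
umask 077
mkdir -p secrets

# Generate a 4096-bit RSA private key. It is written WITHOUT a passphrase, so
# file permissions (and keeping secrets/ out of git) are its only protection.
# This key decrypts the file-encryption key.
openssl genrsa -out secrets/private.pem 4096

# Derive the matching public key. The public half is not secret.
# NOTE(review): the encrypt step on this page reads config/public.pem, while
# this command writes secrets/public.pem. Presumably the file is copied by
# hand; confirm.
openssl rsa -in secrets/private.pem -pubout -out secrets/public.pem

# Create the random passphrase used to encrypt the archive symmetrically.
openssl rand -base64 128 -out secrets/random.key

# Check the consistency of the private / public key pair: both commands must
# print the same digest, because both keys share the same modulus.
openssl rsa -modulus -noout -in secrets/private.pem | openssl dgst -sha256
openssl rsa -pubin -modulus -noout -in secrets/public.pem | openssl dgst -sha256

# Validate the private key itself. The result is printed directly; hashing it
# would hide the outcome.
openssl rsa -check -noout -in secrets/private.pem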
#!/bin/bash
# ANSI colour sequences, stored as literal backslash escapes and expanded later
# by `echo -e`: NC resets the terminal colour, PURPLE marks progress messages.
NC="\033[0m"
PURPLE="\033[0;35m"
#######################################
# Copy the decrypted files from secrets/ to the locations the tooling reads.
# Globals:   PURPLE, NC (read) - colour escapes for the progress messages
# Arguments: none
# Outputs:   one progress line per group of files on stdout
# Returns:   status of the last cp
# NOTE(review): every destination receives credential material (registry
# tokens, runtime config, .env); presumably these paths are git-ignored.
# Confirm against the repository's .gitignore.
#######################################
copy_files() {
  local dest

  printf '%b\n' "${PURPLE}Copying read-write .npmrc...${NC}"
  cp -f secrets/.npmrc.publish .npmrc

  printf '%b\n' "${PURPLE}Copying read-only .npmrc...${NC}"
  for dest in @cloud/firebase @apps/web; do
    cp -f secrets/.npmrc.read "${dest}/.npmrc"
  done

  printf '%b\n' "${PURPLE}Copying firebase runtimeConfig for test environment${NC}"
  for dest in .runtimeconfig.json @cloud/firebase/.runtimeconfig.json; do
    cp -f secrets/.runtimeconfig.json "${dest}"
  done

  printf '%b\n' "${PURPLE}Copying .env for development${NC}"
  for dest in @apps/web @cloud/firebase; do
    cp -f secrets/.dev.env "${dest}/.env"
  done
}
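# Decrypt config/secrets.enc into ./secrets, then distribute the files.
#
# In CI (CI is non-empty) the RSA private key arrives base64-encoded in
# PLEJIO_REPO_PRIVATE_KEY; locally it is read from secrets/private.pem.
# Both paths now stop on the first failing step, so a failed decrypt can no
# longer fall through to extracting and copying a stale archive.
set -e

# Key material and the plaintext archive are written below: owner-only files.
umask 077

# Temporary file holders. They live in a private mktemp directory rather than
# "${TMPDIR:-$HOME}" glued to the file name, which lacked a path separator and
# gave predictable names. The EXIT trap removes the decrypted key, passphrase
# and archive even when a step fails part-way.
WORK_DIR=$(mktemp -d "${TMPDIR:-/tmp}/decrypt-secrets.XXXXXX")
trap 'rm -rf -- "$WORK_DIR"' EXIT

SECRET_FILE_NAME="$WORK_DIR/secret-${CI_JOB_ID:-local}"
PRIVATE_FILE_NAME="$WORK_DIR/private-${CI_JOB_ID:-local}"
ARCHIVE_FILE_NAME="$WORK_DIR/secrets.tar.gz"

if [ -n "$CI" ]; then
  # Quoted so the key is passed through byte-for-byte instead of being
  # word-split and glob-expanded by the shell.
  printf '%s\n' "$PLEJIO_REPO_PRIVATE_KEY" | base64 --decode > "$PRIVATE_FILE_NAME"
  PRIVATE_KEY_PATH=$PRIVATE_FILE_NAME
else
  PRIVATE_KEY_PATH=secrets/private.pem
fi

# Decrypt the randomly generated secret key. This is needed to decrypt the file.
# NOTE(review): `openssl rsautl` is deprecated in OpenSSL 3.0 in favour of
# `openssl pkeyutl`; change it together with the encrypt script.
openssl rsautl -decrypt -inkey "$PRIVATE_KEY_PATH" -in config/random.enc -out "$SECRET_FILE_NAME"

# Decrypt the file.
# NOTE(review): without -pbkdf2 the key is derived from the passphrase with
# OpenSSL's legacy KDF, whose default digest changed in OpenSSL 1.1.0, and CBC
# gives no integrity protection. Any change here must match the encrypt script.
openssl aes-256-cbc -d -in config/secrets.enc -out "$ARCHIVE_FILE_NAME" -pass "file:$SECRET_FILE_NAME"

# Retrieve the folder from the tar archive (extracted into the current directory).
tar -xzf "$ARCHIVE_FILE_NAME"

# Remove the temporary files now; the EXIT trap covers the failure paths.
rm -rf -- "$WORK_DIR"

copy_files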
#!/bin/bash
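## Run this script whenever new secrets are added to the repository.
set -e

## The plaintext archive is secret: create it owner-only, in a private
## temporary directory that the EXIT trap removes even if a step fails.
## Previously a failure left secrets.tar.gz in the working tree.
umask 077
WORK_DIR=$(mktemp -d "${TMPDIR:-/tmp}/encrypt-secrets.XXXXXX")
trap 'rm -rf -- "$WORK_DIR"' EXIT

## Firstly compress the secret folder. This folder is ignored by git.
## NOTE(review): the whole folder is archived, so any key files kept in
## secrets/ (private.pem, random.key) are extracted wherever the archive is
## decrypted. Confirm that is intended.
tar -zcf "$WORK_DIR/secrets.tar.gz" secrets

## Now using the file encryption key we encrypt the compressed archive.
## NOTE(review): without -pbkdf2 the key is derived with OpenSSL's legacy KDF,
## and CBC provides no integrity check. Any change here must match the
## decrypt script.
openssl enc -aes-256-cbc -salt -in "$WORK_DIR/secrets.tar.gz" -out "$WORK_DIR/secrets.enc" -pass file:secrets/random.key

## We also need to encrypt the file encryption key with our PUBLIC key; only
## the holder of the private key can recover it.
## NOTE(review): `openssl rsautl` is deprecated in OpenSSL 3.0 in favour of
## `openssl pkeyutl`.
openssl rsautl -encrypt -inkey config/public.pem -pubin -in secrets/random.key -out "$WORK_DIR/random.enc"

## Replace the old encrypted files only after both new ones were produced, so
## a failed run does not leave config/ without usable ciphertext.
rm -f config/*.enc
mv -f "$WORK_DIR/secrets.enc" config/secrets.enc
mv -f "$WORK_DIR/random.enc" config/random.enc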
#!/bin/bash
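# Install the Google Cloud SDK into the CI cache folder (once) and put it on PATH.
# NOTE(review): PATH and CLOUDSDK_* are exported, so this file is presumably
# sourced. For that reason it sets no shell options or traps and leaves via
# `return` when possible.
YELLOW='\033[1;33m'
NC='\033[0m'

# Fall back to the current directory outside CI.
: "${CI_PROJECT_DIR:=$PWD}"
: "${CACHE_FOLDER:=$CI_PROJECT_DIR/.ci/cache}"

export CLOUDSDK_INSTALL_DIR="$CACHE_FOLDER" # Auto setup the install directory
export CLOUDSDK_CORE_DISABLE_PROMPTS=1 # Disable interactive prompts (usage reporting is turned off below)

if [ ! -d "$CACHE_FOLDER/google-cloud-sdk" ]; then
  echo -e "${YELLOW}Installing gcloud cli...${NC}"
  mkdir -p "$CACHE_FOLDER"

  # Download the installer to a file first instead of piping curl into bash.
  # A failed or truncated download is then detected (-f, exit status) before
  # anything is executed; the pipe would have run whatever bytes arrived.
  # NOTE(review): the installer is still unpinned and unverified remote code.
  # Prefer a versioned SDK archive checked against a known checksum.
  GCLOUD_INSTALLER=$(mktemp "${TMPDIR:-/tmp}/gcloud-install.XXXXXX") || {
    echo "Could not create a temporary file for the gcloud installer" >&2
    return 1 2>/dev/null || exit 1
  }
  if ! curl -fsS --proto '=https' -o "$GCLOUD_INSTALLER" https://sdk.cloud.google.com; then
    echo "Failed to download the gcloud installer" >&2
    rm -f -- "$GCLOUD_INSTALLER"
    return 1 2>/dev/null || exit 1
  fi
  if ! bash "$GCLOUD_INSTALLER" > /dev/null; then
    echo "The gcloud installer failed" >&2
    rm -f -- "$GCLOUD_INSTALLER"
    return 1 2>/dev/null || exit 1
  fi
  rm -f -- "$GCLOUD_INSTALLER"
  unset GCLOUD_INSTALLER
  # mv -f $HOME/google-cloud-sdk $CACHE_FOLDER
fi

export PATH="$CACHE_FOLDER/google-cloud-sdk/bin:${PATH}"
gcloud config set disable_usage_reporting true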