Using gpg2 and gpg-agent to manage pipeline secrets
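# Install gnupg2 and gnupg-agent
$ sudo apt-get install gnupg2 gnupg-agent rng-tools
# Make sure you have gpg2 2.1.11 (gpg2 --version)
# Top up the kernel entropy pool while the key is generated. rngd's default
# source is the hardware RNG; feeding it "-r /dev/urandom" only recycles the
# pool's own output back into the pool and adds no real entropy. If the host
# has no hardware source, let gpg wait for entropy instead.
$ sudo rngd
# Create a working directory
$ mkdir concourse
$ cd concourse
# Create a key for concourse to use. The batch file holds the passphrase in
# clear text, so make it owner-readable only and remove it as soon as the key
# exists. 1024-bit DSA/ELG-E is below current minimums; use 4096-bit RSA.
$ umask 077
$ cat >key_gen<<EOF
%echo Generating a basic OpenPGP key
Key-Type: RSA
Key-Length: 4096
Subkey-Type: RSA
Subkey-Length: 4096
Name-Real: Concourse User
Name-Comment: Pipeline Automation
Name-Email: concourse@customer.io
Expire-Date: 0
Passphrase: change-me-you-fool
%commit
%echo done
EOF
$ gpg2 --batch --gen-key key_gen
$ rm -f key_gen
# Set a crazy long timeout for cached creds (400 days).
# default-cache-ttl / maximum-cache-ttl are gpg-agent options: they belong in
# gpg-agent.conf, not gpg.conf (gpg 2.1 rejects them there as invalid
# options), and the running agent must be reloaded to pick them up. With a
# cache this long, the agent socket -- not the passphrase -- is what bounds
# access to the key, so treat the account running the agent accordingly.
$ echo 'default-cache-ttl 34560000' >> ~/.gnupg/gpg-agent.conf
$ echo 'maximum-cache-ttl 34560000' >> ~/.gnupg/gpg-agent.conf
$ gpg-connect-agent reloadagent /bye
# Create a file with secrets in it (this should store all your secrets).
# The umask above keeps it owner-readable only while it exists in clear text.
$ echo 'export PASSWORD="joecool"' > passwords.sh
# Encrypt your file (using the email from your key)
$ gpg2 --encrypt -r concourse@customer.io passwords.sh
# Delete original file
$ rm passwords.sh
# Decrypt your file (first time, password required to decrypt the gpg key)
$ gpg2 --decrypt passwords.sh.gpg
# export the password to your pipeline (no password required,
# key is now cached by gpg-agent). The decrypted text is executed as shell, so
# only ever eval files you authored and encrypted yourself. Quote the
# substitution: unquoted, word-splitting collapses newlines, so a file with
# several export lines would be run as a single mangled command.
$ eval "$(gpg2 --decrypt passwords.sh.gpg)"
# Confirm the variable landed without printing the secret to the terminal
# (and thereby into scrollback or session logs).
$ [[ -n "${PASSWORD:-}" ]] && echo 'PASSWORD is set'
PASSWORD is set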