@jmcdice
Last active August 29, 2017 16:21
Using gpg2 and gpg-agent to manage pipeline secrets
# Install gnupg2 and gnupg-agent
$ sudo apt-get install gnupg2 gnupg-agent rng-tools
# Make sure you have gpg2 2.1.11 or later (gpg2 --version)
# Keep key generation from blocking on the kernel entropy pool. Note that
# feeding /dev/urandom back into the pool adds no real entropy; on a VM a
# hardware source such as virtio-rng (/dev/hwrng) is the better feed for rngd.
$ sudo rngd -r /dev/urandom
# Create a working directory
$ mkdir concourse
$ cd concourse
# Create a key for concourse to use. 1024-bit DSA/ElGamal is below current
# minimum recommendations, so generate RSA 3072 (or larger) instead.
$ cat >key_gen<<EOF
%echo Generating a basic OpenPGP key
Key-Type: RSA
Key-Length: 3072
Subkey-Type: RSA
Subkey-Length: 3072
Name-Real: Concourse User
Name-Comment: Pipeline Automation
Name-Email: concourse@customer.io
Expire-Date: 0
Passphrase: change-me-you-fool
%commit
%echo done
EOF
$ gpg2 --batch --gen-key key_gen
# The parameter file holds the passphrase in clear, so remove it right away
$ rm -f key_gen
# Set a crazy long timeout for cached creds (400 days). These are gpg-agent
# options, so they go in gpg-agent.conf (gpg rejects them as invalid options
# in gpg.conf); a running agent picks them up after a reload. Be clear about
# what this trades away: anything that can reach this user's agent socket can
# decrypt without a passphrase for the whole TTL, so the passphrase protects
# the key at rest, not on the running host.
$ echo 'default-cache-ttl 34560000' >> ~/.gnupg/gpg-agent.conf
$ echo 'maximum-cache-ttl 34560000' >> ~/.gnupg/gpg-agent.conf
$ gpg-connect-agent reloadagent /bye
# Create a file with the secrets in it (keep all of them in this one file)
$ echo 'export PASSWORD="joecool"' > passwords.sh
# Encrypt your file (using the email from your key)
$ gpg2 --encrypt -r concourse@customer.io passwords.sh
# Delete original file
$ rm passwords.sh
# Decrypt your file (first time only: pinentry asks for the key's passphrase
# and gpg-agent caches it)
$ gpg2 --decrypt passwords.sh.gpg
# Export the secrets into your pipeline's shell (no passphrase prompt now,
# the key is cached by gpg-agent). Quote the command substitution so the
# decrypted text reaches eval as one string.
$ eval "$(gpg2 --decrypt passwords.sh.gpg)"
$ env | grep PASS
PASSWORD=joecool
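The whole procedure above, as an added example that is not part of the gist: a self-contained script that runs the same steps in a throw-away GNUPGHOME, puts the cache TTLs in gpg-agent.conf (the file gpg-agent reads), and then proves that the second decrypt is served from the agent's cache by forbidding any passphrase prompt with --pinentry-mode error. It assumes gpg 2.1 or later (found as gpg2 or gpg on PATH) together with gpg-agent and gpg-connect-agent. The key identity, passphrase, cache TTL and the secret value are placeholders, and the one-time unlock supplies the passphrase over loopback pinentry rather than the interactive prompt the gist uses, because a script has no terminal.

```shell
#!/bin/sh
# Added example, not code from the gist. Runs the gist's procedure end to end in
# a private GNUPGHOME and checks that gpg-agent, not a prompt, answers the
# second decrypt. Assumes gpg 2.1+ with gpg-agent and gpg-connect-agent.
set -eu

GPG=$(command -v gpg2 || command -v gpg)
KEY_EMAIL="concourse@customer.io"      # placeholder identity
KEY_PASS="change-me-you-fool"          # placeholder passphrase
CACHE_TTL=34560000                     # 400 days, as in the gist

setup_home() {
    # Private keyring and private agent, so nothing here touches ~/.gnupg
    GNUPGHOME=$(mktemp -d)
    export GNUPGHOME
    # default-cache-ttl / maximum-cache-ttl are gpg-agent options: they belong in
    # gpg-agent.conf, not gpg.conf, where gpg would reject them as invalid.
    # allow-loopback-pinentry is required for --pinentry-mode loopback on agents
    # older than 2.1.12 and is the default on later ones.
    cat > "$GNUPGHOME/gpg-agent.conf" <<EOF
default-cache-ttl $CACHE_TTL
maximum-cache-ttl $CACHE_TTL
allow-loopback-pinentry
EOF
}

cleanup() {
    # Kill the agent that holds the unlocked key, then drop the keyring
    gpg-connect-agent killagent /bye >/dev/null 2>&1 || true
    if [ -n "${GNUPGHOME:-}" ]; then rm -rf "$GNUPGHOME"; fi
}

gen_key() {
    # Unattended generation, parameters read from stdin. RSA 3072 instead of the
    # gist's 1024-bit DSA/ElGamal, which is below current minimums.
    "$GPG" --batch --gen-key <<EOF
Key-Type: RSA
Key-Length: 3072
Key-Usage: sign
Subkey-Type: RSA
Subkey-Length: 3072
Subkey-Usage: encrypt
Name-Real: Concourse User
Name-Email: $KEY_EMAIL
Expire-Date: 0
Passphrase: $KEY_PASS
%commit
EOF
}

encrypt_secrets() { # $1 = plaintext file, $2 = ciphertext to write
    "$GPG" --batch --yes --quiet --encrypt --recipient "$KEY_EMAIL" --output "$2" "$1"
}

decrypt_first_time() { # $1 = ciphertext; unlocks the key, agent caches the passphrase
    # Passphrase on fd 0 rather than --passphrase, which would show up in ps
    printf '%s\n' "$KEY_PASS" | "$GPG" --batch --quiet --pinentry-mode loopback \
        --passphrase-fd 0 --decrypt "$1"
}

decrypt_from_cache() { # $1 = ciphertext
    # --pinentry-mode error forbids any prompt, so this can only succeed when
    # gpg-agent already holds the unlocked key in its cache
    "$GPG" --batch --quiet --pinentry-mode error --decrypt "$1"
}

demo() {
    setup_home
    trap cleanup EXIT
    gen_key
    SECRETS="$GNUPGHOME/passwords.sh.gpg"
    # Constructed sample secret, same shape as the gist's passwords.sh
    printf 'export PASSWORD="joecool"\n' > "$GNUPGHOME/passwords.sh"
    encrypt_secrets "$GNUPGHOME/passwords.sh" "$SECRETS"
    rm -f "$GNUPGHOME/passwords.sh"
    decrypt_first_time "$SECRETS" >/dev/null   # the one-time passphrase entry
    eval "$(decrypt_from_cache "$SECRETS")"    # every later run: no prompt
    echo "PASSWORD=$PASSWORD"
}

demo
```

Run it directly; it prints PASSWORD=joecool and then kills its private agent, so the cached passphrase dies with the script. The agent is the trust boundary: on a real pipeline host, whatever can talk to the user's gpg-agent socket decrypts without a passphrase for the full TTL, which is exactly what the 400-day cache trades away, so lock down that account and socket as you would the plaintext secrets themselves.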