@kzap
Last active July 14, 2024 16:13
If you want to give only Travis-CI access to a private key or secret file in your repository, you will need to encrypt it. Rather than storing the entire encrypted file in an environment variable, store a secret password in a secure environment variable and use that password to encrypt and decrypt your private key file. The encryption o…
# generate your private key, put the public key on the server you will be connecting to
ssh-keygen -t rsa -f ./my_key
# generate the password/secret you will store encrypted in the .travis.yml and use to encrypt your private key
# (256 random bits as hex; piping /dev/urandom through "openssl sha1" prefixes the output with
# "(stdin)= " on current OpenSSL, and that prefix would silently become part of the password)
openssl rand -hex 32 > ./secret
# encrypt your private key using your secret password (-a base64-armours the output so it is a text file)
openssl aes-256-cbc -salt -pass "file:./secret" -in ./my_key -out ./my_key.enc -a
# download your Travis-CI public key via the API. eg: https://api.travis-ci.org/repos/travis-ci/travis-ci/key
# replace 'RSA PUBLIC KEY' with 'PUBLIC KEY' in it
# save it as a file id_travis.pub
# now encrypt your secure environment variable and secret password using the public key that you just downloaded and copy it to the clipboard
# (pbcopy is macOS only; on Linux use xclip -selection clipboard, or redirect to a file instead)
echo "MY_SECRET_ENV=$(cat ./secret)" | openssl rsautl -encrypt -pubin -inkey ./id_travis.pub | base64 | pbcopy
# insert your secure environment variable in your .travis.yml like so
# env:
# - secure: "ENCODEDSECUREVAR"
# make sure you add my_key.enc to your repository, and never my_key or secret (put both in .gitignore)
# to decode your encrypted private key in Travis, use the following line and it will output a decrypted my_key file
# (-pass env:MY_SECRET_ENV reads the password from the environment instead of the command line,
# which keeps it out of the process list; chmod 600 ./my_key afterwards or ssh will refuse the key)
# openssl aes-256-cbc -pass "pass:$MY_SECRET_ENV" -in ./my_key.enc -out ./my_key -d -a
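The following script is an added example, not part of the gist, that runs the whole envelope flow locally end to end: it seals the deploy key under a random secret, wraps that secret with a CI provider's RSA public key, then plays the CI side by unwrapping the secret with the matching private key and recovering the deploy key. Assumptions: a locally generated RSA key pair stands in for the Travis key pair (in practice only the public half is downloaded from the API), the deploy key is generated with openssl instead of ssh-keygen so only the openssl CLI is needed, and pkeyutl is used in place of rsautl (same RSA operation; rsautl is deprecated in OpenSSL 3). All function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the gist): local round trip of the envelope-encryption flow.
set -eu

# make_secret FILE: write a fresh 256-bit random secret, hex-encoded, to FILE.
make_secret() {
    openssl rand -hex 32 > "$1"
}

# seal_key SECRETFILE KEYFILE OUTFILE: AES-256-CBC encrypt KEYFILE with the secret, base64-armoured.
# The secret is high-entropy, so the legacy password derivation is acceptable here; if you add
# -pbkdf2 (OpenSSL >= 1.1.1), add it on the decrypt side as well.
seal_key() {
    openssl aes-256-cbc -salt -a -pass "file:$1" -in "$2" -out "$3" 2>/dev/null
}

# open_key PASSWORD ENCFILE OUTFILE: decrypt exactly as the CI job would with $MY_SECRET_ENV.
open_key() {
    openssl aes-256-cbc -d -a -pass "pass:$1" -in "$2" -out "$3" 2>/dev/null
}

# wrap_secret SECRETFILE PUBKEY: RSA-encrypt "MY_SECRET_ENV=<secret>" with the provider's
# public key and base64 it; this is the blob that goes into the "secure:" line of .travis.yml.
wrap_secret() {
    printf 'MY_SECRET_ENV=%s' "$(cat "$1")" \
        | openssl pkeyutl -encrypt -pubin -inkey "$2" \
        | openssl base64
}

# unwrap_secret B64FILE PRIVKEY: the provider's side; prints only the secret value.
unwrap_secret() {
    openssl base64 -d -in "$1" \
        | openssl pkeyutl -decrypt -inkey "$2" \
        | sed 's/^MY_SECRET_ENV=//'
}

# roundtrip: run the full flow in a temporary directory. Prints "match" and returns 0 when the
# key recovered on the "CI" side equals the original and a wrong password does not recover it.
roundtrip() {
    work=$(mktemp -d)
    # Constructed stand-ins: the provider's RSA key pair and the deploy key we want to protect.
    openssl genrsa -out "$work/ci.pem" 2048 2>/dev/null
    openssl rsa -in "$work/ci.pem" -pubout -out "$work/ci.pub" 2>/dev/null
    openssl genrsa -out "$work/my_key" 2048 2>/dev/null

    make_secret "$work/secret"
    seal_key "$work/secret" "$work/my_key" "$work/my_key.enc"
    wrap_secret "$work/secret" "$work/ci.pub" > "$work/secure.b64"

    # Only my_key.enc (in the repo) and secure.b64 (in .travis.yml) ever leave the developer's machine.
    pw=$(unwrap_secret "$work/secure.b64" "$work/ci.pem")
    open_key "$pw" "$work/my_key.enc" "$work/my_key.dec"

    result=1
    if cmp -s "$work/my_key" "$work/my_key.dec"; then
        # Negative check: a wrong password must either fail to decrypt or yield garbage.
        if open_key "not-the-secret" "$work/my_key.enc" "$work/bad.dec" \
           && cmp -s "$work/my_key" "$work/bad.dec"; then
            result=1
        else
            result=0
        fi
    fi
    rm -rf "$work"
    [ "$result" -eq 0 ] && echo match
    return "$result"
}
```

Run it with `sh envelope.sh` after adding `roundtrip` as the last line; the temporary directory is removed on both outcomes, so nothing decrypted is left on disk.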