squeezing private SSH key into .travis.yml file
Tricks to add encrypted private SSH key to .travis.yml file
To encrypt the private SSH key into the "-secure: xxxxx....." lines to place in the .travis.yml file (to see what the encrypted data looks like, see an example here: https://github.com/veewee-community/veewee-push/blob/486102e6f508214b04414074c921475e5943f682/.travis.yml#L21), generate a deploy key, then run:
base64 --wrap=0 ~/.ssh/id_rsa > ~/.ssh/id_rsa_base64
ENCRYPTION_FILTER="echo \$(echo \"-\")\$(travis encrypt veewee-community/veewee-push \"\$FILE='\`cat $FILE\`'\" | grep secure:)"
split --bytes=100 --numeric-suffixes --suffix-length=2 --filter="$ENCRYPTION_FILTER" ~/.ssh/id_rsa_base64 id_rsa_
Ha! it takes 30 lines to squeeze it all in.
To reconstitute the private SSH key once running inside Travis: (see example use here: https://github.com/veewee-community/veewee-push/blob/486102e6f508214b04414074c921475e5943f682/.travis.yml#L13)
- echo -n $id_rsa_{00..30} >> ~/.ssh/id_rsa_base64
- base64 --decode --ignore-garbage ~/.ssh/id_rsa_base64 > ~/.ssh/id_rsa
- chmod 600 ~/.ssh/id_rsa
- echo -e "Host github.com\n\tStrictHostKeyChecking no\n" >> ~/.ssh/config
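
An added example, not part of the original gist: a local round trip of the chunk-and-reassemble scheme above, rebuilding the key with a `printf`-padded counter and comparing the result byte for byte against the input. The sample "key" is constructed filler data, and the function names (`make_sample`, `load_chunks`, `reassemble`, `roundtrip_ok`) are hypothetical.

```shell
#!/bin/sh
# Constructed filler standing in for ~/.ssh/id_rsa; never test with a real key.
make_sample() { awk 'BEGIN { for (i = 1; i <= 600; i++) print i }' > "$1"; }

# Load the base64 text of file $1 into variables id_rsa_00, id_rsa_01, ...
# in 100-character chunks, mirroring what Travis exports after decrypting
# the "secure:" entries. Sets the global chunk_count.
load_chunks() {
    chunk_count=0
    # Strip line wrapping first so every chunk except the last is 100 chars.
    for chunk in $(base64 < "$1" | tr -d '\n' | fold -w 100); do
        name=$(printf 'id_rsa_%02d' "$chunk_count")
        eval "$name=\$chunk"
        chunk_count=$((chunk_count + 1))
    done
}

# Rebuild the key at path $1 with an explicit zero-padded counter, so the
# variable names do not depend on how the shell expands {00..30}.
reassemble() {
    : > "$1.b64"
    i=0
    while [ "$i" -lt "$chunk_count" ]; do
        name=$(printf 'id_rsa_%02d' "$i")
        # printf '%s' adds no separators, so the decoder sees clean base64.
        eval "printf '%s' \"\$$name\"" >> "$1.b64"
        i=$((i + 1))
    done
    base64 --decode < "$1.b64" > "$1"
    chmod 600 "$1"
}

# Returns 0 only if the reassembled file is byte-identical to the input.
roundtrip_ok() {
    work=$(mktemp -d)
    make_sample "$work/key"
    load_chunks "$work/key"
    reassemble "$work/key.out"
    if cmp -s "$work/key" "$work/key.out"; then status=0; else status=1; fi
    rm -rf "$work"
    return "$status"
}

roundtrip_ok && echo "round trip ok: $chunk_count chunks"
```

Running the same comparison against a throwaway key before committing the encrypted lines catches a missing or misnamed chunk locally rather than as an SSH authentication failure in the build.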

StefanLiebenberg Sep 29, 2013

brilliant! thank you

otruffer Jan 23, 2014

exactly what i was looking for, thanks a lot! :)

breerly Feb 14, 2014

+1 thanks a lot :)

davestern Mar 5, 2014

This is excellent!
It required some significant modification for use on the mac. split, for example, has different options. I created a mac version:

https://gist.github.com/davestern/9377538

koter84 May 19, 2014

Thanks for sharing this code!

The OS X version on Travis-CI.org doesn't understand that {00..30} should give 00 01 02..etc and just returns 0 1 2..etc
so the first 10 variables won't get printed to the file, and the key (obviously) doesn't work...

i solved it with a small for-loop combined with printf, also my version works the same on the linux and osx workers
https://gist.github.com/koter84/e46e675960d964fdb48d

letmaik Dec 28, 2014

The travis CLI changed a little, has to be travis encrypt -r me/repo now, note the -r.

EDIT: Just noticed that travis now has the ability to encrypt files directly. (see travis encrypt-file)

maboloshi Mar 16, 2018

Why not encrypt the private key file with 'travis encrypt' and store it as a travis environment variable?

Encryption and conversion code

travis encrypt-file ./id_rsa -r xxxx/xxxxxx
travis env set DEPLOY_KEY_ENC `base64 -i ./id_rsa.enc | tr -d '\n'` --private -r xxxx/xxxxxx

Decryption code in .travis.yml

echo $DEPLOY_KEY_ENC | base64 --decode | openssl aes-256-cbc -K $encrypted_xxxxxxxxxxxx_key -iv $encrypted_xxxxxxxxxxxx_iv -out ~/.ssh/id_rsa -d