The configuration in the config.yaml
contains secrets and should not be openly accessible. To secure the data contained within it, the values can be encrypted using a tool called sops
. This tool will use a GPG-key to encrypt the values of the yaml file. Having the PGP-key also allows to decrypt the values and work with the file. As long as the key is not compromised, the encrypted file can be shared securly between collaborators.
The process of using sops
is described below.
sops
On OSX, sops
can be installed using brew:
brew install sops
Install gpg
:
brew install gpg
You might need to add this to your .bashrc
or .zshrc
to enable sops
to work correctly with gpg
[1]:
GPG_TTY=$(tty) export GPG_TTY
Create a key by running the following command and following the instructions on the screen:
gpg --gen-key
Run the following command to encode the file:
sops \ --encrypt \ --in-place \ --encrypted-regex '(password|htpasswd|cert|key|apiUrl|caCert|secret|accessToken)$' \ --pgp \ `gpg --fingerprint "$EMAIL" | \ grep pub -A 1 | \ grep -v pub | \ sed s/\ //g` \ $FILE_TO_ENCODE
$EMAIL
refers to the email used during the creation of the GPG key.
Alternatively, the gerrit-monitoring.py encrypt
-script can be used to encrypt the file:
pipenv run python ./gerrit-monitoring.py \ --config config.yaml \ encrypt \ --pgp "abcde1234"
The gpg-key used to encrypt the file can be selected by giving the fingerprint, key ID or part of the unique ID to the --pgp
-argument. This identifier has to be unique among the keys in the GPG keystore.
To decrypt the file, run:
sops --in-place -d $FILE_TO_DECODE
For other developers or build servers to be able to decrypt the configuration, the key has to be exported:
gpg --export -a "$EMAIL" > public.key gpg --export-secret-key -a "$EMAIL" > private.key
On the receiving computer the key has to be imported by running:
gpg --import public.key gpg --allow-secret-key-import --import private.key