The configuration in `config.yaml` contains secrets and should not be openly accessible. To secure the data it contains, the values can be encrypted using a tool called `sops`. This tool uses a GPG key to encrypt the values of the YAML file. Holding the PGP key also allows the values to be decrypted and the file to be worked with. As long as the key is not compromised, the encrypted file can be shared securely between collaborators.
The process of using `sops` is described below.
`sops` can be installed using brew:

```sh
brew install sops
brew install gpg
```
You might need to add this to your `.zshrc` to enable `sops` to work correctly with GPG:

```sh
GPG_TTY=$(tty)
export GPG_TTY
```
Create a key by running the following command and following the instructions on the screen:
Run the following command to encode the file:

```sh
sops \
  --encrypt \
  --in-place \
  --encrypted-regex '(password|htpasswd|cert|key|apiUrl|caCert|secret|accessToken)$' \
  --pgp \
  `gpg --fingerprint "$EMAIL" | \
    grep pub -A 1 | \
    grep -v pub | \
    sed s/\ //g` \
  $FILE_TO_ENCODE
```
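To check which values the `--encrypted-regex` above actually protects, the following added Python example (not part of this page or of the project's code) models sops' matching rule, where a leaf is encrypted when any key on its path matches the regex, over a constructed config and lists the leaves that would stay in plaintext. The regex is case-sensitive and anchored only at the end, so keys such as `adminSecret` or `privateKey` are not covered by it.

```python
import re

ENCRYPTED_REGEX = r"(password|htpasswd|cert|key|apiUrl|caCert|secret|accessToken)$"

def should_be_encrypted(path, pattern=ENCRYPTED_REGEX):
    # sops rule: a leaf is encrypted when ANY key on its path matches the regex
    # (Go MatchString is an unanchored, case-sensitive search); a matching
    # non-leaf key therefore encrypts its whole subtree.
    regex = re.compile(pattern)
    return any(regex.search(component) for component in path)

def walk_leaves(node, path=()):
    # Yield (path, value) per scalar; as in sops, list items add no path component.
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk_leaves(value, path + (str(key),))
    elif isinstance(node, list):
        for item in node:
            yield from walk_leaves(item, path)
    else:
        yield path, node

def classify(tree, pattern=ENCRYPTED_REGEX):
    # Return (encrypted_paths, plaintext_paths), each sorted and de-duplicated.
    encrypted, plaintext = set(), set()
    for path, _value in walk_leaves(tree):
        bucket = encrypted if should_be_encrypted(path, pattern) else plaintext
        bucket.add(".".join(path))
    return sorted(encrypted), sorted(plaintext)

# Constructed sample config; not the project's real config.yaml.
SAMPLE_CONFIG = {
    "gerrit": {
        "host": "gerrit.example.com",
        "password": "hunter2",
        "adminSecret": "s3cr3t",             # 'Secret' != 'secret': stays plaintext
        "secret": {"user": "u", "pw": "p"},  # whole subtree encrypted
    },
    "tls": {
        "cert": "-----BEGIN CERTIFICATE-----",
        "caCert": "...",                     # listed explicitly: cert$ would miss it
        "key": "-----BEGIN PRIVATE KEY-----",
        "privateKey": "...",                 # 'Key' != 'key': stays plaintext
    },
    "prometheus": {
        "apiUrl": "https://prometheus.example.com",
        "accessToken": "tok",
        "bearerTokens": ["t1", "t2"],        # no regex alternative: stays plaintext
    },
}
```

Running `classify(SAMPLE_CONFIG)` returns the plaintext list `["gerrit.adminSecret", "gerrit.host", "prometheus.bearerTokens", "tls.privateKey"]`, which is what to review before committing an encrypted file.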
The `encrypt` command of the `gerrit-monitoring.py` script can also be used to encrypt the file:

```sh
pipenv run python ./gerrit-monitoring.py \
  --config config.yaml \
  encrypt \
  --pgp "abcde1234"
```

The GPG key used to encrypt the file is selected by passing its fingerprint, key ID or part of the unique ID to the `--pgp` argument. This identifier has to be unique among the keys in the GPG keystore.
To decrypt the file, run:

```sh
sops --in-place -d $FILE_TO_DECODE
```
For other developers or build servers to be able to decrypt the configuration, the key has to be exported:

```sh
gpg --export -a "$EMAIL" > public.key
gpg --export-secret-key -a "$EMAIL" > private.key
```
On the receiving computer the key has to be imported by running:

```sh
gpg --import public.key
gpg --allow-secret-key-import --import private.key
```