I encrypted my .env file, and I now have a .env.enc file. How does my team decrypt this?
I got this response when I encrypted the file, and it is stored in my .travis.yml file
openssl aes-256-cbc -K $encrypted_cf94abc85bdc_key -iv $encrypted_cf94abc85bdc_iv -in .env.enc -out .env -d
I tried that on the terminal and I just get:
iv undefined
I tried decrypting with the travis-cli:
travis encrypt-file .env.enc .env -d
I just get this:
key must be 64 characters long and a valid hex number
I tried it with the key and iv
travis encrypt-file .env.enc .env -d -K $encrypted_cf94abc85bdc_key -iv $encrypted_cf94abc85bdc_iv
I checked if the travis env variables exist, and they do:
encrypted_cf94abc85bdc_key=[secure]
encrypted_cf94abc85bdc_iv=[secure]
Your file is probably decrypted somewhere during the build on Travis. It might be easiest to add a deploy step to the build, so the .env file is uploaded to a place where you can download it yourself.
For details on how to deploy files, check this link or this one specifically for github
Here's a short sample of what I did ;)
in .travis.yml
before_install:
  # Somewhere your files are being decrypted
  - openssl aes-256-cbc -K $encrypted_cf94abc85bdc_key -iv $encrypted_cf94abc85bdc_iv -in .env.enc -out .env -d
# Add a deploy step, which lets you choose which files to upload
deploy:
  file:
    - .env   # add the file here, so it will be pushed to GitHub
  api_key: $apikey
  on:
    repo: <your github repo>
Check the output of travis encrypt-file!
Especially the first line:
encrypting <filename> for <repository name>
[..]
You need to be in the correct repo (and use --com if needed) to be sure that Travis will find the generated values it later needs.
I'm trying to send csv file - artifact from Gitlab CI over Mailgun.
Regular mail works well, but when I add an attachment it fails with an error:
curl: (26) Failed to open/read local data from file/application
My yaml file:
artifacts:
  paths:
    - report_folder/result.csv

send_email:
  script:
    - curl --user "api:$Mailgun_API_KEY"
      "https://api.mailgun.net/v3/$Mailgun_domain/messages"
      -F from='Gitlab <gitlab@example.com>'
      -F to=xxx@mail.com
      -F subject='test'
      -F text='hello form mailgun'
      -F attachment='@report_folder/result.csv'
I guess something is wrong with the file path in the last line, but I tried different combinations and nothing works so far.
I am building a CI/CD for my django project using GitLab. As part of my deploy stage, I have
deploy:
  stage: deploy
  script:
    - mkdir -p ~/.ssh
    - echo "$PRIVATE_KEY" | tr -d '\r' > ~/.ssh/id_rsa
    - cat ~/.ssh/id_rsa
    - chmod 700 ~/.ssh/id_rsa
    - eval "$(ssh-agent -s)"
    - ssh-add ~/.ssh/id_rsa
    - ssh-keyscan -H 'gitlab.com' >> ~/.ssh/known_hosts
    - chmod +x ./deploy.sh
    - scp -o StrictHostKeyChecking=no -r ./.env ./docker-compose.prod.yml ec2-user@$EC2_PUBLIC_IP_ADDRESS:/home/ec2-user/app
    - bash ./deploy.sh
  only:
    - master
The build breaks down at ssh-add ~/.ssh/id_rsa with the error message Error loading key "/root/.ssh/id_rsa": invalid format.
I have checked other questions with similar error messages and none seem related to what I am doing.
Notes
I am trying to deploy to Amazon EC2.
I am following this tutorial https://testdriven.io/blog/deploying-django-to-ec2-with-docker-and-gitlab/ and everything seems to work fine up until this last point.
I faced such an issue; the error was "Error loading key "/root/.ssh/id_rsa": invalid format". It was due to a protected variable, which is only applied on protected branches. I mean to say that if you use a protected variable on an unprotected branch, it will not recognize the variable and thus fails to recognize it.
I managed to fix it with the help of the guys from the ##aws IRC channel.
The Problem
I generated a PKCS#1 key format instead of a PKCS#8 format.
The PKCS#1 is represented as:
-----BEGIN RSA PRIVATE KEY-----
BASE64 ENCODED DATA
-----END RSA PRIVATE KEY-----
The PKCS#8 is represented as:
-----BEGIN PRIVATE KEY-----
BASE64 ENCODED DATA
-----END PRIVATE KEY-----
Solution
I simply copied the PRIVATE KEY and converted it here https://decoder.link/rsa_converter
You can also see a better elucidation here Differences between "BEGIN RSA PRIVATE KEY" and "BEGIN PRIVATE KEY"
Edited
As indicated below, it is not a good idea to use websites to do the conversion, especially when your private key is likely being sent to their servers. Instead, do the conversion locally as indicated here by @csgeek.
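As an added example (not part of the answer above), here is how to tell the two formats apart by their PEM header and do the PKCS#1 to PKCS#8 conversion locally with openssl, so the private key never leaves the machine. The test key is generated and discarded inside the script; it assumes the openssl CLI (1.1.1 or 3.x) is installed.

```shell
#!/bin/sh
# Added example: classify a private key by its PEM header and convert
# PKCS#1 -> PKCS#8 locally with openssl. The key used is a throwaway.
set -eu

# Print the container format of the key file in $1, judged by its first line
# (CR stripped, since a key pasted through Windows may carry CRLF endings).
key_format() {
    case "$(head -n 1 "$1" | tr -d '\r')" in
        "-----BEGIN RSA PRIVATE KEY-----")       echo pkcs1 ;;
        "-----BEGIN PRIVATE KEY-----")           echo pkcs8 ;;
        "-----BEGIN ENCRYPTED PRIVATE KEY-----") echo pkcs8-encrypted ;;
        "-----BEGIN OPENSSH PRIVATE KEY-----")   echo openssh ;;
        *)                                       echo unknown ;;
    esac
}

# Convert an unencrypted PKCS#1 key ($1) to unencrypted PKCS#8 ($2) on this
# machine; the output file is created with mode 0600. Fails unless the result
# carries the same RSA modulus as the input.
convert_pkcs1_to_pkcs8() {
    [ "$(key_format "$1")" = pkcs1 ] || { echo "$1 is not a PKCS#1 key" >&2; return 1; }
    (umask 077; openssl pkcs8 -topk8 -nocrypt -in "$1" -out "$2")
    [ "$(openssl rsa -in "$1" -noout -modulus)" = "$(openssl rsa -in "$2" -noout -modulus)" ]
}

# Make a throwaway PKCS#1 key at $1. OpenSSL 3 writes PKCS#8 unless told
# -traditional; OpenSSL 1.1 lacks that flag but writes PKCS#1 anyway.
make_test_pkcs1_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1.tmp" 2>/dev/null
    openssl rsa -in "$1.tmp" -traditional -out "$1" 2>/dev/null \
        || openssl rsa -in "$1.tmp" -out "$1" 2>/dev/null
    rm -f "$1.tmp"
}

dir=$(mktemp -d)
make_test_pkcs1_key "$dir/id_rsa"
echo "before: $(key_format "$dir/id_rsa")"          # pkcs1
convert_pkcs1_to_pkcs8 "$dir/id_rsa" "$dir/id_rsa.pkcs8"
echo "after:  $(key_format "$dir/id_rsa.pkcs8")"    # pkcs8
rm -rf "$dir"
```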
I have created a Dart HTTP(S) server for deploying files. I can have it run HTTPS with a self-signed cert. But how do you properly import a .crt from someone, for example GoDaddy?
So after a long struggle I have finally succeeded in importing a certificate from GoDaddy properly into Dart's HttpServer.bindSecure.
In order to pull this off, first you must merge your key and the certificate from GoDaddy together.
This can be done using a variation of this:
openssl pkcs12 -export -in website_cert.crt -inkey website_key.key -out website.p12 -name Name-Of-Cert -passout pass:SECRET
After...
pk12util -i website.p12 -d 'sql:./' -W SECRET
You should now see the cert with the Name-Of-Cert value (if you have a password on the db, apply the appropriate flags):
certutil -L -d 'sql:./'
Now, verify
certutil -V -u V -d 'sql:./' -n "Name-Of-Cert"
Credit to: https://stomp.colorado.edu/blog/blog/2010/06/04/on-setting-up-mod_nss/
Trying to follow the instructions on github for Generating SSH Keys for windows.
I run ssh-keygen -t rsa -C "my@email.com", enter a passphrase and it appears the SSH key is generated correctly.
However, when trying to "Add SSH Key" on GitHub it gives me the error
Key is invalid. It must begin with 'ssh-rsa' or 'ssh-dss'. Check that you're copying the public half of the key
The public key generated by Windows looks like this:
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "2048-bit RSA, my@email.com"
*public key*
---- END SSH2 PUBLIC KEY ----
Most notably it does not begin with 'ssh-rsa' or 'ssh-dss'. I tried just copying the *public key* part and prepending 'ssh-rsa' to it but I get the same error on GitHub. Any ideas what I'm doing wrong?
Got it. The public key should look like this:
ssh-rsa *public key* my@email.com
That is:
ssh-rsa<space><public key ending with ==><space><email address>
In Linux, after executing the above command, a file (xyz.pub) will be generated in the directory you are working in.
Then if you do a "cat xyz.pub", you will get your public key, which has "ssh-rsa" at the beginning.
Now you need to copy and paste the displayed text into your GitHub account.
Hope this will probably solve the issue.
And in Windows, I think you should edit the file in Notepad++.
GitHub generates two files: one with no type, and one .pub. You need the second one with the .pub extension, that file will already have the pattern:
ssh-rsa <key> <email>
If it doesn't have this pattern, you may be looking at the wrong file.
After the Git Bash steps, I went through the steps successfully. A .pub file was generated in Drive:\Users\<YOUR DIR>\.ssh\
Opened the file with Notepad, copied and pasted it into https://github.com/settings/keys. That's it!
I'm trying to convert a P12 file to a PEM file. When I execute the command, the terminal asks me for three things:
P12 passphrase (I type it in, hit enter)
PEM passphrase (type it in, hit enter)
PEM passphrase confirm (type it in, hit enter)
I know I can execute a sudo command all in one shot by using the following:
echo sudopassword | sudo rm -rf /file.p12;
How can I add all three values in one shot? Thanks
Can you explain what these P12 files are? I found this link which deals with the conversion of pkcs12 Cert/key files to .PEM format using openssl. (http://gridsite.org)
Key to the answer is:
Use -passin file:... and -passout file:... for unattended processing
It's my guess that you will have to specify the -passin file:P12passphrase and -passout file:PEMpassphrase options for this case.
This little test confirms how an input passphrase can be specified through a file:<...> parameter. This helps to hide such phrases from any over the shoulder attacks. Don't forget to restrict access to such files. Even though it's a common feature of most openssl commands, it's not explicitly mentioned and it is key to the original question. The full list of options is below.
$ openssl pkcs12 -passin file:P12phrase
Can't open file P12phrase
Error getting passwords
(I leave it to the OP to construct the full command.)
Below are all supported options for the pkcs12 subcommand:
$ openssl pkcs12 help
Usage: pkcs12 [options]
where options are
-export output PKCS12 file
-chain add certificate chain
-inkey file private key if not infile
-certfile f add all certs in f
-CApath arg - PEM format directory of CA's
-CAfile arg - PEM format file of CA's
-name "name" use name as friendly name
-caname "nm" use nm as CA friendly name (can be used more than once).
-in infile input filename
-out outfile output filename
-noout don't output anything, just verify.
-nomacver don't verify MAC.
-nocerts don't output certificates.
-clcerts only output client certificates.
-cacerts only output CA certificates.
-nokeys don't output private keys.
-info give info about PKCS#12 structure.
-des encrypt private keys with DES
-des3 encrypt private keys with triple DES (default)
-aes128, -aes192, -aes256
encrypt PEM output with cbc aes
-nodes don't encrypt private keys
-noiter don't use encryption iteration
-maciter use MAC iteration
-twopass separate MAC, encryption passwords
-descert encrypt PKCS#12 certificates with triple DES (default RC2-40)
-certpbe alg specify certificate PBE algorithm (default RC2-40)
-keypbe alg specify private key PBE algorithm (default 3DES)
-keyex set MS key exchange type
-keysig set MS key signature type
-password p set import/export password source
-passin p input file pass phrase source
-passout p output file pass phrase source
-engine e use engine e, possibly a hardware device.
-rand file:file:...
load the file (or the files in the directory) into
the random number generator
-CSP name Microsoft CSP name
-LMK Add local machine keyset attribute to private key
It's unlikely that these commands are reading from stdin. It's more likely that they're reading directly from the terminal. This allows them to set a mode that doesn't echo the password to the screen. Try echoing your input to /dev/tty.
Beyond that, you'll need to use something like expect / pexpect to control these. Those projects were built specifically for this purpose.
Openssl has a -stdin option to read its input from stdin. This works:
tmp=`mktemp`
cat > $tmp <<EOF
$1
EOF
cat $tmp | openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key
I've used cat and a here-document to avoid putting the password on the commandline.
I used openssl pkcs12 -in Certificates.p12 -out sampleCore.pem -nodes and it was working for me.
Have you tried just echoing three lines? It would probably work
echo $'P12 passphrase\nPEM passphrase\nPEM passphrase confirm' | cmd
Although I feel I must point out that echoing passwords like this is highly insecure. Not only does the password end up in your bash history file, but it's also visible to anyone else on the system who runs ps.