StackExchange / blackbox

Safely store secrets in Git/Mercurial/Subversion


Partial File Encryption

oxr463 opened this issue · comments

foo: 'this is a plain-text string'
bar: 'ABC5OwLpwB7L6Ca....' # this is encrypted

See also: https://docs.travis-ci.com/user/encryption-keys

You're looking to encrypt just specific lines or strings in a file?

blackbox is just a wrapper around gpg. If gpg can't do something then blackbox can't do it either.

My recommendation is to use a templating language. For example, our puppet installation has a file called blackbox.yaml which is encrypted and includes keys that are used in templates which aren't encrypted.
See https://github.com/StackExchange/blackbox/blob/master/README.md#how-to-use-the-secrets-with-puppet

Does that help?

> You're looking to encrypt just specific lines or strings in a file?

Yes, specific lines or strings in a file.

> blackbox is just a wrapper around gpg. If gpg can't do something then blackbox can't do it either.

I can easily encrypt a string via gpg using the following command:

echo "this is a plain-text string" | gpg --encrypt -r $EMAIL_ADDRESS | base64

I can then insert this into the file manually. I am hoping to find a way to automate this via blackbox (this is a feature request).

> My recommendation is to use a templating language. For example, our puppet installation has a file called blackbox.yaml which is encrypted and includes keys that are used in templates which aren't encrypted.
> See https://github.com/StackExchange/blackbox/blob/master/README.md#how-to-use-the-secrets-with-puppet

> Does that help?

Yes, I am familiar with that. I was the one who shared the Ansible example in the README.md file.

The specific use-case I opened this issue for involves docker-compose.yml files and buildbot configuration files. It wouldn't make sense to use Ansible or Puppet in these scenarios, but I may be able to use mustache templates if I really had to.

Ah, yes. Sorry for not remembering that. I appreciate the Ansible example!

How would this work in practice? Would people create a file called foo.txt.encrypted which blackbox would then decrypt to be foo.txt?

> How would this work in practice? Would people create a file called foo.txt.encrypted which blackbox would then decrypt to be foo.txt?

I'm thinking of something that scans each file listed in .blackbox/blackbox-files.txt. If there is no foo.txt.gpg found, then it tries to find base64-encoded strings in foo.txt instead.

Now that I am thinking this through, this might call for either a new blackbox command or a helper script. Also, it seems like it would only work on structured data such as YAML or JSON.

That's an interesting idea.

It would be difficult to tell if foo.yaml is in the encrypted or decrypted state. If it was encrypted, you could tell because you'd find encrypted strings. However if it was decrypted, how would you know which strings to encrypt?

It would be better to have a new file name. Perhaps foo.yaml.strings would decrypt to foo.yaml. The benefit would be that a non-privileged person could view foo.yaml.strings, but only admins could update it. Is that an improvement?

Maybe we should zoom out and ask what problem are you trying to solve?
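One way the helper-script idea above could look, written as an added example (not blackbox code): secrets inside an otherwise plain-text file are wrapped in an explicit ENC[...] marker, which also answers the question of how to tell the encrypted state from the decrypted one. The marker, the function names, the foo.yaml.strings convention and the sample compose fragment are assumptions; the gpg invocations mirror the `echo | gpg --encrypt -r ... | base64` pipeline from the thread.

```python
"""Render a foo.yaml.strings file to foo.yaml by decrypting ENC[...] tokens.

Added example, not part of blackbox. A secret is stored as
ENC[<base64 of gpg ciphertext>], so a file with tokens is "encrypted"
and a file without any is "decrypted"; nothing else in the file is touched.
"""
import base64
import re
import subprocess
from typing import Callable

TOKEN = re.compile(r"ENC\[([A-Za-z0-9+/=]+)\]")


def gpg_encrypt(plaintext: str, recipient: str) -> bytes:
    """Binary gpg ciphertext, same as the thread's echo | gpg --encrypt -r ..."""
    return subprocess.run(["gpg", "--batch", "--encrypt", "-r", recipient],
                          input=plaintext.encode(), capture_output=True, check=True).stdout


def gpg_decrypt(ciphertext: bytes) -> str:
    """Decrypt with the local keyring/agent; gpg selects the key from the packet."""
    return subprocess.run(["gpg", "--quiet", "--batch", "--decrypt"],
                          input=ciphertext, capture_output=True, check=True).stdout.decode()


def make_token(plaintext: str, encrypt: Callable[[str], bytes]) -> str:
    """Wrap one secret so it can sit inline in a YAML, JSON or .env file."""
    return "ENC[" + base64.b64encode(encrypt(plaintext)).decode() + "]"


def render(text: str, decrypt: Callable[[bytes], str] = gpg_decrypt) -> str:
    """Replace every token with its plaintext; comments and plain values pass through."""
    def sub(match: re.Match) -> str:
        value = decrypt(base64.b64decode(match.group(1))).rstrip("\n")
        if "\n" in value:  # an embedded newline would corrupt the surrounding structure
            raise ValueError("multi-line secrets are not supported inline")
        return value
    return TOKEN.sub(sub, text)


def is_rendered(text: str) -> bool:
    """True when no tokens remain, i.e. the file is in its decrypted state."""
    return TOKEN.search(text) is None


# Stand-in reversible "cipher" so the example runs without gpg; not a real cipher.
def fake_encrypt(plaintext: str) -> bytes:
    return plaintext.encode()[::-1]


def fake_decrypt(ciphertext: bytes) -> str:
    return ciphertext[::-1].decode()


# Constructed docker-compose fragment in its committed (.strings) form.
SAMPLE = ("services:\n  db:\n    environment:\n"
          "      POSTGRES_PASSWORD: " + make_token("hunter2", fake_encrypt) + "\n")
```

With real keys, `make_token(secret, lambda s: gpg_encrypt(s, "admin@example.com"))` produces the committed form and `render(open("foo.yaml.strings").read())` the working file.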

> Maybe we should zoom out and ask what problem are you trying to solve?

I would like to encrypt strings inside of a docker-compose.yml file. As a workaround, I can use dummy values for secrets in my docker-compose.yml file, and then provide a docker-compose.override.yml file with the real secrets (and encrypt it via blackbox). But I was hoping to stream-line the process.

Thank you for that explanation.

A few more questions if you don't mind:

  • How many people are you collaborating with? (how many are admins, how many non-admins?)
  • (I assume right now you are encrypting the entire file as a work-around). What problems would be removed by being able to encrypt specific strings instead of the entire file? (For example, are there non-admins that need to view/change certain parts of a file?)

Thanks!

Tom

As you mentioned docker-compose.yml, may I suggest you encrypt a .env file and refer to its contents using Docker Compose's support for .env files?

> As you mentioned docker-compose.yml, may I suggest you encrypt a .env file and refer to its contents using Docker Compose's support for .env files?

We actually already have a .env file. Maybe I will just do that instead.

GKernelCI is currently using https://github.com/GKernelCI/Gdocker/blob/master/sparser.py for adding variables to docker-compose.yml.
If the file secrets.yml is present, sparser will take the secrets from there. If it is not present, sparser will use the secrets from secrets.yml.example and auto-generate the passwords.