I store production keys directly in the Git repository




As time went on, CI / CD tools changed, the number of projects, environments and key storage locations multiplied, and my anxiety that some key somewhere was out of date kept growing. Well, enough of that... Can I just leave the keys in the repository? It turns out that yes, you can, and it is an order of magnitude more convenient than anything I did before.



Let's skip the heartbreaking story of the problems we all face when it comes to all kinds of secrets in projects and get straight to the point.



Objectives



  • , /
  • , ,
  • CI ,
  • .




The whole solution is two scripts: encrypt.sh and decrypt.sh.



encrypt.sh :



#!/bin/bash

# sh encrypt.sh <./path/to/file.js> <environment> <password>

LOCAL_IP_REMOVED='Y'

# Local configs may still contain the developer's own LAN address; ask before it gets encrypted and committed.
if [ "$2" = 'local' ]; then
  read -r -p "You are encrypting local environment. Did you remove your local ip address from configs? Y/n " LOCAL_IP_REMOVED
fi

if [ "$LOCAL_IP_REMOVED" != 'Y' ]; then
  echo "Well, go on and remove it then! Aborting encryption"
  exit 1
fi

echo "encrypting $1"
# Output lands next to the plaintext as <file>.<environment>-enc.
# "-md md5" pins the legacy key derivation so that old and new OpenSSL builds
# produce compatible files; decrypt.sh must use exactly the same options.
openssl enc -aes-128-cbc -a -salt -pass "pass:$3" -in "$1" -out "$1.$2-enc" -md md5
echo "done"


decrypt.sh :



#!/bin/bash
# sh decrypt.sh <environment> <password>

echo "decrypting $1 environment"

# Walk every *.<environment>-enc outside node_modules. A read loop (instead of
# $(find ...)) keeps file names containing spaces intact.
find . -not -path "*/node_modules/*" -name "*.$1-enc" -print |
while IFS= read -r file
do
    echo "decrypting $file to ${file%.$1-enc}"
    # Cipher options must match encrypt.sh exactly.
    openssl enc -aes-128-cbc -a -d -salt -pass "pass:$2" -in "$file" -out "${file%.$1-enc}" -md md5
done

if [ "$1" = 'local' ]; then
  # First non-loopback IPv4 address reported by ifconfig
  LOCAL_IP=$(ifconfig | sed -En 's/127.0.0.1//;s/.*inet (addr:)?(([0-9]*\.){3}[0-9]*).*/\2/p' | head -n 1)
  echo "Also replacing localhost with your local machine ip: $LOCAL_IP"
  # optionally, add logic to replace "localhost" with your machine IP
  # "sed -i ''" is the macOS/BSD form; GNU sed wants plain "sed -i".
  sed -i '' "s|localhost|$LOCAL_IP|g" './src/env.js'
fi


, . .env, env.js .



The decrypted files must be listed in .gitignore.



encrypt.sh:



sh encrypt.sh ./src/env.js <environment> <very_secure_password>


For the production environment this produces ./src/env.js.production-enc.



, :





I advise you to start with three environments: local, staging, production.



The peculiarity of the local environment is that the script decrypt.sh can also replace localhost in your configs with the local IP of your computer. This is needed, for example, in mobile development, when the smartphone has to connect to a server running on your machine.
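The workflow above (encrypt a config per environment, commit only the encrypted copy, decrypt it again on a machine or in CI) as a self-contained round trip. This is an added example, not the article's encrypt.sh / decrypt.sh: the function names, the constructed env.js contents and the temporary project layout are all invented for the demo, and it deliberately swaps the article's legacy "-md md5" key derivation for PBKDF2 (OpenSSL 1.1.1 or newer), so its output is not interchangeable with files produced by the article's scripts. It also shows two checks a practitioner wants: the plaintext file is covered by .gitignore, and a wrong password never reproduces the plaintext.

```shell
#!/bin/sh
# Added example, not the article's scripts: one encrypt/decrypt round trip of a
# constructed config file, plus a check that the plaintext stays out of git.
set -eu

# Cipher options. The article uses "-md md5"; this example uses PBKDF2 key
# derivation instead (OpenSSL >= 1.1.1), so it is NOT compatible with files
# produced by the article's encrypt.sh.
ENC_OPTS="-aes-128-cbc -a -salt -pbkdf2 -iter 100000"

# encrypt_file <plain-file> <environment> <password>   (hypothetical helper)
# Writes <plain-file>.<environment>-enc next to the plaintext, like encrypt.sh.
# The password reaches openssl through an environment variable rather than the
# command line, so it does not show up in `ps` output or shell history.
encrypt_file() {
    plain=$1; env=$2
    SECRET_PASS=$3 openssl enc $ENC_OPTS -pass env:SECRET_PASS \
        -in "$plain" -out "$plain.$env-enc"
}

# decrypt_env <directory> <environment> <password>   (hypothetical helper)
# Restores every *.<environment>-enc under <directory>, skipping node_modules,
# like decrypt.sh; the read loop keeps file names with spaces intact.
decrypt_env() {
    dir=$1; env=$2; pass=$3
    find "$dir" ! -path '*/node_modules/*' -name "*.$env-enc" -print |
    while IFS= read -r enc; do
        SECRET_PASS=$pass openssl enc $ENC_OPTS -d -pass env:SECRET_PASS \
            -in "$enc" -out "${enc%.$env-enc}"
    done
}

# plaintext_is_ignored <repo-root> <plain-file-relative>   (hypothetical helper)
# Returns 0 if .gitignore contains an exact entry for the decrypted file, its
# basename, or its root-anchored path; a pre-commit hook would run this check.
plaintext_is_ignored() {
    root=$1; rel=$2
    [ -f "$root/.gitignore" ] || return 1
    base=$(basename "$rel")
    grep -qxF -e "$rel" -e "$base" -e "/$rel" "$root/.gitignore"
}

# roundtrip_demo: builds a throwaway project, encrypts a constructed env.js for
# "production", deletes the plaintext, decrypts it again and compares.
# Prints "ok" on success so the result can be asserted on.
roundtrip_demo() {
    work=$(mktemp -d)
    mkdir -p "$work/src" "$work/node_modules/dep"
    # Constructed sample config; the key value is a placeholder, not a real secret.
    printf 'export const API_KEY = "constructed-demo-key";\n' > "$work/src/env.js"
    cp "$work/src/env.js" "$work/reference.js"
    printf 'src/env.js\n' > "$work/.gitignore"

    encrypt_file "$work/src/env.js" production 'very_secure_password'
    rm "$work/src/env.js"
    decrypt_env "$work" production 'very_secure_password'

    # Round trip must reproduce the original byte for byte.
    cmp -s "$work/src/env.js" "$work/reference.js" \
        || { echo "mismatch"; rm -rf "$work"; return 1; }

    # A wrong password either makes openssl fail (bad padding) or yields garbage;
    # CBC has no integrity tag, so the only reliable check is a comparison.
    if SECRET_PASS=wrong openssl enc $ENC_OPTS -d -pass env:SECRET_PASS \
           -in "$work/src/env.js.production-enc" -out "$work/wrong.js" 2>/dev/null \
       && cmp -s "$work/wrong.js" "$work/reference.js"; then
        echo "wrong password reproduced plaintext"; rm -rf "$work"; return 1
    fi

    # The decrypted file must be gitignored before anyone runs `git add .`.
    plaintext_is_ignored "$work" src/env.js \
        || { echo "not ignored"; rm -rf "$work"; return 1; }

    rm -rf "$work"
    echo ok
}
```

Run it with `sh demo.sh` after adding `roundtrip_demo` as the last line; "ok" means the encrypted copy is the only artefact that needs to be committed. The PBKDF2 switch matters because "-pass pass:" with "-md md5" derives the key with a single MD5 pass, which makes an offline guess against a committed file cheap; with the article's scripts, change both of them together or existing files will no longer decrypt.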



Thanks for your attention!



