
Encrypting secret files and use in jenkins

YaraMohammed edited this page May 4, 2018 · 13 revisions

This document explains how to encrypt files in a repo using gpg keys and how to give jenkins access to those files.

1- In the jenkins instance, install git-crypt and gnupg2

$ kubectl exec -it <JENKINS_POD> bash -n <NAMESPACE>
# apt-get install gnupg2
# apt-get install git-crypt

2- Make a new directory for the gpg keys

# cd /
# mkdir keys

3- On your local machine, generate a gpg key pair for jenkins with no passphrase (if it's a new instance; otherwise skip this step and use the existing one)

$ gpg --gen-key

Add the name and email 'jenkins' and 'jenkins@cdebase.com' (please note that this key is already created; this is just an example)

4- Export the public and private keys of the jenkins user

$ gpg --list-keys
$ gpg --export -a jenkins > public.key
$ gpg --export-secret-key -a jenkins > private.key

5- Copy the exported keys to the jenkins pod, into the directory /keys

$ kubectl cp public.key <JENKINS_POD>:/keys -n <NAMESPACE>
$ kubectl cp private.key <JENKINS_POD>:/keys -n <NAMESPACE>

6- Import the keys in the jenkins instance

$ kubectl exec -it <JENKINS_POD> bash -n <NAMESPACE>
# cd /keys 
# gpg --import public.key
# gpg --allow-secret-key-import --import private.key
# gpg --list-keys

7- Set the trust level of the key

# gpg --edit-key jenkins
> trust
> 5
> y
> quit

8- Start encrypting files in a repo with git-crypt

$ cd repo
$ git-crypt init
$ touch .gitattributes

Edit the file .gitattributes and add the following line to it:

<SECRET_FILE_DIRECTORY> filter=git-crypt diff=git-crypt

Save and exit.

9- Add users to the repo

$ cd repo
$ git-crypt add-gpg-user --trusted jenkins

Note: if you need to add a different user, export that user's public key, trust it, then repeat step 9 for that user.

10- Commit and push to your branch
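After pushing, it is worth verifying that the files under <SECRET_FILE_DIRECTORY> really landed encrypted: git-crypt only encrypts files added after the .gitattributes rule is in place, and a path the pattern does not match is committed in plaintext. The script below is an added example, not part of this wiki or of git-crypt; it assumes that a git-crypt encrypted blob starts with the 10-byte magic header "\0GITCRYPT\0" and checks the committed copy (git show HEAD:path) rather than the working tree, which is plaintext in an unlocked checkout.

```sh
#!/bin/sh
# Added example (not from the wiki): audit that secrets under the git-crypt
# directory are stored encrypted in the repository.
# Assumption: git-crypt blobs begin with the magic bytes "\0GITCRYPT\0".
GIT_CRYPT_MAGIC='00 47 49 54 43 52 59 50 54 00'

# Reads a blob on stdin; returns 0 if it starts with the git-crypt header,
# 1 if it is plaintext (or shorter than the header).
is_git_crypt_blob() {
    hex=$(dd bs=1 count=10 2>/dev/null | od -An -v -tx1 \
          | tr -d '\n' | tr -s ' ' | sed 's/^ //; s/ *$//')
    [ "$hex" = "$GIT_CRYPT_MAGIC" ]
}

# Prints every regular file under the given directory that is NOT a
# git-crypt blob. Meant for a directory of exported committed blobs, e.g.
# written with: git show "HEAD:$path" > exported/"$path"
list_plaintext_files() {
    find "$1" -type f | sort | while IFS= read -r f; do
        is_git_crypt_blob < "$f" || printf '%s\n' "$f"
    done
}

# Same check straight against the committed tree of the current repo:
# every tracked path under <SECRET_FILE_DIRECTORY> whose HEAD blob lacks
# the header is reported, since that is what anyone cloning the repo sees.
audit_committed() {
    git ls-files -- "$1" | while IFS= read -r p; do
        git show "HEAD:$p" | is_git_crypt_blob \
            || printf 'PLAINTEXT IN REPO: %s\n' "$p"
    done
}
```

Run `audit_committed <SECRET_FILE_DIRECTORY>` from the repo root; any line it prints is a file that must be re-added under the filter (and its plaintext history treated as exposed).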

Encrypting secret files for users to add

1- install `

2- Generate and export a key. On your local machine, generate a gpg key pair for jenkins with no passphrase (if it's a new instance; otherwise skip this step and use the existing one)

$ gpg --gen-key

Add the name and email 'jenkins' and 'jenkins@cdebase.com' (please note that this key is already created; this is just an example)

Export public key to a file

gpg --export -a YOUR_NAME > public.key

3- Edit to add user key.