`encrypt-file` cannot be used for multiple files #239

Closed
BanzaiMan opened this Issue Oct 20, 2014 · 8 comments

Member

BanzaiMan commented Oct 20, 2014

It seems impossible to use encrypt-file on multiple files.

One can run the command multiple times on different files, but the later invocation overwrites the secure environment variables, invalidating the earlier encryptions.

I suspect -K and -iv flags are meant to overcome this, but it fails as follows:

$ travis encrypt-file --skip-version-check -K 7b758bbf041361268b192d816d60ec84907106015402f31fdc5ae165fdce0979 -iv 7aaf728695ac967003d5345d9be63924 foo1
travis: version unknown

@BanzaiMan BanzaiMan added bug cli labels Oct 20, 2014

Member

rkh commented Oct 28, 2014

I don't know where the "version unknown" is coming from. -K and -iv should not be used in the normal workflow, even for multiple files.

Each file should have its own set of variables (that's why there's a hash in the var name). Do you have an example for this failing?

@mfornasa

+1

@chris-redekop

rayshan commented Nov 17, 2014

+1

Here's an example of encrypting multiple files failing:
https://travis-ci.org/rayshan/ga-extractor/builds/41199310

Note that I ran encrypt-file multiple times; every time it seems to generate a new key / iv pair, as seen from the -p flag. On Travis CI only 1 pair of key / iv is saved.

grahamc commented Nov 25, 2014

+1

pirog commented Dec 3, 2014

+1

@travis-ci travis-ci locked and limited conversation to collaborators Dec 4, 2014

Member

BanzaiMan commented Jan 8, 2015

I don't think we can pull the decrypted key and iv values once they are uploaded.

Workaround

Create an archive of sensitive files, and encrypt this archive. In your before_install section, you'd decrypt it, and expand the archive.

$ tar cvf secrets.tar foo bar
$ travis encrypt-file secrets.tar
$ vi .travis.yml
$ git add secrets.tar.enc .travis.yml
$ git commit -m 'use secret archive'
$ git push

before_install:
  - openssl aes-256-cbc -K $encrypted_5880cf525281_key -iv $encrypted_5880cf525281_iv -in secrets.tar.enc -out secrets.tar -d
  - tar xvf secrets.tar

The management might be a little cumbersome still.
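
The failure reported in this thread and the archive workaround above can be reproduced locally with openssl alone. This is an added example, not code from the thread or from the travis CLI; the helper names, file contents and random key/iv pairs are constructed, and it assumes that only the last key/iv pair is available at build time, as the reporters describe.

```bash
# Added example (not from the thread). Keys and IVs are random, constructed
# stand-ins for the pair each `travis encrypt-file` run generates.
new_key() { openssl rand -hex 32; }   # AES-256 key, 64 hex chars
new_iv()  { openssl rand -hex 16; }   # CBC IV, 32 hex chars

# encrypt/decrypt IN OUT KEY IV: same cipher and flags as the workaround.
encrypt() { openssl aes-256-cbc -K "$3" -iv "$4" -in "$1" -out "$2"; }
decrypt() { openssl aes-256-cbc -K "$3" -iv "$4" -in "$1" -out "$2" -d 2>/dev/null; }

# Write two constructed secret files into directory $1.
make_secrets() { printf 'secret one\n' > "$1/foo"; printf 'secret two\n' > "$1/bar"; }

# Report, for foo and bar, whether the copy in $2 matches the original in $1.
report() {
  out=""
  for f in foo bar; do
    if cmp -s "$1/$f" "$2/$f"; then out="$out $f:ok"; else out="$out $f:lost"; fi
  done
  echo "${out# }"
}

# Failure mode: one invocation per file, but only the last key/iv pair survives.
demo_separate() (
  d=$(mktemp -d); mkdir "$d/ci"; make_secrets "$d"
  k1=$(new_key); i1=$(new_iv); encrypt "$d/foo" "$d/foo.enc" "$k1" "$i1"
  k2=$(new_key); i2=$(new_iv); encrypt "$d/bar" "$d/bar.enc" "$k2" "$i2"
  for f in foo bar; do   # the build only has k2/i2
    decrypt "$d/$f.enc" "$d/ci/$f" "$k2" "$i2" || rm -f "$d/ci/$f"
  done
  report "$d" "$d/ci"; rm -rf "$d"
)

# Workaround: one archive, one invocation, one pair to keep.
demo_archive() (
  d=$(mktemp -d); mkdir "$d/ci"; make_secrets "$d"
  tar cf "$d/secrets.tar" -C "$d" foo bar
  k=$(new_key); i=$(new_iv); encrypt "$d/secrets.tar" "$d/secrets.tar.enc" "$k" "$i"
  decrypt "$d/secrets.tar.enc" "$d/ci/secrets.tar" "$k" "$i" &&
    tar xf "$d/ci/secrets.tar" -C "$d/ci"
  report "$d" "$d/ci"; rm -rf "$d"
)

demo_separate   # foo:lost bar:ok
demo_archive    # foo:ok bar:ok
```

Running the same decrypt-and-compare check on secrets.tar.enc before pushing confirms that the pair stored for the build actually opens the archive.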

@BanzaiMan BanzaiMan closed this Jan 8, 2015
