When you use Travis CI for continuous integration (CI) and continuous deployment (CD), you will inevitably need to include sensitive data either in the Travis CI config file (variables such as an API key or app ID) or in the project folder (files such as a certificate or profile).

To help protect them, the Travis CLI provides two convenient commands, travis encrypt and travis encrypt-file, to encrypt variables and files.

## Encrypt Variables

A variable encrypted by travis encrypt can only be used in the .travis.yml file. The command looks like this:

travis encrypt "FOO=bar" --add

FOO is the variable name, which can be accessed as $FOO throughout the Travis run, and bar is its value. The --add option automatically adds the encrypted value to your .travis.yml file. Here is a terminal example.

NOTE: Using --add is NOT recommended, since it re-formats your .travis.yml file and DELETES all of your nice comments!!!

$ travis encrypt "TRAVIS_ENCRYPTION_KEY=4b4379055f7cfafdsfadsfadsfds85536efa32fcc47055d3296b7cd68c763912" 
Please add the following to your .travis.yml file:

  secure: "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"

Pro Tip: You can add it automatically by running with --add.

## Encrypt File

The travis encrypt-file command is essentially a wrapper around the openssl command. The following command:

travis encrypt-file -K "fookey" --iv "foodiv"  scripts/certs/dist.cer

is equivalent to this one by openssl:

openssl aes-256-cbc -K "fookey" -iv "foodiv" -in scripts/certs/dist.cer -out scripts/certs/dist.cer.enc

NOTE: The openssl command above does not use the -a option, which performs Base64 encoding/decoding. In other words, when you use openssl to decrypt the file in a bash script, be sure NOT to add -a if you encrypted the file with travis encrypt-file.

### How to Generate the Key and IV

The key must be 64 characters long and the IV must be 32 characters long, and both must be valid hex numbers. Here is how to generate them with Ruby:

# Key
ruby -rsecurerandom -e 'puts SecureRandom.hex(32).chomp'
# IV
ruby -rsecurerandom -e 'puts SecureRandom.hex(16).chomp'
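
A round trip of the encrypt and decrypt steps described above, as an added example that is not part of the original post. The function names and the temporary sample file are hypothetical; the script also checks the key and IV lengths first, because openssl pads a short hex value with zero bytes rather than rejecting it.

```shell
#!/bin/sh
# Added example: the names (is_hex_len, check_key_iv, encrypt_file,
# decrypt_file, roundtrip_demo) and the sample file are hypothetical.

# Succeed only if $1 consists of exactly $2 hex characters.
is_hex_len() {
  case "$1" in
    ''|*[!0-9a-fA-F]*) return 1 ;;
  esac
  [ "${#1}" -eq "$2" ]
}

# Validate key and IV before calling openssl: openssl pads a short -K/-iv hex
# value with zero bytes instead of rejecting it, which weakens the key.
check_key_iv() {
  is_hex_len "$1" 64 || { echo "key must be 64 hex characters" >&2; return 2; }
  is_hex_len "$2" 32 || { echo "IV must be 32 hex characters" >&2; return 2; }
}

# Usage: encrypt_file KEY IV INFILE OUTFILE  (raw binary output, no -a)
encrypt_file() {
  check_key_iv "$1" "$2" || return
  openssl aes-256-cbc -e -K "$1" -iv "$2" -in "$3" -out "$4"
}

# Usage: decrypt_file KEY IV INFILE OUTFILE  (no -a, matching the encrypt side)
decrypt_file() {
  check_key_iv "$1" "$2" || return
  openssl aes-256-cbc -d -K "$1" -iv "$2" -in "$3" -out "$4"
}

# Encrypt a constructed sample file with a fresh key/IV, decrypt it, compare.
roundtrip_demo() {
  rt_dir=$(mktemp -d) || return 1
  printf 'constructed sample certificate bytes\n' > "$rt_dir/dist.cer"
  rt_key=$(openssl rand -hex 32)   # 64 hex characters
  rt_iv=$(openssl rand -hex 16)    # 32 hex characters
  encrypt_file "$rt_key" "$rt_iv" "$rt_dir/dist.cer" "$rt_dir/dist.cer.enc" &&
    decrypt_file "$rt_key" "$rt_iv" "$rt_dir/dist.cer.enc" "$rt_dir/out.cer" &&
    cmp -s "$rt_dir/dist.cer" "$rt_dir/out.cer"
  rt_rc=$?
  rm -rf "$rt_dir"
  return "$rt_rc"
}

if command -v openssl >/dev/null 2>&1; then
  roundtrip_demo && echo "round trip OK" || echo "round trip FAILED" >&2
fi
```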
