Encrypt your credentials

Keep your passwords, access keys and other secrets private

If you haven't done so, you should have a look at our Introduction to encryption in ElectricSheep.IO.

You can use a GPG keypair to encrypt information that you want to put into your Sheepfile while keeping it private. This way you can place your Sheepfile under version control, even in a public repository, without compromising your credentials.

How it works

ElectricSheep.IO relies on GPG to encrypt and decrypt secrets using public key cryptography. Public key cryptography involves a public key and a private key. You use the public key to encrypt secrets, while your ElectricSheep.IO installation uses its private key to decrypt them at runtime.
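To make the key separation concrete, here is an added illustration (not ElectricSheep.IO code, which shells out to GPG) using RSA through Ruby's standard OpenSSL binding as a stand-in for the GPG keypair. PEM strings play the role of the two exported .asc files: the operator encrypts with the public half, the server decrypts with the private half, and an attempt to decrypt with only the public half fails.

```ruby
require "openssl"

# Stand-in for `gpg --gen-key` plus the two exports: returns [public_pem, private_pem].
# RSA via OpenSSL is used here only to illustrate the model; ES.IO itself uses GPG.
def generate_keypair(bits = 2048)
  private_key = OpenSSL::PKey::RSA.new(bits)
  [private_key.public_key.to_pem, private_key.to_pem]
end

# Operator side (what `electric_sheep encrypt -k <public key>` does conceptually):
# only the public key is needed, so this can run anywhere.
def encrypt_secret(public_pem, plaintext)
  pub = OpenSSL::PKey::RSA.new(public_pem)
  ciphertext = pub.public_encrypt(plaintext, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
  [ciphertext].pack("m0") # single-line base64, like the default encrypt output
end

# Server side (what `decrypt with:` enables at runtime): the private key
# recovers the secret from the token stored in the Sheepfile.
def decrypt_secret(private_pem, encoded)
  priv = OpenSSL::PKey::RSA.new(private_pem)
  priv.private_decrypt(encoded.unpack1("m0"), OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
end

# Why publishing the public key is safe: a public-only key object has no
# private exponent, so decryption with it raises instead of revealing the secret.
def public_key_can_decrypt?(public_pem, encoded)
  pub = OpenSSL::PKey::RSA.new(public_pem)
  pub.private_decrypt(encoded.unpack1("m0"), OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
  true
rescue OpenSSL::PKey::PKeyError
  false
end

if $PROGRAM_NAME == __FILE__
  pub, priv = generate_keypair
  token = encrypt_secret(pub, "PASSWORD") # constructed sample secret
  puts "token:     #{token}"
  puts "decrypted: #{decrypt_secret(priv, token)}"
  puts "public key alone can decrypt? #{public_key_can_decrypt?(pub, token)}"
end
```

Because OAEP padding is randomised, encrypting the same password twice yields two different tokens; the same is true of GPG output, so a changed token in version control does not by itself mean the credential changed.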

Setup

Prerequisites

GPG should be installed on the target system.

Generate a GPG keypair

The first step is to generate and export a keypair. You'll then deploy the private key to the server running ElectricSheep.IO, and use the public key to encrypt credentials. To generate a GPG keypair:

gpg --gen-key

🚧

Passphrases

At the time of writing, ES.IO does not support passphrases, so you should use a blank one.

You'll be asked to provide arbitrary values for "Real name" (e.g. "ElectricSheep.IO") and email (e.g. "[email protected]"). GPG defaults for other parameters are secure, so feel free to use them.

Remember to write down the email address you provided as it will be used to export the keys during the next step.

Export the keys

Use the email provided in the previous step as the key identifier and export the keys to a specific (and secure) location:

# Export the public key (replace </path/to> with the actual path)
gpg --batch --armor --output </path/to>/electric_sheep.public.gpg.asc --export [email protected]
# Export the private key (replace </path/to> with the actual path)
gpg --batch --armor --output </path/to>/electric_sheep.private.gpg.asc --export-secret-key [email protected]

Store a copy of your keys in a safe place and put the private key in a secure location on the server hosting ES.IO. Distributing the public key does not put you at risk, so you may communicate it to your teammates or even make it available somewhere on the Web.

Using the keys

ElectricSheep.IO provides the encrypt command to encrypt private information using a GPG public key:

# Replace </path/to> with the actual path to the public key
electric_sheep encrypt -k </path/to>/electric_sheep.public.gpg.asc "PASSWORD"

The command outputs the encrypted data so that you may use it as the argument of the encrypted function in your Sheepfile. You'll also have to tell ES.IO where the private key is located, using the decrypt verb:

# Replace </path/to> with the actual key location
decrypt with: "</path/to>/electric_sheep.private.gpg.asc"

job "mysql-backup" do
  resource "database", name: "my-db", host: "db-host"
  remotely as: "operator" do
    mysql_dump user: "user", password: encrypted("hQEMA5gb42cxCFIzAQf+Phn+Y/z+SLroDX0/d0Qg6YinauaKEODUvnHwxxns3LCwCY2/YWQdP076AlX2o8zU/0/hDXUksakCFlRn+kYL3amT8yNbcApwo6Z6pDLtYCWEp1M0lx0N9vVYvdUF5/R9nh1eT5zJqOIsVmFau4V4WeJ/V67zXNrd3nXWoZpMH+HlO1qo+vL9p2hDfm/zIYDaZI2SJ90zZbwsfpYbjgirVjuHtYVN2FCti3k1k2dc5fmzzA6WE82w7rnLlv6sV3wSo3xsChgSdj1JJw0kkJ8XV0gYuvT/IGgQEIQiwSVQzwhXPdJGaPXnZ+P3UpIMXQQqq52QF+BkZvkbs5nCqI+EqNJDAXVen691DvgJjHp4cIunZKJC9H3EWftw8XcMORQjqlokPkRw9ZJn3X58WN7x4M9mC1o+Fp2VPhFv/Qpeju8GZ9d9Zw===bYzA")
  end
end

📘

Output format of the encrypt command

By default, ES.IO removes the PGP headers and line breaks from the GPG output so it fits on a single line. If you prefer a standard ASCII-armored output, set the --standard-armor option and use a heredoc in your Sheepfile.
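The two output shapes are interconvertible, which matters when you need to hand a single-line token back to `gpg` for inspection. The following added example (not ElectricSheep.IO's own implementation, whose exact stripping rules are only described in the paragraph above) collapses ASCII armor to a single line and rebuilds it. The armored message is a constructed sample: the base64 body is filler, not a real OpenPGP packet.

```ruby
# Constructed sample of what `gpg --armor --encrypt` prints (filler body, not real data).
SAMPLE_ARMOR = <<~ARMOR
  -----BEGIN PGP MESSAGE-----
  Version: GnuPG v2

  hQEMA5gb42cxCFIzAQf+Phn+Y/z+SLroDX0/d0Qg6YinauaKEODUvnHwxxns3LCw
  CY2/YWQdP076AlX2o8zU/0/hDXUksakCFlRn+kYL3amT8yNbcApwo6Z6pDLtYCWE
  =bYzA
  -----END PGP MESSAGE-----
ARMOR

# Collapse armored output to the single-line form used by default in a Sheepfile:
# drop the BEGIN/END lines, the armor header block (everything up to the first
# blank line, e.g. "Version:" or "Comment:") and all line breaks.
def to_single_line(armored)
  lines = armored.lines.map(&:chomp)
  body = lines.reject { |l| l.start_with?("-----") }
  blank = body.index("")
  body = body[(blank + 1)..] if blank
  body.join
end

# Rebuild standard armor from the single-line form. The trailing "=XXXX" is the
# armor's CRC24 checksum line and must stay on its own line; the lazy match keeps
# any "=" or "==" base64 padding with the payload.
def to_armor(single_line, width: 64)
  payload, crc = single_line.match(/\A(.*?)(=[A-Za-z0-9+\/]{4})?\z/m).captures
  out = ["-----BEGIN PGP MESSAGE-----", ""] # GnuPG 2.1+ emits an empty header block
  out.concat(payload.scan(/.{1,#{width}}/))
  out << crc if crc
  out << "-----END PGP MESSAGE-----"
  out.join("\n") + "\n"
end

if $PROGRAM_NAME == __FILE__
  single = to_single_line(SAMPLE_ARMOR)
  puts "single line: #{single}"
  puts "rebuilt armor:"
  puts to_armor(single)
end
```

Rebuilt armor is what you would place in a heredoc when using --standard-armor; the round trip through `to_single_line` returns the original token unchanged.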

See the Command Line Reference for all options of the encrypt command.