If you haven't done so, you should have a look at our Introduction to encryption in ElectricSheep.IO.
You can use a GPG keypair to encrypt information that you want to put into your Sheepfile and keep private. This way you may place your Sheepfile under version control, even in a public repository, without compromising your credentials.
ElectricSheep.IO relies on GPG to encrypt and decrypt secrets using public key cryptography. Public key cryptography involves a public key and a private key. You use the public key to encrypt secrets, while your ElectricSheep.IO installation uses its private key to decrypt them at runtime.
GPG should be installed on the target system.
The first step is to generate and export a keypair. You'll then deploy the private key to the server running ElectricSheep.IO, and use the public key to encrypt credentials. To generate a GPG keypair:
At the time of writing, ES.IO does not support passphrases, so you should use a blank one.
You'll be asked to provide arbitrary values for "Real name" (e.g. "ElectricSheep.IO") and email (e.g. "[email protected]"). GPG defaults for other parameters are secure, so feel free to use them.
Remember to write down the email address you provided as it will be used to export the keys during the next step.
Use the email provided in the previous step as the key identifier and export the keys to a specific (and secure) location:
    # Export the public key (replace </path/to> with the actual path)
    gpg --batch --armor --output </path/to>/electric_sheep.public.gpg.asc --export [email protected]

    # Export the private key (replace </path/to> with the actual path)
    gpg --batch --armor --output </path/to>/electric_sheep.private.gpg.asc --export-secret-key [email protected]
Store a copy of your keys in a safe place and place the private key in a secure location on the server hosting ES.IO. Distributing the public key does not put you at risk, so you may communicate it to your teammates or even make it available somewhere on the Web.
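As an added example (not part of the ElectricSheep.IO documentation or code), the shell functions below check the two things this step depends on: that the exported private key is readable only by its owner, and that no private key block has ended up in the repository holding the Sheepfile. The function names and the directory layout are assumptions; the fixture contains only armor header lines, not key material.

```shell
#!/bin/sh
# Added example, not ElectricSheep.IO code. File names follow the export step
# above; function names and the keys/ and repo/ layout are assumptions.
PRIV_HDR='-----BEGIN PGP PRIVATE KEY BLOCK-----'
PUB_HDR='-----BEGIN PGP PUBLIC KEY BLOCK-----'

# Print "private", "public" or "unknown" according to the armor header in $1.
key_kind() {
  if grep -q -e "$PRIV_HDR" -- "$1" 2>/dev/null; then echo private
  elif grep -q -e "$PUB_HDR" -- "$1" 2>/dev/null; then echo public
  else echo unknown
  fi
}

# Succeed only if $1 grants nothing to group or other (mode 600, 400, ...).
# With a blank passphrase, file permissions are all that protects the key at rest.
owner_only() {
  listing=$(ls -ld -- "$1") || return 2
  [ "$(printf '%s' "$listing" | cut -c5-10)" = "------" ]
}

# audit_keys <private_key_file> <repo_dir>
# Prints one line per finding; the exit status is the number of findings.
audit_keys() {
  findings=0
  if [ "$(key_kind "$1")" != private ]; then
    echo "not a private key block: $1"; findings=$((findings + 1))
  fi
  if ! owner_only "$1"; then
    echo "readable by group/other: $1"; findings=$((findings + 1))
  fi
  leaked=$(grep -rl -e "$PRIV_HDR" -- "$2" 2>/dev/null || true)
  if [ -n "$leaked" ]; then
    echo "private key inside repository: $leaked"; findings=$((findings + 1))
  fi
  return "$findings"
}

# Build a constructed layout (header lines only): a key directory and a repository.
make_fixture() {
  d=$(mktemp -d) && mkdir "$d/keys" "$d/repo" || return 1
  printf '%s\n' "$PRIV_HDR" > "$d/keys/electric_sheep.private.gpg.asc"
  printf '%s\n' "$PUB_HDR" > "$d/repo/electric_sheep.public.gpg.asc"
  chmod 600 "$d/keys/electric_sheep.private.gpg.asc"
  echo "$d"
}

# Command-line use: sh audit.sh <private_key_file> <repo_dir>
if [ "$#" -eq 2 ]; then audit_keys "$1" "$2"; fi
```

A non-zero exit status makes the script usable as a pre-commit or deployment check.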
ElectricSheep.IO provides the encrypt command to encrypt private information using a GPG public key:
    # Replace </path/to> with the actual path to the public key
    electric_sheep encrypt -k </path/to>/electric_sheep.public.gpg.asc "PASSWORD"
The command outputs the encrypted data so that you may use it as the argument of the encrypted function in your Sheepfile. You'll also have to make ES.IO aware of the location of the private key using the
    # Replace </path/to> with the actual key location
    decrypt with: "</path/to>/electric_sheep.private.gpg.asc"

    job "mysql-backup" do
      resource "database", name: "my-db", host: "db-host"
      remotely as: "operator" do
        mysql_dump user: "user", password: encrypted("hQEMA5gb42cxCFIzAQf+Phn+Y/z+SLroDX0/d0Qg6YinauaKEODUvnHwxxns3LCwCY2/YWQdP076AlX2o8zU/0/hDXUksakCFlRn+kYL3amT8yNbcApwo6Z6pDLtYCWEp1M0lx0N9vVYvdUF5/R9nh1eT5zJqOIsVmFau4V4WeJ/V67zXNrd3nXWoZpMH+HlO1qo+vL9p2hDfm/zIYDaZI2SJ90zZbwsfpYbjgirVjuHtYVN2FCti3k1k2dc5fmzzA6WE82w7rnLlv6sV3wSo3xsChgSdj1JJw0kkJ8XV0gYuvT/IGgQEIQiwSVQzwhXPdJGaPXnZ+P3UpIMXQQqq52QF+BkZvkbs5nCqI+EqNJDAXVen691DvgJjHp4cIunZKJC9H3EWftw8XcMORQjqlokPkRw9ZJn3X58WN7x4M9mC1o+Fp2VPhFv/Qpeju8GZ9d9Zw===bYzA")
      end
    end
Output format of the
By default, ES.IO removes the PGP headers and carriage returns from the GPG output so it fits on a single line. If you prefer a standard ASCII-armored output, set the --standard-armor option and use a heredoc in your Sheepfile.
See the Command Line Reference for all options of the