Secrets encryption
From physical security measures in AWS data centers to a read-only repository policy and encryption of sensitive data, we always make a special effort to ensure your code is safe with our service. In this article, we guide you through the proper steps for securing sensitive data while configuring your CI/CD process.
Defining private data in actions
Some pipeline actions in Buddy require sensitive data. For example, the SFTP action needs access credentials for your server, such as a login and password. All credentials in Buddy are:
- Salted with unique salt and encrypted
- Not displayed while the action is edited
- Returned in encrypted form by the API and the export feature
Environment variables encryption
In addition to securing sensitive data in pipeline actions, Buddy also provides encryption for environment variables. Environment variables are a great way to store sensitive data, such as passwords or API keys, that you would otherwise have to hardcode in your scripts.
Here's how we ensure the security of environment variables:
- Before saving, every encrypted variable is salted with a unique salt and encrypted
- The variable value isn't displayed while the action is edited
- The values of encrypted environment variables are hashed in the logs of the pipeline actions
YAML data encryption
If you manage configuration with YAML, there are two recommended ways to handle sensitive data:
- Define sensitive data in the GUI with environment variables and use variable keys instead of real values
- Encrypt the value using Buddy Encryption Tool and provide the encrypted value in the YAML file
Using encrypted variables in YAML
Here we'll show how to define a password with an encrypted variable in YAML, using the SFTP action as an example.
- Open the Variables, Keys & Assets tab in your project:
Variables tab
- Add a new variable and mark it as encrypted:
Adding encrypted variable
- With the variable defined, you can now use it in the YAML file:
YAML configuration
Using encrypted variables in YAML with Buddy Encryption Tool
We'll use the same SFTP action to explain how to define a password with a value encrypted by the Buddy Encryption Tool.
- Navigate to Project Settings in the left menu. Click on YAML tools and select 'Encrypt sensitive value for YAML':
Generating new encrypted value
- Provide the input value and click Encrypt. An encrypted value will be generated that you can copy and safely use in your YAML file:
Setting new encrypted value
Sensitive data in configuration files
Configuration files often contain sensitive data. Their contents differ between application versions, which means you need to deploy them together with the application files.
Config templates
Keep a template of the config file in the repository, with keys in place of the sensitive values. Then, just before deployment, use the Find & Replace action to substitute the real values into the template. The resulting file can be safely deployed to the server:
Find and Replace action configuration
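The template-and-replace step described above, as an added example that is not Buddy's own code: a small helper that substitutes `{{KEY}}` placeholders from environment variables, refuses to produce a config while any placeholder is still unreplaced (a variable never defined in Variables, Keys & Assets), checks that the committed template does not already contain a real secret, and masks secret values in log lines the way encrypted variables are hidden in action logs. The `{{KEY}}` placeholder syntax and the function names are assumptions.

```python
"""Hypothetical deploy-time helper for the config-template approach (not Buddy's code)."""
import os
import re

# Assumed placeholder syntax for keys in the committed template, e.g. {{DB_PASSWORD}}
PLACEHOLDER = re.compile(r"\{\{([A-Z0-9_]+)\}\}")


def render_template(template: str, env: dict) -> str:
    """Replace every {{KEY}} with env[KEY]; fail if any key is undefined."""
    missing = set()

    def substitute(match):
        key = match.group(1)
        if key not in env:
            missing.add(key)
            return match.group(0)  # leave it so the caller sees what is missing
        return env[key]

    rendered = PLACEHOLDER.sub(substitute, template)
    if missing:
        # Never deploy a half-rendered file with literal placeholders in it
        raise KeyError(f"unreplaced placeholders: {sorted(missing)}")
    return rendered


def template_leaks_secret(template: str, secrets) -> bool:
    """True if any real secret value already appears verbatim in the template."""
    return any(s and s in template for s in secrets)


def mask_log_line(line: str, secrets) -> str:
    """Hide secret values in a log line, longest value first to avoid partial masks."""
    for secret in sorted((s for s in secrets if s), key=len, reverse=True):
        line = line.replace(secret, "***")
    return line


# Constructed sample template as it would be committed to the repository
SAMPLE_TEMPLATE = "[database]\nhost = {{DB_HOST}}\npassword = {{DB_PASSWORD}}\n"

if __name__ == "__main__":
    # Constructed values standing in for encrypted environment variables
    env = {"DB_HOST": "db.internal", "DB_PASSWORD": "s3cret"}
    assert not template_leaks_secret(SAMPLE_TEMPLATE, env.values())
    config = render_template(SAMPLE_TEMPLATE, {**os.environ, **env})
    print(mask_log_line("rendered config:\n" + config, env.values()))
```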
Uploading config to filesystem as static file
In some cases, you may not want to store your config in the repository, but still want to deploy it with the rest of the source files. To do this, you can manually upload the file to the filesystem as a static file:
Filesystem tab
To ensure only authorized users have access to the file’s content, you can restrict its permissions to specific users in the Permissions tab in the pipeline settings.
Last modified on January 23, 2024