Security is the top priority in Buddy: from physical security measures in our data centers to read-only repository policy to sensitive data encryption, we always put special effort to make sure your code is safe and sound with our service. In this article, you will learn how to properly secure sensitive data when configuring your CI/CD process.
Defining private data in actions
Some of the pipeline actions in Buddy demand providing sensitive data. For example, the SFTP action requires access credentials to your server, such as login or password. Here's what we do to keep them safe:
- They are salted with unique salt and encrypted
- They are not displayed while the action is edited
- The API and the export feature always return them in an encrypted form
Environment variables encryption
Environment variables are a great way to store fragile data, such as passwords or API keys, that you'd otherwise have to keep hardcoded in your scripts.
Variables are secured in the following ways:
- Before saving every encrypted variable is salted (unique salt) and encrypted
- The variable value isn't displayed while the action is edited
- The values of encrypted environment variables are hashed in the logs of the pipeline actions
YAML data encryption
If you manage the configuration with YAML, you should add sensitive data in one of two ways:
- Define sensitive data in the GUI with environment variables and use variable keys instead of real values
- Encrypt the value using Buddy Encryption Tool and provide the encrypted value in the YAML file
Using encrypted variables in YAML
Here we'll show you how to define a password using encrypted variables in YAML on the example of the SFTP action.
Go to 'Project Options' and switch to the Variables tab:
Add a new variable and mark it as encrypted:
With the variable defined, you can now use it in the YAML file:
Using encrypted variables in YAML with Buddy Encryption Tool
We shall use the same SFTP action show how to define a password with the encrypted value.
Go to the 'Pipelines' tab and click 'YAML helper' in the right menu. Select ‘Generate an encrypted value':
Provide the input value and click 'Encrypt'. It will produce a hash that you can copy and safely use in your YAML:
The salt which is used to encrypt the values is unique for each workspace. If you change it, you will need to change all encrypted values in your YAMLs.
The value should be changed only when you move your pipelines with the export/import option – either to another workspace, or from Cloud to the on-premises version.
Sensitive data in configuration files
Configuration files often contain sensitive data. Depending on the application version they are different, which means you need to deploy them together with the app files.
The template and the Find & Replace action
A template of such config file should be kept in the repository with keys masking the sensitive data. Next, you can use the 'Find & Replace' action before the deployment to update the data in the template.
You should keep your configuration template in the repository. In the template instead of providing sensitive data provide keys. Then replace the data in the template just before the deployment using the Find & replace action. Such file can be safely deployed to the server:
Uploading config to the filesystem as a static file
Sometimes you may not want to store your config in the repository, but still want to deploy it with the rest of the source files. To do this, you can upload such file manually to the filesystem as a static file:
Static files uploaded to the filesystem are not purged when clearing the pipeline cache.
You can read more about filesystem and static files here.