Jul 02, 2015 Secure bosh-workspace with git-crypt
Because of what a bosh-workspace is for, its repository will contain sensitive data (keys, certificates and passwords). To prevent leaks, this data should be encrypted before it is pushed to a remote such as GitHub.
In this blog post we will go over how to set up your bosh-workspace repository to store encrypted versions of your deployment manifests, keys and, optionally, microbosh deployment files. The tools we will be using are git-crypt and (optionally) keybase.io.
First we will have to install git-crypt:

```sh
# OSX
brew install git-crypt

# Ubuntu (build from source)
sudo apt-get install libssl-dev
cd /tmp && wget https://github.com/AGWA/git-crypt/archive/0.5.0.zip
unzip 0.5.0.zip && cd git-crypt-0.5.0/
make && sudo make install
```
Next create an empty bosh-workspace repository:

```sh
git init demo-boshworkspace && cd demo-boshworkspace
mkdir deployments templates
echo -e 'source "https://rubygems.org"\n\ngem "bosh-workspace"' > Gemfile
echo -e '.stemcells*\n.deployments*\n.releases*\n.stubs*\n' > .gitignore
git add . && git commit -m "Initial commit"
```
The next step is to initialize git-crypt, which generates a symmetric key for encrypting your files (it lives unencrypted under .git/ and is never committed). We also specify which files to encrypt via .gitattributes. Note that the filter only acts on files staged after these attributes are in place: a matching file that is already tracked stays in plaintext until you re-add it.

```sh
git-crypt init
for i in "deployments/*.yml" "ssh/*" "microbosh/**/micro_bosh.yml"
do
  echo "$i filter=git-crypt diff=git-crypt" >> .gitattributes
done
git add .gitattributes && git commit -m "Added git-crypt filters"
```
Distributing keys can be cumbersome, which is why we will use keybase.io and gpg to encrypt the symmetric key:

```sh
curl https://keybase.io/rkoster/key.asc | gpg --import
git-crypt add-gpg-user rkoster
```
The above first downloads the public gpg key of user rkoster (you should use your own public gpg key) and then uses this public key to create an encrypted copy of the symmetric key, stored under .git-crypt/keys/default/0/ in a file named after the key's fingerprint. Since add-gpg-user resolves its argument through gpg, prefer the full key fingerprint over a name that could match more than one key, and compare it with the fingerprint shown on the Keybase profile. On a machine that holds the matching private gpg key, this encrypted key can be decrypted by running git-crypt unlock without arguments.
So now that we have a bosh-workspace repo configured for encryption, let's explore the deployment side of things. For this demo we will create a foo.yml deployment which we will decrypt on the inception/bastion server.
First let's create the foo deployment (for demonstration purposes we will use an invalid manifest):

```sh
echo -e "---\nname: foo" > deployments/foo.yml
git add deployments/foo.yml && git commit -m "Initial foo deployment"
```
After running the above commands you should have an encrypted deployment file:

```
> git-crypt status
not encrypted: .git-crypt/.gitattributes
not encrypted: .git-crypt/keys/default/0/5865815F708529816343DCC1F6A8BA05268F177D.gpg
not encrypted: .gitattributes
not encrypted: .gitignore
not encrypted: Gemfile
    encrypted: deployments/foo.yml
```
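The status output above is the check worth automating: a file that was committed before the attributes existed, or whose path does not match any pattern, is pushed in the clear even though the repository "uses git-crypt". The following is an added example, not code from the original post or from git-crypt, of a pre-commit/CI check that does not need git-crypt installed. It re-implements the gitattributes path matching for the patterns used in this post and looks for git-crypt's file header, which is assumed here to be the 10-byte marker `\0GITCRYPT\0` followed by a 12-byte nonce (the format git-crypt 0.5 writes). The `staged_files` helper is an assumption about how you would wire it into a hook; the sample attributes and blobs are constructed for the demo.

```python
import re
import subprocess
from typing import Dict, List

# git-crypt stores an encrypted file as a 10-byte magic header, a 12-byte
# nonce and then AES-CTR ciphertext. A blob without that prefix is plaintext.
GITCRYPT_MAGIC = b"\x00GITCRYPT\x00"
GITCRYPT_NONCE_LEN = 12

def gitattributes_to_regex(pattern: str) -> "re.Pattern":
    """Translate a .gitattributes glob into an anchored regex, following
    gitattributes(5): '*' and '?' never cross '/', '**/' matches zero or more
    directories, and only a pattern containing '/' is anchored at the root."""
    anchored = "/" in pattern
    pat = pattern.lstrip("/")
    parts: List[str] = []
    i = 0
    while i < len(pat):
        if pat.startswith("**/", i):
            parts.append("(?:.*/)?")
            i += 3
        elif pat.startswith("**", i):
            parts.append(".*")
            i += 2
        elif pat[i] == "*":
            parts.append("[^/]*")
            i += 1
        elif pat[i] == "?":
            parts.append("[^/]")
            i += 1
        else:
            parts.append(re.escape(pat[i]))
            i += 1
    body = "".join(parts)
    if not anchored:
        body = "(?:.*/)?" + body  # bare names match in any directory
    return re.compile("^" + body + "$")

def encrypted_patterns(gitattributes: str) -> List["re.Pattern"]:
    """Regexes for every .gitattributes pattern that carries filter=git-crypt."""
    patterns = []
    for line in gitattributes.splitlines():
        fields = line.split()
        if fields and not fields[0].startswith("#") and "filter=git-crypt" in fields[1:]:
            patterns.append(gitattributes_to_regex(fields[0]))
    return patterns

def looks_encrypted(blob: bytes) -> bool:
    """True if the blob starts with git-crypt's magic header plus a full nonce."""
    return blob.startswith(GITCRYPT_MAGIC) and len(blob) >= len(GITCRYPT_MAGIC) + GITCRYPT_NONCE_LEN

def classify(files: Dict[str, bytes], gitattributes: str) -> Dict[str, str]:
    """Map each path to 'encrypted', 'PLAINTEXT' (covered but stored in the
    clear) or 'not covered' (no git-crypt attribute matches the path)."""
    patterns = encrypted_patterns(gitattributes)
    status = {}
    for path, blob in files.items():
        if not any(p.match(path) for p in patterns):
            status[path] = "not covered"
        elif looks_encrypted(blob):
            status[path] = "encrypted"
        else:
            status[path] = "PLAINTEXT"
    return status

def leaks(files: Dict[str, bytes], gitattributes: str) -> List[str]:
    """Paths that should be encrypted but are not: the ones to block a push on."""
    return sorted(p for p, s in classify(files, gitattributes).items() if s == "PLAINTEXT")

def staged_files() -> Dict[str, bytes]:
    """Assumed hook wiring (not exercised by the sample): read the staged blobs
    via git cat-file, which returns the stored bytes without running the smudge
    filter, unlike the plaintext checkout in the working tree."""
    names = subprocess.check_output(["git", "ls-files", "-z"]).split(b"\0")
    return {n.decode(): subprocess.check_output(["git", "cat-file", "blob", ":" + n.decode()])
            for n in names if n}

# Constructed sample: the .gitattributes from the post plus a few blobs. A real
# encrypted file is stood in for by the header, a dummy nonce and fake ciphertext.
SAMPLE_GITATTRIBUTES = """\
deployments/*.yml filter=git-crypt diff=git-crypt
ssh/* filter=git-crypt diff=git-crypt
microbosh/**/micro_bosh.yml filter=git-crypt diff=git-crypt
"""
SAMPLE_FILES = {
    "deployments/foo.yml": GITCRYPT_MAGIC + b"\x11" * GITCRYPT_NONCE_LEN + b"\xde\xad\xbe\xef",
    "deployments/bar.yml": b"---\nname: bar\nadmin_password: hunter2\n",  # committed before git-crypt init
    "microbosh/aws/micro_bosh.yml": GITCRYPT_MAGIC + b"\x22" * GITCRYPT_NONCE_LEN + b"\x00\x01",
    "ssh/keys/id_rsa": b"-----BEGIN RSA PRIVATE KEY-----\n",  # one directory too deep for ssh/*
    "Gemfile": b'source "https://rubygems.org"\n',
}

if __name__ == "__main__":
    for path, state in sorted(classify(SAMPLE_FILES, SAMPLE_GITATTRIBUTES).items()):
        print(f"{state:>12}: {path}")  # in a hook: exit 1 if leaks(staged_files(), ...) is non-empty
```

Two findings in the sample are the ones that bite in practice: `deployments/bar.yml` is covered by the filter but stored in plaintext (typical for a file added before `git-crypt init`), and `ssh/keys/id_rsa` is not covered at all because `*` does not cross a directory boundary, so `ssh/*` silently misses it. A flagged plaintext file is fixed by re-staging it so the clean filter runs (`git rm --cached` followed by `git add`); a coverage gap is fixed by widening the pattern, e.g. `ssh/**`.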
On our deployment server we don't want to use our private gpg key, since this environment could be shared with other BOSH operators. So we export the symmetric key of this repo instead. Treat the exported file like a private key: it decrypts every encrypted file in the repository, including all past revisions, so move it over a trusted channel and delete it once the clone is unlocked (unlock keeps its own copy under .git/).

```sh
git-crypt export-key /tmp/key
```
Now let's clone this repo to a deployment environment (for demo purposes just another folder on the same machine):

```sh
git clone ./ ../deploy-demo-boshworkspace
cd ../deploy-demo-boshworkspace
```
Our deployment file is currently still encrypted (the GITCRYPT marker is followed by binary ciphertext):

```
> cat deployments/foo.yml
GITCRYPT<binary ciphertext>
```
So all that is left is unlocking the cloned repo with the exported key:

```sh
git-crypt unlock /tmp/key
```
Now the deployment file is decrypted:

```
> cat deployments/foo.yml
---
name: foo
```
This concludes the demonstration of how to use git-crypt in combination with bosh-workspace. We also used keybase.io for retrieving a user's public gpg key. Keybase was chosen because of its ease of use; there are, however, plenty of other ways to distribute public gpg keys.