In my Jenkins pipeline I am using the Jenkins server's gpg2 executable to decrypt passwords for our Openshift / Kubernetes deploys. I want to replicate this on my workstation somehow.
The Jenkins groovy script supplied by our platform ops team originally handled gpg-encrypted files, but as developers we found the whole development process really error-prone and adapted the script to decrypt the passwords from string variables instead of files.
This is what I'm doing on Jenkins, where the passphrase $pw is from Jenkins credentials:
    readProperties(file: fileIn).each { key, value ->
        B: {
            def plainText = ''
            if (value) {
                echo "encrypted $key is [$value]"
                plainText = sh(
                    script: """echo "$value" |
                        base64 -d -w 0 |
                        gpg2 --batch --decrypt --passphrase $pw |
                        base64 -w 0 """,
                    returnStdout: true
                )
            }
            sh "echo ' $key: $plainText' >> $fileOut"
        }
    }
The tricky bit is to replace the sh command.
I've looked at bouncycastle but can't work out if there is a way to feed in just an encrypted string rather than a whole file. I could write the values to files and work on them, but I'd rather chew on a mouthful of scarab beetles.
It occurred to me that there might be an easier way to decrypt strings than gpg, but I haven't found one - the main requirement being that it can be implemented on Jenkins.
I looked at How to encrypt a string/stream with bouncycastle pgp without starting with a file but I'm hoping a cleaner approach now exists.
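As an added example (it is not from the question, nor from the platform team's Jenkins script), here is a BouncyCastle replacement for the `sh` step that works on the Base64 string directly and never touches a file. It assumes the property values were produced with `gpg2 --symmetric` (passphrase-only encryption), which is what a bare `--passphrase` decrypt with no keyring implies; a public-key-encrypted value would need a secret keyring instead. The `@Grab` coordinates and version are assumptions for running it with the `groovy` CLI on a workstation; on Jenkins the same function would live in a shared library with bcpg on its classpath.

```groovy
// Added example: decrypt a Base64-wrapped, passphrase-encrypted OpenPGP message
// from a String with BouncyCastle, without writing it to a temp file.
// Assumes the value was made with `gpg2 --symmetric`; the artifact/version below
// are assumptions, pin them to whatever your environment already uses.
@Grab('org.bouncycastle:bcpg-jdk15on:1.70')
import org.bouncycastle.jce.provider.BouncyCastleProvider
import org.bouncycastle.openpgp.PGPCompressedData
import org.bouncycastle.openpgp.PGPEncryptedDataList
import org.bouncycastle.openpgp.PGPException
import org.bouncycastle.openpgp.PGPLiteralData
import org.bouncycastle.openpgp.PGPPBEEncryptedData
import org.bouncycastle.openpgp.PGPUtil
import org.bouncycastle.openpgp.jcajce.JcaPGPObjectFactory
import org.bouncycastle.openpgp.operator.jcajce.JcaPGPDigestCalculatorProviderBuilder
import org.bouncycastle.openpgp.operator.jcajce.JcePBEDataDecryptorFactoryBuilder
import org.bouncycastle.util.io.Streams
import java.security.Security

Security.addProvider(new BouncyCastleProvider())

/**
 * Decrypt one property value: Base64 text wrapping the raw gpg2 output.
 * Returns the plaintext bytes; throws on a wrong passphrase or a tampered message.
 */
byte[] decryptPgpString(String base64Ciphertext, char[] passphrase) {
    byte[] raw = Base64.getDecoder().decode(base64Ciphertext.trim())
    // getDecoderStream accepts both binary and ASCII-armoured gpg output
    def pgpIn = PGPUtil.getDecoderStream(new ByteArrayInputStream(raw))
    def factory = new JcaPGPObjectFactory(pgpIn)

    // The first packet may be a marker packet; the encrypted-data list follows it
    def obj = factory.nextObject()
    if (!(obj instanceof PGPEncryptedDataList)) {
        obj = factory.nextObject()
    }
    def encList = (PGPEncryptedDataList) obj

    // Find the passphrase-protected session-key packet (gpg2 --symmetric emits one)
    PGPPBEEncryptedData pbe = null
    Iterator packets = encList.getEncryptedDataObjects()
    while (packets.hasNext() && pbe == null) {
        def packet = packets.next()
        if (packet instanceof PGPPBEEncryptedData) {
            pbe = (PGPPBEEncryptedData) packet
        }
    }
    if (pbe == null) {
        throw new PGPException('no passphrase-encrypted packet: value was not made with gpg2 --symmetric')
    }

    // Derive the session key from the passphrase and open the decrypting stream
    def digestProvider = new JcaPGPDigestCalculatorProviderBuilder().setProvider('BC').build()
    def decryptorFactory = new JcePBEDataDecryptorFactoryBuilder(digestProvider)
            .setProvider('BC')
            .build(passphrase)
    def clear = pbe.getDataStream(decryptorFactory)

    // gpg compresses by default, so unwrap the compressed packet if one is present
    def plainFactory = new JcaPGPObjectFactory(clear)
    def message = plainFactory.nextObject()
    if (message instanceof PGPCompressedData) {
        plainFactory = new JcaPGPObjectFactory(((PGPCompressedData) message).getDataStream())
        message = plainFactory.nextObject()
    }
    if (!(message instanceof PGPLiteralData)) {
        throw new PGPException("unexpected packet type: ${message.getClass().simpleName}")
    }
    byte[] plaintext = Streams.readAll(((PGPLiteralData) message).getInputStream())

    // The MDC check is only valid once the literal data has been fully read
    if (pbe.isIntegrityProtected() && !pbe.verify()) {
        throw new PGPException('integrity check failed: wrong passphrase or modified ciphertext')
    }
    return plaintext
}

// Workstation usage (constructed): passphrase from the environment, the property
// value as the first argument, e.g. `groovy decrypt.groovy "$VALUE"`.
if (args) {
    char[] pw = (System.getenv('PGP_PASSPHRASE') ?: '').toCharArray()
    println new String(decryptPgpString(args[0], pw), 'UTF-8')
}
```

Besides avoiding temp files, this keeps the passphrase in a `char[]` inside the JVM instead of interpolating it into a shell command line, where `--passphrase $pw` is visible to anyone who can list processes on the agent and can end up in the Jenkins console log if the step's output or command echo is captured.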