Storing SSH Private Key in GitLab repository variables

Question

Using GitLab CI, I want to push production code to a remote webhost.

To connect with SSH, I am storing the key pair's private key in the variables of my GitLab repository. I've also copied the public key to the authorized keys of the server. This is (part of) my .gitlab-ci.yml.

image: ubuntu

before_script:
  # Setup SSH credentials and known host
  - which ssh-agent || ( apt-get update -y && apt-get install openssh-client -y )
  - mkdir -p ~/.ssh
  - echo "$SSH_PRIVATE" | tr -d '\r' > ~/.ssh/id_rsa
  - chmod 700 ~/.ssh/id_rsa
  - eval "$(ssh-agent -s)"
  - ssh-add ~/.ssh/id_rsa
  - echo "$SSH_KNOWN_HOSTS"
  - echo "$SSH_KNOWN_HOSTS" > ~/.ssh/known_hosts
  - chmod 644 ~/.ssh/known_hosts

This method works, but I'm questioning the security of it. Is my private key safe this way? How else can I achieve the result that I'm looking for?

EDIT: I'm particularly questioning the security of this method in a production environment.

Answer 1

The official example is in gitlab-examples/ssh-private-key

Its .gitlab-ci.yml uses a custom environment variable SSH_PRIVATE_KEY, as described in "How to simplify your smart home configuration with GitLab CI/CD / Preparing the server (and GitLab) for SSH access".

As long as that variable is masked, this should be secure enough.

---

sneaky suggests in the comments to create a pre-processing file:

cat id_rsa | base64 -w0 insert into script-part of your job in .gitlab-ci.yml:

mkdir -p ~/.ssh && echo "$SSH_PRIVATE_KEY" | \
  base64 -d > ${SSH_KEY_FILE} && chmod 0600 ${SSH_KEY_FILE}

Answer 2

I have been able to bypass this issue by encoding on origin the value and then decoding it on the fly.

On my Makefile:

KEY=$(shell base64 -w 0 private-key-file)

On .gitlab-ci.yml file:

- echo $SSH_PRIVATE_KEY | base64 -d |tr -d '\r' | ssh-add -

and then i call gitlab-runner

gitlab-runner exec docker ${build_target} --env 'SSH_PRIVATE_KEY=${KEY}'