I'd like to use travis-ci for one of my projects.

The project is an API wrapper, so many of the tests rely on the use of secret API keys. To test locally, I just store them as environment variables. What's a safe way to use those keys on Travis?

user94154

4 Answers

Travis has a feature to encrypt environment variables ("Encrypting environment variables"). This can be used to protect your secret API keys. I've successfully used this for my Heroku API key.

All you have to do is install the travis gem, encrypt the string you want and add the encrypted string to your .travis.yml. The encryption is only valid for one repository. The travis command gets your public key for your repo and can then decrypt the string during the build.

```shell
gem install --user travis
travis encrypt MY_SECRET_ENV=super_secret -r my_username/my_repo
```

This gives you the following output:

```text
Please add the following to your .travis.yml file:

  secure: "OrEeqU0z6GJdC6Sx/XI7AMiQ8NM9GwPpZkVDq6cBHcD6OlSppkSwm6JvopTR\newLDTdtbk/dxKurUzwTeRbplIEe9DiyVDCzEiJGfgfq7woh+GRo+q6+UIWLE\n3nowpI9AzXt7iBhoKhV9lJ1MROrnn4DnlKxAEUlHTDi4Wk8Ei/g="
```
Odi

  • Don't forget to document what variables you are using, and why, because once encrypted, only someone with the original keys can recover them. – jerseyboy Jul 20 '13 at 15:06
  • With the option `--add env.global` to the `travis` command, it will amend your .travis.yml automatically. – Thomas Sep 30 '15 at 10:59
  • What if I were using a config.py to store all my API keys and using ConfigParser() to parse them? Does this mean that I have to change my code to look for these unique values? – lordlabakdas Feb 23 '17 at 19:08
  • @lordlabakdas I don't know what you mean with "unique values", but if you would use a config.py to store all your API keys, then this file would be in your repository in order for Travis to access it. And it's generally a bad idea to store sensitive information like passwords or API keys in the repository. That's why there is this mechanism of encrypting environment variables. – Odi Mar 09 '17 at 21:56
  • How can I use these encrypted variables? – mosaad Jun 29 '17 at 20:52
  • @mosaad you can use these values as normal environment variables (i.e. access them in your code); Travis decrypts them at the beginning of each build. – Odi Jul 01 '17 at 02:53
  • Anyone with the ability to trigger your build can access these keys decrypted. For instance, you could use the "debug build" feature to ssh into the build machine and simply echo the "secure" environment variable. – carlin.scott Apr 05 '18 at 23:49
  • @carlin.scott yes, but this is not true for [pull requests from forks](https://docs.travis-ci.com/user/pull-requests#Pull-Requests-and-Security-Restrictions). And if someone has write access to a repository, you should trust them to have this information. But certainly a good point! – Odi Apr 07 '18 at 06:26
  • @Odi I am thinking this is safe for public git repos also (exposing encrypted keys). Is this true? – Ram Idavalapati Aug 20 '18 at 05:10
  • @RamIdavalapati: since the secrets are encrypted, this is considered safe, yes. – Odi Sep 09 '18 at 13:18
  • If TravisCI was hacked, can that person obtain the `SECRET_ENV`? – Ramesh-X Nov 11 '19 at 08:28
  • @Ramesh-X: yes, since this encryption is for TravisCI. If someone has control over TravisCI, they could obtain SECRET_ENV. – Odi Nov 12 '19 at 09:59
  • The travis gem is very difficult to install (at least on MacOS). Is there a "manual" alternative? – Michael Goerz Dec 26 '19 at 03:55
  • @Michael Goerz: Yes, simply [add the env variables via the Travis web interface](https://docs.travis-ci.com/user/environment-variables/#defining-variables-in-repository-settings) – Odi Dec 27 '19 at 05:57
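The mechanism behind the answer above, as an added example that is neither part of the original answer nor the travis gem's own code: a throwaway RSA key pair generated locally stands in for the per-repository key Travis holds (an assumption; `travis encrypt` fetches the real public key from Travis), the `MY_SECRET_ENV=super_secret` assignment is encrypted the way the gem does it (RSA PKCS#1 v1.5, then base64 wrapped at 60 characters, matching the output shown), and decrypting with a different key fails, which is why a `secure:` value is only valid for one repository.

```ruby
require 'openssl'
require 'base64'

# Stand-in for the per-repository RSA key pair that Travis keeps. Travis publishes
# only the public half; the private half never leaves Travis. Constructed here for
# illustration only.
REPO_KEY = OpenSSL::PKey::RSA.new(2048)

# Client side (what `travis encrypt KEY=value -r owner/repo` does): encrypt the
# "KEY=value" string with the repository's public key and base64 it so it can be
# pasted under `secure:` in .travis.yml. Anyone can encrypt, only Travis can decrypt.
def travis_encrypt(assignment, public_key)
  Base64.strict_encode64(public_key.public_encrypt(assignment))
end

# Build side (Travis): decrypt the blob with the private key and parse it back into
# an environment assignment. Returns nil when the blob was not produced for this
# key, so a `secure:` value copied from another repository yields nothing.
def travis_decrypt(blob, private_key)
  plain = private_key.private_decrypt(Base64.strict_decode64(blob))
  name, value = plain.split('=', 2)
  return nil if name.nil? || value.nil? || name !~ /\A[A-Za-z_][A-Za-z0-9_]*\z/
  { name => value }
rescue OpenSSL::PKey::RSAError, ArgumentError
  nil
end

# The YAML line the gem prints: base64 wrapped every 60 characters, with the
# line breaks written as literal "\n" inside the double-quoted YAML scalar.
def secure_yaml_line(blob)
  wrapped = blob.scan(/.{1,60}/).join('\\n')
  "  secure: \"#{wrapped}\""
end

if __FILE__ == $0
  blob = travis_encrypt('MY_SECRET_ENV=super_secret', REPO_KEY.public_key)
  puts 'Please add the following to your .travis.yml file:'
  puts secure_yaml_line(blob)
  p travis_decrypt(blob, REPO_KEY)                      # {"MY_SECRET_ENV"=>"super_secret"}
  p travis_decrypt(blob, OpenSSL::PKey::RSA.new(2048))  # nil: bound to one repository's key
end
```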
According to this in the Travis CI documentation, it's said that:

If you have both the Heroku and Travis CI command line clients installed, you can get your key, encrypt it and add it to your .travis.yml by running the following command from your project directory:

```shell
travis encrypt $(heroku auth:token) --add deploy.api_key
```

Refer to the following tutorial to install the Heroku client for your OS.

Espoir Murhabazi
You can also define secret variables in repository settings:

Variables defined in repository settings are the same for all builds, and when you restart an old build, it uses the latest values. These variables are not automatically available to forks.

Define variables in the Repository Settings that:

  • differ per repository.
  • contain sensitive data, such as third-party credentials.

To define variables in Repository Settings, make sure you’re logged in, navigate to the repository in question, choose “Settings” from the cog menu, and click on “Add new variable” in the “Environment Variables” section.

pomber

  • Didn't understand how to create *secret* variables. When googling that, results explain how to encrypt. – XedinUnknown Aug 12 '17 at 16:44
  • @XedinUnknown This can be used for secret variables. From the link: "By default, the value of these new environment variables is hidden from the export line in the logs. This corresponds to the behavior of encrypted variables in your .travis.yml. The variables are stored encrypted in our systems, and get decrypted when the build script is generated." – bmaupin Jan 25 '18 at 18:28
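Because neither repository-settings variables nor `secure:` values are handed to builds of pull requests from forks, a build can start with no decrypted secrets at all; as an added example (not from any of the answers above), this decides whether the key-dependent tests can run, using the Travis build variables TRAVIS_SECURE_ENV_VARS and TRAVIS_PULL_REQUEST, and logs only a fingerprint of the key rather than its value. The secret name MY_SECRET_ENV follows the first answer, and the `env` parameter defaulting to ENV is an assumption so the logic can be exercised offline.

```ruby
require 'digest'

# Travis sets TRAVIS_SECURE_ENV_VARS=false when it will not decrypt the `secure:`
# values (pull requests from forks), so an API-key test suite should check this
# before it starts rather than fail on an empty key.
def secrets_available?(env = ENV, secret: 'MY_SECRET_ENV')
  return false unless env['TRAVIS_SECURE_ENV_VARS'] == 'true'
  # Belt and braces: the variable itself must be present and non-empty.
  !env[secret].to_s.empty?
end

# Log a fingerprint, never the key: the build log then shows which key was used
# without ever containing the key (debug builds and `echo` would print it).
def secret_fingerprint(value)
  Digest::SHA256.hexdigest(value)[0, 12]
end

# Returns the one-line plan the build step would print before running tests.
def plan_test_run(env = ENV, secret: 'MY_SECRET_ENV')
  pr = env['TRAVIS_PULL_REQUEST'].to_s   # "false" for branch builds, the PR number otherwise
  if secrets_available?(env, secret: secret)
    "secrets present (fingerprint #{secret_fingerprint(env[secret])}): running API tests"
  elsif !pr.empty? && pr != 'false'
    "pull request ##{pr} built without decrypted secrets (fork?): running offline tests only"
  else
    "no secrets in this environment: running offline tests only"
  end
end

puts plan_test_run if __FILE__ == $0
```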
Use a different set of API keys and do it the same way. Your travis box gets set up for your build run and then completely torn down again after your build has finished. You have root access to your box during the build, so you can do whatever you want with it.

markus

  • What do you mean by "do it the same way"? I don't really like the idea of storing API keys in the repo itself (i.e. in the .travis.yml file), but there doesn't seem to be another way to configure environment variables on travis. – BM5k Jul 11 '12 at 05:15
  • The env variable will get encrypted with a public key, so only the owner of the secret key can decrypt it. You should not use an important token. In my case I used the one which travis already had for GitHub. This worked quite well, and from within GitHub I can revoke that token whenever I feel travis to be a risk. Having the encrypted token in my repo doesn't make me sleep badly. https://github.com/ecki/GCViewer/blob/topic-ciupload/.travis.yml – eckes Feb 19 '13 at 01:17