Sometimes you need to store sensitive information in your repositories.
The secure-file utility encrypts and decrypts arbitrary files with the Rijndael (AES) cipher. It lets you store sensitive data (SSH keys, certificates, etc.) in the source control repository in encrypted form and decrypt it during the build.
High-level scenario of using this utility in the AppVeyor CI environment:
System requirements:
Download the secure-file utility by running the following command on your development machine (the first command in PowerShell on Windows, the second in bash on Linux):
iex ((New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/appveyor/secure-file/master/install.ps1'))
curl -sflL 'https://raw.githubusercontent.com/appveyor/secure-file/master/install.sh' | bash -e -
To encrypt a file (first command on Windows, second on Linux):
appveyor-tools\secure-file -encrypt C:\path-to\filename-to-encrypt.ext -secret MYSECRET1234
./appveyor-tools/secure-file -encrypt /path-to/filename-to-encrypt.ext -secret MYSECRET1234
The encrypted file is saved in the same directory as the input file, with the .enc extension added. You can optionally specify the output file name with the -out parameter. When encrypting, the utility also prints the generated salt to the console so that you can store it; the salt is required for decryption.
After that, commit the encrypted file to source control.
Put the secret value and the Base64-encoded salt value in the Environment tab of the project settings, or in appveyor.yml as secure variables:
environment:
  my_secret:
    secure: BSNfEghh/l4KAC3jAcwAjgTibl6UHcZ08ppSFBieQ8E=
  my_salt:
    secure: H/jNH0Wk6Vs7yLu2BDGCve/8VpHrK54Ry7WTPRqf0OKPeFMPY/qxAD0HDY/2lECY6xOS40LozjLgtLkAZdPdHg==
To decrypt the file, add these lines to the install section of your project config:
install:
  - ps: iex ((New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/appveyor/secure-file/master/install.ps1'))
  - cmd: appveyor-tools\secure-file -decrypt path-to\encrypted-filename.ext.enc -secret %my_secret% -salt %my_salt%
  - sh: ./appveyor-tools/secure-file -decrypt path-to/encrypted-filename.ext.enc -secret $my_secret -salt $my_salt
The line starting with cmd: runs on Windows-based images only, and the line starting with sh: runs on Linux images only.
Note that the file will not be decrypted on pull request builds, because secure variables are not set during PR builds.
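The secret-plus-salt scheme the steps above describe, as an added example in Go that is not secure-file's own code and makes no claim of compatibility with its file format. It assumes PBKDF2-HMAC-SHA256 with 100000 iterations to turn the secret and salt into an AES-256 key, AES-GCM as the cipher mode (the page says only "Rijndael", the cipher AES is based on), a 16-byte random salt, and a file layout of nonce followed by ciphertext and tag; the Encrypt/Decrypt names and the sample key text are constructed for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
)

// Parameters of this illustration (assumptions, not secure-file's documented settings).
const (
	saltLen    = 16     // bytes of random salt the user must store as a secure variable
	iterations = 100000 // PBKDF2 work factor
	keyLen     = 32     // AES-256 key
)

// pbkdf2SHA256 implements PBKDF2 with HMAC-SHA256 (RFC 8018) on the standard library only.
func pbkdf2SHA256(secret, salt []byte, iter, length int) []byte {
	var out []byte
	for block := uint32(1); len(out) < length; block++ {
		mac := hmac.New(sha256.New, secret)
		mac.Write(salt)
		mac.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := mac.Sum(nil)              // U1
		t := append([]byte(nil), u...) // running XOR of U1..Uc
		for i := 1; i < iter; i++ {
			mac = hmac.New(sha256.New, secret)
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:length]
}

// aead derives the AES-256 key from secret and salt and wraps it in GCM.
func aead(secret string, salt []byte) (cipher.AEAD, error) {
	key := pbkdf2SHA256([]byte(secret), salt, iterations, keyLen)
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt mirrors "secure-file -encrypt": it generates a fresh salt, derives the key
// and returns nonce||ciphertext||tag plus the salt the caller has to keep.
func Encrypt(plaintext []byte, secret string) (ciphertext, salt []byte, err error) {
	salt = make([]byte, saltLen)
	if _, err = rand.Read(salt); err != nil {
		return nil, nil, err
	}
	gcm, err := aead(secret, salt)
	if err != nil {
		return nil, nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), salt, nil
}

// Decrypt mirrors "secure-file -decrypt -secret ... -salt ...". Both values normally come
// from secure variables, which are empty on pull request builds, so that case fails early.
func Decrypt(ciphertext []byte, secret, saltB64 string) ([]byte, error) {
	if secret == "" || saltB64 == "" {
		return nil, errors.New("secret or salt is empty: secure variables are not available in this build")
	}
	salt, err := base64.StdEncoding.DecodeString(saltB64)
	if err != nil {
		return nil, fmt.Errorf("salt is not valid Base64: %w", err)
	}
	gcm, err := aead(secret, salt)
	if err != nil {
		return nil, err
	}
	if len(ciphertext) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, sealed := ciphertext[:gcm.NonceSize()], ciphertext[gcm.NonceSize():]
	// Open fails on a wrong secret, a wrong salt, or any modification of the file.
	return gcm.Open(nil, nonce, sealed, nil)
}

func main() {
	// Constructed sample input; not a real key.
	sample := []byte("-----BEGIN OPENSSH PRIVATE KEY-----\n(constructed sample)\n")
	ct, salt, err := Encrypt(sample, "MYSECRET1234")
	if err != nil {
		panic(err)
	}
	saltB64 := base64.StdEncoding.EncodeToString(salt)
	fmt.Println("store this salt as a secure variable:", saltB64)
	pt, err := Decrypt(ct, "MYSECRET1234", saltB64)
	fmt.Printf("decrypted %d bytes, err=%v\n", len(pt), err)
	_, err = Decrypt(ct, "MYSECRET1234", "") // what a pull request build would see
	fmt.Println("with empty secure variables:", err)
}
```

Decrypt follows the install step: the secret and the Base64 salt arrive as environment values, and an empty one, which is what a pull request build gets, is rejected before any key is derived. Only the encrypted output belongs in the repository; the plaintext, the secret and the salt stay out of source control.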