Securing continuous-deployment private keys with a public GitHub repository and Travis Encrypt
Great question—securing secrets in a public repo is critical, and Travis CI has solid tools to handle this alongside Capistrano. Let’s break this down into two clear parts: keeping your private keys safe, and which files you should (and shouldn’t) commit to GitHub.
Securing Private Keys in Travis CI
Travis offers two primary methods to protect sensitive data like SSH private keys, so you never have to commit unencrypted secrets to your public repo.
1. Encrypted Environment Variables
This is ideal if you want to store your private key as a variable rather than a file. Here’s how it works:
- Install the Travis CLI tool if you haven’t already.
- Run the following command to encrypt your private key content and add it directly to your `.travis.yml`:

  ```shell
  travis encrypt DEPLOY_PRIVATE_KEY="$(cat ~/.ssh/your_deploy_key)" --add
  ```

- Alternatively, you can add the variable via the Travis web dashboard: go to your repo’s settings, navigate to "Environment Variables", and paste the private key content there. Make sure to leave "Display value in build log" unchecked—this ensures the secret stays hidden even in build outputs.
- In your `deploy.rb`, access this variable with `ENV['DEPLOY_PRIVATE_KEY']`. You’ll need to write it to a temporary file on the build machine during the build so Capistrano can use it for SSH access. Note that the file has to be written locally (with `run_locally`) rather than uploaded to the servers, because Capistrano needs the key before it can open any SSH connection:

  ```ruby
  # config/deploy.rb
  # Point Capistrano at the key file written below; no agent forwarding needed.
  set :ssh_options, { keys: ["/tmp/deploy_key"], forward_agent: false }

  before "deploy:starting", "deploy:create_deploy_key"

  namespace :deploy do
    desc "Write the deploy key from the encrypted env var to a local temp file"
    task :create_deploy_key do
      # Runs on the Travis build machine, not on the target servers.
      run_locally do
        key = ENV.fetch("DEPLOY_PRIVATE_KEY") # fails loudly if the secure var is missing
        File.write("/tmp/deploy_key", key, perm: 0o600)
        File.chmod(0o600, "/tmp/deploy_key") # SSH refuses keys that are group/world readable
      end
    end
  end
  ```
2. Encrypted Private Key Files
If you prefer to work with a physical key file (instead of a variable), use Travis’s encrypted file feature:
- Run this command to encrypt your private key file:

  ```shell
  travis encrypt-file ~/.ssh/your_deploy_key
  ```

- This generates an encrypted version of your key (e.g., `your_deploy_key.enc`) and outputs a decryption command that you’ll need to add to the `before_install` section of your `.travis.yml`.
- Commit the encrypted `your_deploy_key.enc` file to GitHub, but delete or ignore the original unencrypted key.
- The decryption command uses a secure key and IV stored by Travis, so only your builds can decrypt the file during deployment.
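The following `.travis.yml` shows how the pieces of the encrypted-file method fit together: decrypting the committed `.enc` file in `before_install`, locking down its permissions, and handing off to Capistrano. It is an added example, not configuration from the original answer; the `XXXXXXXXXXXX` id, the key filename and the `cap production deploy` command are placeholders (the real id is printed by `travis encrypt-file`).

```yaml
# .travis.yml (added example; ids and filenames are placeholders)
language: ruby
rvm:
  - 2.7

before_install:
  # Decrypt your_deploy_key.enc with the key and IV that Travis injects as
  # encrypted env vars. Travis prints this exact command (with the real id
  # in place of XXXXXXXXXXXX) when you run `travis encrypt-file`.
  # Only the variable names appear in the build log, never their values.
  - openssl aes-256-cbc -K $encrypted_XXXXXXXXXXXX_key -iv $encrypted_XXXXXXXXXXXX_iv -in your_deploy_key.enc -out /tmp/deploy_key -d
  # SSH will refuse a private key readable by anyone but the owner.
  - chmod 600 /tmp/deploy_key

script:
  - bundle exec rake test

deploy:
  provider: script
  # Keep the workspace (including the decrypted key) for the deploy step.
  skip_cleanup: true
  # Capistrano reads /tmp/deploy_key via set :ssh_options in deploy.rb.
  script: bundle exec cap production deploy
  on:
    branch: master

after_script:
  # Remove the plaintext key once the job is done.
  - rm -f /tmp/deploy_key
```

The `deploy` step only runs on `master`, so pull-request builds from forks never reach the decryption or deployment stages with your key.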
Key Best Practices
- Use dedicated deploy keys: Create a separate SSH key pair just for deployment (not your personal key). Add the public key to your server’s `authorized_keys` and restrict its permissions (e.g., no shell access) to minimize risk if it’s ever compromised.
- Rotate keys regularly: Set a schedule to generate new deploy keys every few months, or immediately if you suspect a breach.
- Avoid hardcoding secrets: Never put passwords, API tokens, or private keys directly in `deploy.rb` or `.travis.yml`—always use encrypted variables or files.
Which Files to Commit to GitHub
Let’s clarify exactly what should (and shouldn’t) go into your public repo:
Must Commit
- `.travis.yml`: This contains your build and deployment configuration, including encrypted variables or decryption commands for encrypted files.
- `deploy.rb` and Capistrano configs (e.g., `config/deploy/production.rb`): Just make sure these files don’t have hardcoded secrets—use `ENV['VAR_NAME']` for any sensitive values.
- Encrypted files: Like `your_deploy_key.enc` (the encrypted version of your private key).
Never Commit
- Unencrypted private keys, passwords, or API tokens: These will be exposed to anyone viewing your public repo.
- `config/database.yml` (production credentials): Use environment variables for database connections instead, and keep the production config out of version control.
- Any other sensitive files that contain production secrets or credentials.
Final Check
Before pushing your changes, run a test build on Travis to verify that the decryption works correctly and Capistrano can access your server without exposing secrets in the build logs. This will help catch any misconfigurations early.
The question was originally asked on Stack Exchange by user2099762.