| James E. Blair | eff5a9d | 2017-06-20 00:00:37 -0700 | [diff] [blame] | 1 | :title: Encryption |
| 2 | |
| 3 | .. _encryption: |
| 4 | |
| 5 | Encryption |
| 6 | ========== |
| 7 | |
| 8 | Zuul supports storing encrypted data directly in the git repositories |
| 9 | of projects it operates on. If you have a job which requires private |
| 10 | information in order to run (e.g., credentials to interact with a |
| 11 | third-party service) those credentials can be stored along with the |
| 12 | job definition. |
| 13 | |
| 14 | Each project in Zuul has its own automatically generated RSA keypair |
| 15 | which can be used by anyone to encrypt a secret and only Zuul is able |
| 16 | to decrypt it. Zuul serves each project's public key using its |
| 17 | build-in webserver. They can be fetched at the path |
| James E. Blair | 3f42c53 | 2017-09-15 20:12:30 -0600 | [diff] [blame] | 18 | ``/<tenant>/<project>.pub`` where ``<project>`` is the canonical name |
| 19 | of a project and ``<tenant>`` is the name of a tenant with that project. |
| James E. Blair | eff5a9d | 2017-06-20 00:00:37 -0700 | [diff] [blame] | 20 | |
| 21 | Zuul currently supports one encryption scheme, PKCS#1 with OAEP, which |
| James E. Blair | 9118c01 | 2017-08-03 11:19:16 -0700 | [diff] [blame] | 22 | can not store secrets longer than the 3760 bits (derived from the key |
| 23 | length of 4096 bits minus 336 bits of overhead). The padding used by |
| 24 | this scheme ensures that someone examining the encrypted data can not |
| 25 | determine the length of the plaintext version of the data, except to |
| 26 | know that it is not longer than 3760 bits (or some multiple thereof). |
| James E. Blair | eff5a9d | 2017-06-20 00:00:37 -0700 | [diff] [blame] | 27 | |
| 28 | In the config files themselves, Zuul uses an extensible method of |
| 29 | specifying the encryption scheme used for a secret so that other |
| 30 | schemes may be added later. To specify a secret, use the |
| 31 | ``!encrypted/pkcs1-oaep`` YAML tag along with the base64 encoded |
| James E. Blair | 9118c01 | 2017-08-03 11:19:16 -0700 | [diff] [blame] | 32 | value. For example: |
| 33 | |
| 34 | .. code-block:: yaml |
| James E. Blair | eff5a9d | 2017-06-20 00:00:37 -0700 | [diff] [blame] | 35 | |
| 36 | - secret: |
| 37 | name: test_secret |
| 38 | data: |
| 39 | password: !encrypted/pkcs1-oaep | |
| James E. Blair | 9118c01 | 2017-08-03 11:19:16 -0700 | [diff] [blame] | 40 | BFhtdnm8uXx7kn79RFL/zJywmzLkT1GY78P3bOtp4WghUFWobkifSu7ZpaV4NeO0s71YUsi |
| James E. Blair | eff5a9d | 2017-06-20 00:00:37 -0700 | [diff] [blame] | 41 | ... |
| 42 | |
| James E. Blair | 9118c01 | 2017-08-03 11:19:16 -0700 | [diff] [blame] | 43 | To support secrets longer than 3760 bits, the value after the |
| 44 | encryption tag may be a list rather than a scalar. For example: |
| 45 | |
| 46 | .. code-block:: yaml |
| 47 | |
| 48 | - secret: |
| 49 | name: long_secret |
| 50 | data: |
| 51 | password: !encrypted/pkcs1-oaep |
| 52 | - er1UXNOD3OqtsRJaP0Wvaqiqx0ZY2zzRt6V9vqIsRaz1R5C4/AEtIad/DERZHwk3Nk+KV |
| 53 | ... |
| 54 | - HdWDS9lCBaBJnhMsm/O9tpzCq+GKRELpRzUwVgU5k822uBwhZemeSrUOLQ8hQ7q/vVHln |
| 55 | ... |
| 56 | |
| James E. Blair | eff5a9d | 2017-06-20 00:00:37 -0700 | [diff] [blame] | 57 | Zuul provides a standalone script to make encrypting values easy; it |
| 58 | can be found at `tools/encrypt_secret.py` in the Zuul source |
| 59 | directory. |
| 60 | |
| 61 | .. program-output:: python3 ../../tools/encrypt_secret.py --help |
| 62 | |