| James E. Blair | eff5a9d | 2017-06-20 00:00:37 -0700 | [diff] [blame] | 1 | :title: Encryption |
| 2 | |
| 3 | .. _encryption: |
| 4 | |
| 5 | Encryption |
| 6 | ========== |
| 7 | |
| 8 | Zuul supports storing encrypted data directly in the git repositories |
| 9 | of projects it operates on. If you have a job which requires private |
| 10 | information in order to run (e.g., credentials to interact with a |
| 11 | third-party service) those credentials can be stored along with the |
| 12 | job definition. |
| 13 | |
| 14 | Each project in Zuul has its own automatically generated RSA keypair |
| 15 | which can be used by anyone to encrypt a secret and only Zuul is able |
| 16 | to decrypt it. Zuul serves each project's public key using its |
| 17 | build-in webserver. They can be fetched at the path |
| 18 | ``/keys/<source>/<project>.pub`` where ``<project>`` is the name of a |
| 19 | project and ``<source>`` is the name of that project's connection in |
| 20 | the main Zuul configuration file. |
| 21 | |
| 22 | Zuul currently supports one encryption scheme, PKCS#1 with OAEP, which |
| James E. Blair | 9118c01 | 2017-08-03 11:19:16 -0700 | [diff] [blame] | 23 | can not store secrets longer than the 3760 bits (derived from the key |
| 24 | length of 4096 bits minus 336 bits of overhead). The padding used by |
| 25 | this scheme ensures that someone examining the encrypted data can not |
| 26 | determine the length of the plaintext version of the data, except to |
| 27 | know that it is not longer than 3760 bits (or some multiple thereof). |
| James E. Blair | eff5a9d | 2017-06-20 00:00:37 -0700 | [diff] [blame] | 28 | |
| 29 | In the config files themselves, Zuul uses an extensible method of |
| 30 | specifying the encryption scheme used for a secret so that other |
| 31 | schemes may be added later. To specify a secret, use the |
| 32 | ``!encrypted/pkcs1-oaep`` YAML tag along with the base64 encoded |
| James E. Blair | 9118c01 | 2017-08-03 11:19:16 -0700 | [diff] [blame] | 33 | value. For example: |
| 34 | |
| 35 | .. code-block:: yaml |
| James E. Blair | eff5a9d | 2017-06-20 00:00:37 -0700 | [diff] [blame] | 36 | |
| 37 | - secret: |
| 38 | name: test_secret |
| 39 | data: |
| 40 | password: !encrypted/pkcs1-oaep | |
| James E. Blair | 9118c01 | 2017-08-03 11:19:16 -0700 | [diff] [blame] | 41 | BFhtdnm8uXx7kn79RFL/zJywmzLkT1GY78P3bOtp4WghUFWobkifSu7ZpaV4NeO0s71YUsi |
| James E. Blair | eff5a9d | 2017-06-20 00:00:37 -0700 | [diff] [blame] | 42 | ... |
| 43 | |
| James E. Blair | 9118c01 | 2017-08-03 11:19:16 -0700 | [diff] [blame] | 44 | To support secrets longer than 3760 bits, the value after the |
| 45 | encryption tag may be a list rather than a scalar. For example: |
| 46 | |
| 47 | .. code-block:: yaml |
| 48 | |
| 49 | - secret: |
| 50 | name: long_secret |
| 51 | data: |
| 52 | password: !encrypted/pkcs1-oaep |
| 53 | - er1UXNOD3OqtsRJaP0Wvaqiqx0ZY2zzRt6V9vqIsRaz1R5C4/AEtIad/DERZHwk3Nk+KV |
| 54 | ... |
| 55 | - HdWDS9lCBaBJnhMsm/O9tpzCq+GKRELpRzUwVgU5k822uBwhZemeSrUOLQ8hQ7q/vVHln |
| 56 | ... |
| 57 | |
| James E. Blair | eff5a9d | 2017-06-20 00:00:37 -0700 | [diff] [blame] | 58 | Zuul provides a standalone script to make encrypting values easy; it |
| 59 | can be found at `tools/encrypt_secret.py` in the Zuul source |
| 60 | directory. |
| 61 | |
| 62 | .. program-output:: python3 ../../tools/encrypt_secret.py --help |
| 63 | |