:title: Encryption

.. _encryption:

Encryption
==========

Zuul supports storing encrypted data directly in the git repositories
of projects it operates on. If you have a job which requires private
information in order to run (e.g., credentials to interact with a
third-party service) those credentials can be stored along with the
job definition.

Each project in Zuul has its own automatically generated RSA keypair
which can be used by anyone to encrypt a secret, and only Zuul is able
to decrypt it. Zuul serves each project's public key using its
built-in webserver. They can be fetched at the path
``/keys/<source>/<project>.pub`` where ``<project>`` is the name of a
project and ``<source>`` is the name of that project's connection in
the main Zuul configuration file.

21
22Zuul currently supports one encryption scheme, PKCS#1 with OAEP, which
23can not store secrets longer than the key length, 4096 bits. The
24padding used by this scheme ensures that someone examining the
25encrypted data can not determine the length of the plaintext version
26of the data, except to know that it is not longer than 4096 bits.
27
In the config files themselves, Zuul uses an extensible method of
specifying the encryption scheme used for a secret so that other
schemes may be added later. To specify a secret, use the
``!encrypted/pkcs1-oaep`` YAML tag along with the base64 encoded
value. For example::

  - secret:
      name: test_secret
      data:
        password: !encrypted/pkcs1-oaep |
          BFhtdnm8uXx7kn79RFL/zJywmzLkT1GY78P3bOtp4WghUFWobkifSu7ZpaV4NeO0s71YUsi1wGZZ
          ...

Zuul provides a standalone script to make encrypting values easy; it
can be found at ``tools/encrypt_secret.py`` in the Zuul source
directory.

.. program-output:: python3 ../../tools/encrypt_secret.py --help

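The following is an added example, not Zuul's own ``tools/encrypt_secret.py`` or any code from the Zuul project. It walks through the scheme described above: encrypt a value with a project's RSA public key using PKCS#1 OAEP, base64 the result, and lay it out as the ``!encrypted/pkcs1-oaep`` YAML block. It also demonstrates the two properties the text states: the OAEP plaintext limit and the fixed ciphertext size that hides the plaintext length. It assumes the ``cryptography`` package is installed, that the OAEP hash is SHA-1 (the PKCS#1 v2 default), and it generates a local 4096-bit keypair to stand in for the key Zuul serves at ``/keys/<source>/<project>.pub``.

```python
"""Added example, not Zuul's tools/encrypt_secret.py: PKCS#1 OAEP encryption
of a job secret with a project public key, rendered as Zuul's YAML tag.

Assumptions: the `cryptography` package is installed; the OAEP hash is SHA-1;
the keypair generated here stands in for the one Zuul serves over HTTP."""
import base64
import textwrap

from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa

KEY_BITS = 4096
OAEP_HASH = hashes.SHA1  # assumption: hash used with the pkcs1-oaep scheme


def _oaep():
    # A fresh padding object per call; MGF1 and label hash are the same.
    return padding.OAEP(mgf=padding.MGF1(algorithm=OAEP_HASH()),
                        algorithm=OAEP_HASH(), label=None)


def generate_project_key():
    """Stand-in for the per-project keypair Zuul generates automatically."""
    return rsa.generate_private_key(public_exponent=65537, key_size=KEY_BITS)


def public_key_pem(private_key) -> bytes:
    """PEM form of the public key, as a client would fetch it from Zuul."""
    return private_key.public_key().public_bytes(
        serialization.Encoding.PEM,
        serialization.PublicFormat.SubjectPublicKeyInfo)


def max_plaintext_len(public_key) -> int:
    """OAEP limit: k - 2*hLen - 2 bytes for a k-byte modulus (RFC 8017 7.1.1)."""
    k = (public_key.key_size + 7) // 8
    return k - 2 * OAEP_HASH.digest_size - 2


def encrypt_secret(public_pem: bytes, plaintext: bytes) -> str:
    """Encrypt with the project's public key and return the base64 blob.

    Raises ValueError when the plaintext exceeds the OAEP limit, which is
    the failure mode a user hits with a secret that is too long."""
    public_key = serialization.load_pem_public_key(public_pem)
    ciphertext = public_key.encrypt(plaintext, _oaep())
    return base64.b64encode(ciphertext).decode("ascii")


def decrypt_secret(private_key, blob: str) -> bytes:
    """Zuul's side: only the holder of the private key can recover the value."""
    return private_key.decrypt(base64.b64decode(blob), _oaep())


def oversized_plaintext_rejected(public_pem: bytes, length: int) -> bool:
    """True if OAEP refuses a constructed plaintext of the given length."""
    try:
        encrypt_secret(public_pem, b"x" * length)
    except ValueError:
        return True
    return False


def render_secret_yaml(name: str, field: str, blob: str) -> str:
    """Lay the blob out as the YAML literal block shown in the docs."""
    lines = textwrap.wrap(blob, 76)  # base64 has no spaces; wrap splits it
    body = "\n".join("          " + line for line in lines)
    return (f"- secret:\n    name: {name}\n    data:\n"
            f"      {field}: !encrypted/pkcs1-oaep |\n{body}\n")


if __name__ == "__main__":
    key = generate_project_key()
    pem = public_key_pem(key)
    blob = encrypt_secret(pem, b"hunter2")  # constructed sample secret
    print(render_secret_yaml("test_secret", "password", blob))
    print("plaintext limit:", max_plaintext_len(key.public_key()), "bytes;",
          "ciphertext:", len(base64.b64decode(blob)), "bytes")
    assert decrypt_secret(key, blob) == b"hunter2"
```

Every ciphertext from a 4096-bit key is exactly 512 bytes regardless of whether the secret is 7 bytes or 470, which is what lets an observer of the repository learn only an upper bound on the plaintext length; anything longer than the OAEP limit must be split across several secret fields or delivered another way rather than encrypted in one block.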