24

I have .travis.yml with some secure (encrypted) env variables. Now I need to descrypt those variables to use them in different project.

Is there easy way of doing this (except triggering a commit and printing them in console output)?

robd
user606521

3 Answers

33

You can't decrypt locally from what I understand but you can recover the key/values. By nature, they have to be decrypted to be used during the build process.

  1. Go to your last build of your current project.
  2. Select "Debug Build"
  3. SSH into the instance using the provided user and host ***********@to2.tmate.io
  4. Once in the remote shell, run env.

This will print all of the environment variables so you will have to dig a little for your secure ones but they will be there.

Daniel Smith

  • More information about Travis CI debug builds: https://docs.travis-ci.com/user/running-build-in-debug-mode/ – hertzsprung Jun 24 '17 at 13:20
  • 5. You can directly use the decrypt command you have in your `.travis.yml` to reveal your secrets. Commands such as `openssl aes-256-cbc -K $encrypted_..._key -iv $encrypted_..._iv -in secrets.tar.enc -out secrets.tar -d` – R. Sep 02 '17 at 09:26
  • Thanks Daniel and @Rahman for pointing out a new possibility (although I have not quite figured out the "decrypt command" mentioned by Rahman yet - hopefully he would explain more, possibly as a separate answer). Nonetheless, do you folks happen to know whether your method still applies to retrieve an [encrypted deployment password](https://docs.travis-ci.com/user/deployment/pypi/) using [this way](https://docs.travis-ci.com/user/encryption-keys/#notifications-example), which means the plain text does not exist in an environment variable, so that you can not use `env` to get it, can you? – RayLuo Sep 04 '18 at 20:29
  • Rahman's example appears to be related to encrypted files. You probably just want to decrypt a value in the travis file. It should still work though. I don't know enough about openssl to tell you how to do this. I doubt my method will work for your case. – Daniel Smith Sep 05 '18 at 21:10
20

I don't think you can decrypt it. A public key is used to encrypt the data, and it can only be decrypted with the private key, which Travis doesn't provide.

evgeny.myasishchev
9

Daniel's answer here would probably work, but it relies on the Debug Mode of Travis CI, which is disabled for public repositories by default, due to security concerns.

There is actually another way to do it. It is inspired by, and simplified from this blog post "RECOVER LOST TRAVISCI VARIABLES – TWO WAYS".

Some explanation first:

  • Why is it possible? Because Travis-CI would have to decrypt it into plain text and set it as an environment variable for it to work on their machine. That is your chance to recover it.
  • Yet echo $SECRET would NOT reveal it in the console log, because Travis-CI scans all the stdout and filters that particular value. (Duh.) That's not a bad thing at all, because you won't want your recovered secret shown in a console log available to the world anyway. The solution is to encrypt it with another KNOWN_SECRET, with the help of the command line tool ccrypt, which you would need to install.
  • Lastly, you need another tool to encode the encrypted secret, for it to be shown as normal characters in the console log. The command line tool base64 comes in handy, as it is already available on Travis CI's build machines, and in your local git bash (if you are using git on Windows) or in your shell (if you are using Linux).

TL;DR: As easy as 1-2-3!

  1. Add or modify your .travis.yml to contain the following content.

```yaml
sudo: required
install:
  - sudo apt-get install -y ccrypt
  - echo "$UNKNOWN_SECRET" > info.txt       # the value Travis decrypted for this build
  - ccencrypt info.txt -K "$KNOWN_SECRET"   # writes info.txt.cpt, encrypted under a passphrase only you know
  - cat info.txt.cpt | base64 -w 0          # one printable line; the log filter does not recognise it
```

  2. Commit the above change to an experimental branch, and trigger a Travis CI run. Browse the console log to find that line of output, say, A1B2C3D4....

  3. On your local machine, run this:

```bash
echo 'A1B2C3D4...' | base64 -d > info.txt.cpt   # paste the line from the log; use quotes, not backticks, which the shell would execute
sudo apt-get install -y ccrypt  # If you haven't already
ccrypt -d info.txt.cpt          # plain ASCII hyphen in -d; an en dash (–d) is not the decrypt option and ccrypt would encrypt the file again
# When prompted, type in the KNOWN_SECRET, and then you will have info.txt in plain text
```
RayLuo

  • Thanks! While the accepted answer is not wrong, this is a way to bypass it, so in my opinion this should really be the accepted answer. – GManz Dec 28 '20 at 14:23
  • Thank you, that's an appropriate way to deal with sneaking lost secrets from Travis – Hamza Aug 07 '21 at 14:35
  • I tried this method... basically I have provided known_secret as "Test", which is a string, and unknown_secret is the one which I want to find out... but when I decrypt it using the command ccrypt –d info.txt.cpt, it creates info.txt.cpt.cpt which has some random characters... and no info.txt is created – harshal bhavsar Oct 06 '21 at 11:53
  • @harshalbhavsar Sounds like your usage of `ccrypt` was somehow incorrect and then you encrypted it twice? You can do a trial run locally to get it right first. – RayLuo Oct 25 '21 at 06:01
  • In my case, the keys and values are encrypted, which makes this seem impossible. I wish there was a way to just see the decrypted keys. – rushmarrs Jan 25 '23 at 15:54
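The recover-by-re-encrypting flow from RayLuo's answer, run end to end on one machine as an added example (not code from the answer or from Travis CI): openssl stands in for ccrypt so it runs where ccrypt is not installed (assumption: openssl 1.1.1 or later and GNU base64 are available), and a sed substitution stands in for the Travis log filter. The secret and passphrase are constructed sample values.

```shell
#!/bin/sh
set -eu

# "CI side": what the install steps in .travis.yml would write to the build log.
# $1 = the value the CI has decrypted (constructed sample), $2 = passphrase you know.
# openssl with a passphrase-derived key stands in for `ccencrypt -K`.
ci_side() {
  printf '%s' "$1" \
    | openssl enc -aes-256-cbc -pbkdf2 -salt -pass "pass:$2" \
    | base64 | tr -d '\n'        # one printable line, like `cat info.txt.cpt | base64`
}

# Simulated log filtering: Travis rewrites stdout that contains the secret value.
# $1 = a log line, $2 = the secret value being protected.
mask_log() {
  printf '%s\n' "$1" | sed "s/$2/[secure]/g"
}

# "Local side": paste the base64 line from the log, decode it and decrypt it
# with the passphrase (the `base64 -d` plus `ccrypt -d` step of the answer).
local_side() {
  printf '%s' "$1" | base64 -d \
    | openssl enc -d -aes-256-cbc -pbkdf2 -pass "pass:$2"
}

# Runs both halves and returns the recovered value, after checking that a
# plain `echo $SECRET` is filtered while the re-encrypted line survives untouched.
round_trip() {
  secret='s3cr3t-token-ABC123'   # constructed; plays the role of $UNKNOWN_SECRET
  known='correct horse'          # constructed; plays the role of $KNOWN_SECRET
  plain_log=$(mask_log "$secret" "$secret")   # what `echo $SECRET` shows in the log
  enc_line=$(ci_side "$secret" "$known")
  enc_log=$(mask_log "$enc_line" "$secret")   # ciphertext contains no copy of the secret
  [ "$plain_log" = "[secure]" ] || return 1
  [ "$enc_log" = "$enc_line" ] || return 1
  local_side "$enc_log" "$known"
}

round_trip   # prints s3cr3t-token-ABC123
```

The same property cuts both ways: output filtering is not a control against whoever can change the build config of a job that receives the secret, so secrets should only be exposed to builds you trust.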