
I would like to find a way to store encrypted files in my GitHub repository that Heroku can decrypt on-the-fly (it's not env vars but plain old .csv files).

I used git-crypt successfully on my machine but it seems that I cannot add a gpg key to heroku.

When I connect to heroku-cli and I try to create a gpg key using `heroku run gpg --gen-key` I got the following error:

```
gpg: signing failed: Inappropriate ioctl for device
```

Anyhow, I'm not even sure git-crypt is the right way to go, so feel free to give me any other alternative solution.

Kruupös
  • What's in the file you want to encrypt? Heroku generally recommends storing configuration, including sensitive things like API keys and database credentials, in the environment. – ChrisGPT was on strike Jun 25 '19 at 01:01
  • (And its ephemeral filesystem makes `git-crypt` a bad fit.) – ChrisGPT was on strike Jun 25 '19 at 01:01
  • @Chris plain text files like `csv`'s, and I'm already using Heroku env vars. I do not see the problem with ephemeral filesystem and `git-crypt`. The idea is not to create new files, but for the client (Heroku) to be able to read and process them. Or maybe there is another problem that I did not consider. – Kruupös Jun 25 '19 at 07:15
  • (a) Okay, but why do your CSVs need to be encrypted? What do they contain? I suspect there's a better solution to whatever problem you're trying to solve. (b) I've never used `git-crypt`, but it looks like you'd need to run `git-crypt unlock` on the cloned repo before building. I guess technically this could be done at build time, but you'll probably need a custom buildpack. It looks like [at least one exists](https://elements.heroku.com/buildpacks/jotes/heroku-buildpack-git-crypt). – ChrisGPT was on strike Jun 25 '19 at 12:49
  • @Chris, I already looked at the buildpack you provided but the GitHub repo linked to it no longer exists :( (a) they contain confidential information but I need to access them only once. Another idea would be to store them elsewhere on the cloud, but I figured it was simpler to have them in the repo. (b) to run `git-crypt unlock` one needs to have `git-crypt` installed and configured with a proper "gpg key", which is exactly my problem. – Kruupös Jun 25 '19 at 12:58
  • You're really avoiding telling us anything about this information and this significantly limits how much we can help. We can surmise that it's "confidential information". Is it a large amount of data that might fit better in a database? Is it a few values that could easily be put into the environment? There's a good chance this stuff doesn't belong in your repo at all. "Simpler" in one respect might be more complicated in others. And what do you hope to gain by encrypting it at rest? Would it be better to just have a private Git repo? – ChrisGPT was on strike Jun 25 '19 at 13:33
  • @Chris As for the data I'm trying to encrypt: I think it was off topic - my question is more about how to use `git-crypt`, if possible, alongside Heroku. To be explicit, this is a large amount of data and only a part of it will be processed and put into a database. This could not be transformed into env vars. My repo is already private but I would like to have a second security check. This is still an exploration process for me. – Kruupös Jun 25 '19 at 13:51
  • I am willing to give as much info as the community needs, please do not hesitate to ask me. – Kruupös Jun 25 '19 at 13:53
  • Okay, well, as I've said in the comments I don't know that `git-crypt` is the right tool here and there isn't a clear path for using it on Heroku, as far as I can tell. You may need to write your own buildpack. – ChrisGPT was on strike Jun 25 '19 at 13:54
  • @Chris if you use other tools I'd be happy to know about it. For now I do not use `git-crypt` at all and hope that nobody will access my private repo. – Kruupös Jun 25 '19 at 16:00

0 Answers