The due to the nature of a boshworkspace it will contain sensitive data (like keys, certificates and passwords). To prevent data leaks it is recommended to encrypt this data before pushing it, to for example github.

In this blogpost we will go over how to setup your boshworkspace repository to store encrypted versions of your deployment manifests, keys and optionally microbosh deployment files. The tools we will be using are: git-crypt and keybase.io (optional).

Setup

First we will have to install git-crypt:

# OSX
brew install git-crypt

# Ubuntu
sudo apt-get install libssl-dev  
cd /tmp && wget https://github.com/AGWA/git-crypt/archive/0.5.0.zip  
unzip 0.5.0.zip && cd git-crypt-0.5.0/  
make && sudo make install  

Next create an empty boshworkspace repository:

git init demo-boshworkspace && cd demo-boshworkspace  
mkdir deployments templates  
echo -e 'source "https://rubygems.org"\n\ngem "bosh-workspace"' > Gemfile  
echo -e '.stemcells*\n.deployments*\n.releases*\n.stubs*\n' > .gitignore  
git add . && git commit -m "Initial commit"

The next step is to intialize git-crypt which will generate a symmetric key for encrypting your files. We will also specify which files to encrypt via .gitattributes:

git-crypt init  
for i in "deployments/*.yml" "ssh/*" "microbosh/**/micro_bosh.yml"  
do  
  echo "$i filter=git-crypt diff=git-crypt" >> .gitattributes
done  
git add .gitattributes && git commit -m "Added git-crypt filters"

Distributing keys can be cumbersome which is why we will use keybase.io and gpg to encrypt the symmetric key:

curl https://keybase.io/rkoster/key.asc | gpg --import  
git-crypt add-gpg-user rkoster  

The above will first download the public gpg key for user rkoster (you should use your own public gpg key). And then uses this public key to create a encrypted version of the symmetric key and stores it in .git-crypt/keys/default/0/*.gpg.

This encrypted key can be decrypted by running git-crypt unlock.

Deploy

So now that we have a boshworkspace repo configured for encryption lets explore the deployment side of things. For this demo we will create a foo.yml deployment which we will decrypt on the inception/bastion server.

First lets create the foo deployment (for demonstration purposes we will use an invalid manifest):

echo -e "---\nname: foo" > deployments/foo.yml  
git add deployments/foo.yml && git commit -m "Initial foo deployment"  

After running the above commands you should have an encrypted deployment file:

> git-crypt status
not encrypted: .git-crypt/.gitattributes  
not encrypted: .git-crypt/keys/default/0/5865815F708529816343DCC1F6A8BA05268F177D.gpg  
not encrypted: .gitattributes  
not encrypted: .gitignore  
not encrypted: Gemfile  
    encrypted: deployments/foo.yml

On our deployment server we don't want to use our private gpg key, since this envrionment could be shared with other BOSH operators. So we will have to export the symmetric key of this repo:

git-crypt export-key /tmp/key  

Now lets clone this repo to a deployment envrionment (for demo purposes just an other folder on the same machine):

git clone ./ ../deploy-demo-boshworkspace  
cd ../deploy-demo-boshworkspace  

Our deployment file is currently still encrypted:

> cat deployments/foo.yml
GITCRYPTa���F��9\Y+��p�j-%  

So all that is left is unlocking the cloned repo with the exported key:

git-crypt unlock /tmp/key  

Now the deployment file is decrypted:

> cat deployments/foo.yml
---
name: foo  

This concludes the demonstration of how to use git-crypt in combination with bosh-workspace. We also used keybase.io for retreiving a users public gpg key. Keybase was chosen because the ease of use. There are however plenty of other solutions for distributing public gpg user keys.