Secure bosh-workspace with git-crypt

The due to the nature of a boshworkspace it will contain sensitive data (like keys, certificates and passwords). To prevent data leaks it is recommended to encrypt this data before pushing it, to for example github.

In this blogpost we will go over how to setup your boshworkspace repository to store encrypted versions of your deployment manifests, keys and optionally microbosh deployment files. The tools we will be using are: git-crypt and keybase.io (optional).

Setup

First we will have to install git-crypt:

# OSX
brew install git-crypt

# Ubuntu
sudo apt-get install libssl-dev
cd /tmp && wget https://github.com/AGWA/git-crypt/archive/0.5.0.zip
unzip 0.5.0.zip && cd git-crypt-0.5.0/
make && sudo make install

Next create an empty boshworkspace repository:

git init demo-boshworkspace && cd demo-boshworkspace
mkdir deployments templates
echo -e 'source "https://rubygems.org"\n\ngem "bosh-workspace"' > Gemfile
echo -e '.stemcells*\n.deployments*\n.releases*\n.stubs*\n' > .gitignore
git add . && git commit -m "Initial commit"

The next step is to intialize git-crypt which will generate a symmetric key for encrypting your files. We will also specify which files to encrypt via .gitattributes:

git-crypt init
for i in "deployments/*.yml" "ssh/*" "microbosh/**/micro_bosh.yml"
do
  echo "$i filter=git-crypt diff=git-crypt" >> .gitattributes
done
git add .gitattributes && git commit -m "Added git-crypt filters"

Distributing keys can be cumbersome which is why we will use keybase.io and gpg to encrypt the symmetric key:

curl https://keybase.io/rkoster/key.asc | gpg --import
git-crypt add-gpg-user rkoster

The above will first download the public gpg key for user rkoster (you should use your own public gpg key). And then uses this public key to create a encrypted version of the symmetric key and stores it in .git-crypt/keys/default/0/*.gpg.

This encrypted key can be decrypted by running git-crypt unlock.

Deploy

So now that we have a boshworkspace repo configured for encryption lets explore the deployment side of things. For this demo we will create a foo.yml deployment which we will decrypt on the inception/bastion server.

First lets create the foo deployment (for demonstration purposes we will use an invalid manifest):

echo -e "---\nname: foo" > deployments/foo.yml
git add deployments/foo.yml && git commit -m "Initial foo deployment"

After running the above commands you should have an encrypted deployment file:

> git-crypt status
not encrypted: .git-crypt/.gitattributes
not encrypted: .git-crypt/keys/default/0/5865815F708529816343DCC1F6A8BA05268F177D.gpg
not encrypted: .gitattributes
not encrypted: .gitignore
not encrypted: Gemfile
    encrypted: deployments/foo.yml

On our deployment server we don’t want to use our private gpg key, since this envrionment could be shared with other BOSH operators. So we will have to export the symmetric key of this repo:

git-crypt export-key /tmp/key

Now lets clone this repo to a deployment envrionment (for demo purposes just an other folder on the same machine):

git clone ./ ../deploy-demo-boshworkspace
cd ../deploy-demo-boshworkspace

Our deployment file is currently still encrypted:

> cat deployments/foo.yml
GITCRYPTa���F��9\Y+��p�j-%

So all that is left is unlocking the cloned repo with the exported key:

git-crypt unlock /tmp/key

Now the deployment file is decrypted:

> cat deployments/foo.yml
---
name: foo

This concludes the demonstration of how to use git-crypt in combination with bosh-workspace. We also used keybase.io for retreiving a users public gpg key. Keybase was chosen because the ease of use. There are however plenty of other solutions for distributing public gpg user keys.

Spread the word

twitter icon facebook icon linkedin icon