ZenChair / aws-ops-assistant

AWS Ops Assistant

Setup CI/CD environment #1

Closed ryu1kn closed 7 years ago

ryu1kn commented 7 years ago

Possible options:

| Code repo  | CI           | CD         |
|------------|--------------|------------|
| GitHub     | TravisCI     | TravisCI   |
| GitHub     | CodePipeline | CodeDeploy |
| CodeCommit | CodePipeline | CodeDeploy |

We want to make the code public as much as possible, so we decided to go with the 1st option as long as we can securely deploy our code changes to AWS.

ryu1kn commented 7 years ago

Happened to find this blog on Travis. Just make sure you're not making a silly mistake when you encrypt env vars.

ryu1kn commented 7 years ago

Travis encrypts your secret files with AES256. cf Encrypting Files

...which is not practical to crack with brute-force attack at the moment.

AES permits the use of 256-bit keys. Breaking a symmetric 256-bit key by brute force requires 2^128 times more computational power than a 128-bit key. Fifty supercomputers that could check a billion billion (10^18) AES keys per second (if such a device could ever be made) would, in theory, require about 3×10^51 years to exhaust the 256-bit key space.


ryu1kn commented 7 years ago

Although the file encryption is done with AES256, the key needs to be put in the repo encrypted with an RSA public key. So it really depends on how secure the RSA encryption is.

You can use the ssh key you generated but currently this is only available on private repository: https://docs.travis-ci.com/user/private-dependencies/#User-Key

ryu1kn commented 7 years ago

You can get your repo's public key

```console
$ travis pubkey > pubkey_rsa.pub
$ cat pubkey_rsa.pub
ssh-rsa AAAAB3N...
```

Follow the great instruction of this post, How do I get the RSA bit length with the pubkey and openssl?,

```console
$ cat pubkey_rsa.pub | cut -c9-85 | openssl base64 -d | od -t x1
```

You'll get `00 00 02 01` for the length in bytes of the modulus part. In decimal notation, this is:

```console
$ node -p "0x0201"
```

So, in bits, this is (513-1) * 8 = 4096 bits. Considering that it is now recommended to use a modulus longer than 1024 bits for RSA, 4096 bits is far safer.

So, it's alright to put sensitive data encrypted with the public key Travis generated.
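
As an added example (not code from this issue, from Travis, or from the aws-ops-assistant project), here is a stdlib-only Python parser for the OpenSSH public-key wire format that does what the `cut | openssl base64 -d | od` one-liner and the `node -p` arithmetic above do by hand: it walks the RFC 4251 length-prefixed fields, shows the four-byte length that precedes the modulus, and computes the key size. The keys it parses are constructed test vectors (synthetic integers, not real RSA moduli) built by the same encoder, so it runs offline. It also shows where the "-1" comes from: the mpint encoding prepends a 0x00 byte whenever the top bit is set, so `(len - 1) * 8` matches the true size only when the modulus length is an exact multiple of 8 bits; `int.bit_length()` on the decoded modulus is the exact answer in every case.

```python
import base64
import struct

# Constructed test vectors: these are NOT real RSA keys. The parser only looks at
# the wire format, so a synthetic integer with its top bit set is enough.
SYNTHETIC_E = 65537
SYNTHETIC_N_4096 = (1 << 4095) | (1 << 1024) | 1   # exactly 4096 bits
SYNTHETIC_N_2047 = (1 << 2047) - 1                  # 2047 bits: top bit of first byte clear


def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """RFC 4251 'mpint': big-endian two's complement, minimal length.

    A positive number whose top bit is set gets a leading 0x00 byte, which is
    why a 4096-bit (512-byte) modulus shows up with length 0x0201 = 513."""
    if value == 0:
        return _ssh_string(b"")
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def encode_openssh_rsa(e: int, n: int, comment: str = "constructed") -> str:
    """Produce an 'ssh-rsa AAAA... comment' line of the kind `travis pubkey` prints."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode('ascii')} {comment}"


def _read_string(blob: bytes, offset: int):
    """Read one length-prefixed field; return (field bytes, offset after it)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated field body")
    return blob[offset + 4:end], end


def parse_openssh_rsa(line: str) -> dict:
    """Parse an OpenSSH RSA public-key line into e, n and size information."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    blob = base64.b64decode(parts[1], validate=True)
    key_type, off = _read_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError(f"unexpected key type in blob: {key_type!r}")
    e_bytes, off = _read_string(blob, off)
    n_field_offset = off                        # where the 4-byte modulus length sits
    n_bytes, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after modulus")
    n = int.from_bytes(n_bytes, "big")
    return {
        "e": int.from_bytes(e_bytes, "big"),
        "n": n,
        # the four bytes the `od -t x1` one-liner shows, e.g. "00 00 02 01"
        "length_field_hex": " ".join(
            f"{b:02x}" for b in blob[n_field_offset:n_field_offset + 4]),
        "modulus_field_bytes": len(n_bytes),     # 513 for a 4096-bit key
        "naive_bits": (len(n_bytes) - 1) * 8,    # the "(513-1)*8" arithmetic
        "bits": n.bit_length(),                  # the actual key size
    }


if __name__ == "__main__":
    for n in (SYNTHETIC_N_4096, SYNTHETIC_N_2047):
        info = parse_openssh_rsa(encode_openssh_rsa(SYNTHETIC_E, n))
        print(info["length_field_hex"], info["modulus_field_bytes"],
              info["naive_bits"], info["bits"])
```

Feed `parse_openssh_rsa` the contents of `pubkey_rsa.pub` to check a real key; `ssh-keygen -lf pubkey_rsa.pub` prints the same bit count and is a quick cross-check. The 2047-bit vector is there to show the failure mode of the shortcut arithmetic: with no leading 0x00 byte, `(256 - 1) * 8` gives 2040 while the modulus really has 2047 bits.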

ryu1kn commented 7 years ago

Done with 86057c77d04845e08bb97939f6e3eb6f1292bbb3.