Closed: ryu1kn closed this issue 7 years ago
Happened to find this blog on travis. Just make sure you're not making a silly mistake when you encrypt env vars.
Travis encrypts your secret files with AES256, cf. Encrypting Files:
...which is not practical to crack with a brute-force attack at the moment.
AES permits the use of 256-bit keys. Breaking a symmetric 256-bit key by brute force requires 2^128 times more computational power than a 128-bit key. Fifty supercomputers that could check a billion billion (10^18) AES keys per second (if such a device could ever be made) would, in theory, require about 3×10^51 years to exhaust the 256-bit key space.
Although file encryption is done with AES256, the key needs to be put in the repo encrypted with an RSA public key. So it really depends on how secure the RSA encryption is.
You can use the ssh key you generated, but currently this is only available on private repositories: https://docs.travis-ci.com/user/private-dependencies/#User-Key
You can get your repo's public key with:
$ travis pubkey > pubkey_rsa.pub
$ cat pubkey_rsa.pub
ssh-rsa AAAAB3N...
Following the great instructions in this post, How do I get the RSA bit length with the pubkey and openssl?, run:
$ cat pubkey_rsa.pub | cut -c9-85 | openssl base64 -d | od -t x1
You'll get 00 00 02 01 for the length in bytes of the modulus part. In decimal notation, this is:
$ node -p "0x0201"
513
So, in bits, this is (513-1) * 8 = 4096 bits. Considering that a modulus length longer than 1024 bits is now recommended for RSA, 4096 bits is far safer.
So, it's alright to put sensitive data encrypted with the public key travis generated.
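The `cut -c9-85 | openssl base64 -d | od` trick above reads the 4-byte length field that precedes the modulus in the ssh-rsa wire format and infers the key size from it. As an added example (not part of this issue, and not Travis code), the script below parses that format properly: it walks the three length-prefixed fields (key type, public exponent e, modulus n), shows the same `00 00 02 01` bytes and the `513 - 1` arithmetic, and also computes the exact bit length of n. The sample keys are constructed in the script from synthetic moduli, so it runs offline; they are not real Travis keys. It also shows the one case the byte-count shortcut gets wrong: a modulus whose top byte has its high bit clear is stored without the leading 0x00 pad byte, so `(length-1)*8` under-reports, while `bit_length()` does not. Real RSA key generators always set the top bit for a key of nominal size, which is why the shortcut works on a Travis key.

```python
import base64
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode one length-prefixed field of the ssh-rsa wire format (RFC 4253 'string')."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """Encode a non-negative integer as an RFC 4251 mpint: big-endian, with a
    leading 0x00 byte when the top bit is set so it is not read as negative."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def build_ssh_rsa_line(e: int, n: int) -> str:
    """Build an 'ssh-rsa <base64>' line from (e, n). Used here only to construct
    sample input; the moduli below are synthetic, not real keys."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii")


def _read_string(blob: bytes, offset: int):
    """Read one length-prefixed field; return (field bytes, offset after it)."""
    (length,) = struct.unpack_from(">I", blob, offset)
    start = offset + 4
    return blob[start:start + length], start + length


def parse_ssh_rsa_line(line: str) -> dict:
    """Decode the base64 blob and walk its fields: key type, e, n."""
    blob = base64.b64decode(line.split()[1])
    key_type, off = _read_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("not an ssh-rsa public key")
    e_bytes, off = _read_string(blob, off)
    n_bytes, _ = _read_string(blob, off)        # `off` now points at n's length field
    return {
        "e": int.from_bytes(e_bytes, "big"),
        "n": int.from_bytes(n_bytes, "big"),
        "n_field_len": len(n_bytes),            # includes the 0x00 pad byte if present
        "n_len_hex": blob[off:off + 4].hex(),   # the 4 bytes `od` prints just before n
    }


def modulus_bits_from_field_len(n_field_len: int) -> int:
    """The arithmetic from the post: drop the 0x00 pad byte, then multiply by 8.
    Only exact when the modulus's top bit is set (true for real RSA keys)."""
    return (n_field_len - 1) * 8


def modulus_bits(line: str) -> int:
    """Exact bit length of n, independent of any pad byte."""
    return parse_ssh_rsa_line(line)["n"].bit_length()


def meets_minimum(line: str, minimum_bits: int = 2048) -> bool:
    """Policy check: refuse to trust a public key below the given modulus size."""
    return modulus_bits(line) >= minimum_bits


E = 65537
# Constructed 4096-bit modulus (top bit set, like a real key). Not a real key.
N_4096 = (1 << 4095) | 0x1234_5678_9ABC_DEF1
SAMPLE_4096 = build_ssh_rsa_line(E, N_4096)
# Constructed 1024-bit modulus, for contrast with the recommended minimum.
N_1024 = (1 << 1023) | 0xC0FFEE
SAMPLE_1024 = build_ssh_rsa_line(E, N_1024)
# Constructed 4090-bit modulus: top byte is 0x02, so no pad byte is written and
# the "(length-1)*8" shortcut reports 4088 instead of 4090.
N_ODD = (1 << 4089) | 1
SAMPLE_ODD = build_ssh_rsa_line(E, N_ODD)

if __name__ == "__main__":
    for label, line in [("4096", SAMPLE_4096), ("1024", SAMPLE_1024), ("odd", SAMPLE_ODD)]:
        info = parse_ssh_rsa_line(line)
        print(label, "len field:", info["n_len_hex"], "bytes:", info["n_field_len"],
              "shortcut:", modulus_bits_from_field_len(info["n_field_len"]),
              "exact:", modulus_bits(line), "ok:", meets_minimum(line))
```

To run it against a real key, read the output of `travis pubkey` into `line` instead of one of the constructed samples; `parse_ssh_rsa_line` needs nothing beyond the standard library.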
Done with 86057c77d04845e08bb97939f6e3eb6f1292bbb3.
We want to make the code public as much as possible, so we decided to go with the 1st option as long as we can securely deploy our code changes to AWS.