dwyl / learn-environment-variables

Learn how to use Environment Variables to keep your passwords and API keys secret.
GNU General Public License v2.0
200 stars 90 forks

Multi-line Environment Variables e.g: RSA Private Keys #17

Open nelsonic opened 6 years ago

nelsonic commented 6 years ago

One of our Apps github-backup requires the use of an RSA Private Key as an environment variable:

e.g: private-key

Simply copy-pasting the key from the .pem into an .env file or attempting to export it in the terminal e.g:

export PRIVATE_KEY=-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA04up8hoqzS1+
...
l48DlnUtMdMrWvBlRFPzU+hU9wDhb3F0CATQdvYo2mhzyUs8B1ZSQz2Vy==
-----END RSA PRIVATE KEY-----

Does not work ... because of the line breaks.

I did a bit of googling but did not find a workable solution ... e.g: https://stackoverflow.com/questions/43082918/how-to-sett-multiline-rsa-private-key-environment-variable-for-aws-elastic-beans

Error:

-----END RSA PRIVATE KEY-----': not a valid identifier

Followed the instructions in: http://blog.vawter.com/2016/02/10/Create-an-Environment-Variable-from-a-Private-Key

Created a file called keytoenvar.sh with the following lines:

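#!/usr/bin/env bash
# Usage: source keytoenvar.sh NAME FILE
file=$2
name=$1
# Read the whole file into NAME; quoting "$file" keeps paths with spaces intact.
export "$name"="$(awk 'BEGIN{}{out=out$0"\n"}END{print out}' "$file" | sed 's/\n$//')"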

Then ran the following command:

 source keytoenvar.sh PRIVATE_KEY ./gitbu.2018-03-23.private-key.pem

That works but it seems like a "long-winded" approach ... 🤔

Does anyone know of a simpler way of doing this? (I'm trying to make it as "beginner friendly" as possible...)

@SimonLab / @Cleop relates to GitBu environment variables specifically the GitHub App PRIVATE_KEY

nelsonic commented 6 years ago

Created a StackOverflow question: https://stackoverflow.com/questions/49457787/how-to-export-a-multi-line-environment-variable-in-bash-terminal-e-g-rsa-privat

So whoever answers can get some "points".

curioustushar commented 6 years ago

@nelsonic Try

export the key

export test_key=`cat ~/.ssh/test.pem`

test.sh

#!/bin/bash

# Quote the variable so the key's line breaks survive word splitting.
echo "$test_key"

Hope it works, if you are satisfied I will post on SO and gain some points :wink:

nelsonic commented 6 years ago

Hi @cse-tushar, thank you so much for sharing your thoughts/solution! 🥇

That is a nicer solution than requiring a keytoenvar.sh file (listed above)

export PRIVATE_KEY=`cat ./gitbu.2018-03-23.private-key.pem`

If you post it on StackOverflow I will up-vote.

Feel free to include the following in your answer:


If you want to save the key to an .env file with the rest of your environment variables, all you need to do is "wrap" the private key string in single quotes in the .env file ... e.g:

export HELLO_WORLD='-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA04up8hoqzS1+APIB0RhjXyObwHQnOzhAk5Bd7mhkSbPkyhP1
...
iWlX9HNavcydATJc1f0DpzF0u4zY8PY24RVoW8vk+bJANPp1o2IAkeajCaF3w9nf
q/SyqAWVmvwYuIhDiHDaV2A==
-----END RSA PRIVATE KEY-----'

So the following command will work:

echo "export PRIVATE_KEY='`cat ./gitbu.2018-03-23.private-key.pem`'" >> .env

Followed by:

source .env

Now the key will be in your .env file and whenever you source .env it will be exported.


Exclude below this point, it's only for "reference" ...

I thought that the problem of including the private key string in the .env file was the new lines ... so I went down the "rabbit hole" of trying to use "sed" to replace new lines with \n in the .pem file:

echo "export test_key=\"`sed -E 's/$/\\\n/g' ./gitbu.2018-03-23.private-key.pem`\"" >> .env

https://stackoverflow.com/questions/38672680/replace-newlines-with-literal-n and http://www.grymoire.com/Unix/Sed.html

But I realised that it was "overkill" and the single-quote solution did the trick.

curioustushar commented 6 years ago

@nelsonic awesome bro :) awww sed is a real magician but it overkills sometimes.

typelogic commented 5 years ago

I did not like the 1 .pem file, and then another .sh file approach. There should be only 1 unified file containing both private key and script code. Answer is here

markhu commented 5 years ago

There is a simple answer. Just surround the multi-line literal value with quotes:

export PRIVATE_KEY='-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA04up8hoqzS1+
...
l48DlnUtMdMrWvBlRFPzU+hU9wDhb3F0CATQdvYo2mhzyUs8B1ZSQz2Vy==
-----END RSA PRIVATE KEY-----
'

PR https://github.com/dwyl/github-backup/pull/134

ideallical commented 4 years ago

I ended up replacing \n with a few characters that I could then replace with \n again on reading from the .env file.

something like:

.env
-----

PEM_KEY=-----BEGIN PRIVATE KEY-----||n||MIGTAgsdsd.......wdwIBAQQgKjv4uZPMlEhmZEcJ||n||3l/W8AIWAS32SOdwClwsygCgYIKfdAA....hDcKJgl||n||a0Ydale+vtqCpR.....vH7+CsdsID8||n||fn21...5u||n||-----END PRIVATE KEY-----||n||

settings.py
-----------

SOCIAL_SECRET = env.str("PEM_KEY").replace("||n||", "\n")

LikeCarter commented 3 years ago

I'll add that a more elegant fool-proof way is to encode the env var as base64 and then decode it when you access it.

const base64 = process.env.GITHUB_PRIVATE_KEY
const privateKey = Buffer.from(base64, 'base64')

cesperian commented 2 years ago

@LikeCarter this is the best answer I've seen so far. Seems to work perfectly. Thanks for mentioning it!...
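
The base64 approach from the comments above, carried through in the shell as an added example that is not part of any comment in this thread: encode a PEM file to one line, store it in .env, source it, decode it, and confirm the result is byte-identical to the original. The function names, the `PRIVATE_KEY_B64` variable and the sample PEM body (constructed filler, not a real key) are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread). The PEM body is constructed filler,
# not a real key; all function and variable names here are hypothetical.

# Write a 4-line PEM-shaped sample file to $1.
make_sample_pem() {
  printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' \
    'Q09OU1RSVUNURUQtRklMTEVSLU5PVC1BLUtFWQ==' \
    'QU5PVEhFUi1MSU5FLU9GLUZJTExFUg==' \
    '-----END RSA PRIVATE KEY-----' > "$1"
}

# Print file $1 as ONE base64 line (base64 wraps its output, so drop newlines).
pem_to_b64() {
  base64 < "$1" | tr -d '\n'
}

# Append "export NAME=<base64>" to env file $3 and keep it owner-readable only.
write_env_entry() {   # usage: write_env_entry NAME PEM_FILE ENV_FILE
  ( umask 077; : >> "$3" ) && chmod 600 "$3" || return 1
  printf 'export %s=%s\n' "$1" "$(pem_to_b64 "$2")" >> "$3"
}

# Decode a base64 value ($1) back to the original multi-line PEM on stdout.
b64_to_pem() {
  printf '%s' "$1" | base64 -d
}

# Round trip: PEM -> .env -> environment -> PEM, then compare byte for byte.
demo() {
  dir=$(mktemp -d) || return 1
  make_sample_pem "$dir/sample.pem"
  write_env_entry PRIVATE_KEY_B64 "$dir/sample.pem" "$dir/.env"
  . "$dir/.env"
  b64_to_pem "$PRIVATE_KEY_B64" > "$dir/restored.pem"
  if cmp -s "$dir/sample.pem" "$dir/restored.pem"; then
    echo "round trip OK: $(wc -l < "$dir/restored.pem") lines restored"
  else
    echo "round trip FAILED" >&2
  fi
  rm -rf "$dir"
}

demo
```

The base64 alphabet contains no characters the shell treats specially, so the stored value needs no quoting in .env. The `cmp` check is what catches a key that lost its line breaks on the way in.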

ivolkoff commented 7 months ago

You can try this:

makefile

...
include .env
export

export KAFKA_CERTIFICATE=`cat certificates/WinCAG2.crt`

...

run:
	go build -o ./bin/ gitlab.com/abc/def/cmd/mycode
	KAFKA_CERTIFICATE=$(KAFKA_CERTIFICATE) ./bin/mycode