Skip to main content

Using encrypted files in your builds

Abstract

You can use encrypted files on Bitrise, easily. After encrypting the file on your computer, upload it to the Generic File Storage and use the Decrypt file Step or your own custom decrypting solution to decrypt it when you need it.

You can use encrypted files on Bitrise, easily and securely. All you need to do is encrypt the file on your computer, upload it to the Generic File Storage and use the Decrypt file Step or your own custom decrypting solution to decrypt it when you need it.

GPG encryption

Please note that the Decrypt file Step only decrypts files encrypted with GPG. If you use other encryption software, you will not be able to decrypt files using the Step. You can, of course, set up your own decryption solution in a Script Step.

Encrypting your files

In this example, we’ll use the pwgen password generator tool and GPG as the encryption software to encrypt a file.

  1. Open a Terminal/Command Line.

  2. Create a 32 character passphrase for encryption.

    Keep the passphrase

    You will need this passphrase to decrypt the file on Bitrise.

      pwgen -s 32 1
  3. Encrypt your file. In this example, the file is called my_secret_file.

    gpg -c my_secret_file

    Optionally, you can encrypt your file(s) in a non-interactive way.

    gpg --batch --passphrase <passphrase> -c my_secret_file

Decrypting and downloading your files during a build

After you successfully encrypted a file, you need to upload it to Bitrise and you need to be able to decrypt it during the build. In this procedure, we'll use the Decrypt file Step to decrypt the file.

GPG encryption

Please note that the Decrypt file Step only decrypts files encrypted with GPG. If you use other encryption software, you will not be able to decrypt files using the Step. You can, of course, set up your own decryption solution in a Script Step.

  1. Log in to Bitrise and select Bitrise CI on the left, then select your project.

  2. Click the Workflows button on the main page.

    opening-workflow-editor.png
  3. Go to the Secrets tab, and add your decryption passphrase as a Secret.

  4. Upload the file to Bitrise

  5. Copy the Environment Variable (Env Var) under the name of the uploaded file. This Env Var stores the download URL for the file.

  6. Go to the Workflows tab.

  7. Open the Workflow Editor.

  8. Add the Decrypt file Step to your Workflow.

  9. Paste the Env Var of the file to the Encrypted file path input.

  10. In the Output file path input, specify the path where you want to place the decrypted file. Subsequent Steps will be able to access the file at this path.

    Using an Env Var as the input value

    You can store the filepath in an App Env Var instead of specifying it directly for the input. That way you can refer to the file through the Env Var in other Steps, you won’t have to specify the path every time.

    For example, if you store the path in the BITRISEIO_MY_FILE_LOCAL_PATH Env Var, you can use it as the path for the input, and also use it to access the file in every subsequent Step.

Example 1. A bitrise.yml example for decrypting files
---
format_version: '11'
default_step_lib_source: https://github.com/bitrise-io/bitrise-steplib.git
project_type: macos
workflows:
  secret:
    steps:
    - activate-ssh-key@4: {}
    - git-clone@6: {}
    - decrypt-file@0:
        inputs:
        - encrypted_file_path: "./secret.txt.gpg"
        - output_file_path: "./secret/"
        - decrypt_passphrase: "$PASSWORD_FOR_ENCRYPT"
    - deploy-to-bitrise-io@2: {}