How I can decrypt secure env variables?

You can't decrypt locally from what I understand but you can recover the key/values. By nature, they have to be decrypted to be used during the build process.

  1. Go to your last build of your current project.
  2. Select "Debug Build"
  3. SSH into the instance using the provided user and host ***********@to2.tmate.io
  4. Once in the remote shell, run env.

This will print all of the environment variables so you will have to dig a little for your secure ones but they will be there.


I don't think you can decrypt it. Public key is used to encrypt the data and it can only be decrypted with the private key which travis doesn't provide.


Daniel's answer here would probably work, but it relies on the Debug Mode of Travis CI, which is disabled for public repositories by default, due to security concerns.

There is actually another way to do it. It is inspired by, and simplified from this blog post "RECOVER LOST TRAVISCI VARIABLES – TWO WAYS".

Some explanation first:

  • Why is it possible? Because Travis-CI would have to decrypt it into plain text and set it as an environment variable, for it to work on their machine. That is your chance to recover it.
  • Yet echo $SECRET would NOT reveal it from console log, because Travis-CI scans all the stdout and filter that particular value. (Duh.) That's not a bad thing at all, because you won't want your recovered secret shown in the console log available to the world anyway. The solution is to encrypt it with another KNOWN_SECRET, with the help of a command line tool ccrypt which you would need to install.
  • Lastly, you need another tool to encode the encrypted secret, for it to be show as normal characters in console log. Command line tool base64 comes in handy, as it is already available on Travis CI's build machines, and in your local git bash (if you are using git on Windows) or in your shell (if you are using Linux).

TL;DR: As easy as 1-2-3!

  1. Add or modify your .travis.yml to contain the following content.
sudo: required
install:
  - sudo apt-get install -y ccrypt
  - echo $UNKNOWN_SECRET > info.txt
  - ccencrypt info.txt -K $KNOWN_SECRET
  - cat info.txt.cpt | base64

  1. Commit the above change to an experimental branch, and trigger a Travis CI run. Browser the console log, to find that line of output, say, A1B2C3D4....

  2. On your local machine, run this:

echo `A1B2C3D4...` | base64 -d > info.txt.cpt
sudo apt-get install -y ccrypt  # If you haven't already
ccrypt –d info.txt.cpt
# When prompt, type in the KNOWN_SECRET, and then you will have info.txt in plain text

Tags:

Travis Ci

Recent Posts