Reputation: 85
How to securely encrypt secrets over Github Webhooks?
I have a service running on a server that updates and restarts itself whenever I push new code to the repository using Github Webhooks. It has access to a bunch of databases, and the credentials for those databases are hard coded into a config file. I want to encrypt the config file and only decrypt it into memory when the service starts.
Since I have the service being started, it's looking like the encryption key will need to exist on the web server, which defeats the point of encrypting the file in the first place.
Can I use some authentication property of Github as the encryption key or in some other way pass a key to the server that isn't saved to disk? How should this file be secured?
Upvotes: 3
Views: 541
Answers (1)
Reputation: 1324248
How should this file be secured?
Not by GitHub or anything Git related.
You need either:
- an external service (like hashicorp/vault)
- or a plateform able to distribute a secret securely (like a docker secret)
But GitHub itself only hosts repo, it does not manage secrets.
A GitHub webhook is just a callback, meaning there mush be a service listening to that callback.
Upvotes: 2
Related Questions
- How to set Secret for github webhook in jenkins
- Github Secrets are not really secured, how to secure secrets permanently
- How to create a GitHub repository secret /encrypt it using bash on Ubuntu?
- GitHub store files encrypted
- How can I setup webhook secret on Ubuntu webhook commad?
- Github Webhooks secret with AWS API Gateway
- GitHub Webhook Secret Never Validates
- Why enterprise github can't deliver payload to webhook with ssl secured?
- API key encryption for Github?
- Github encrypts data of push and pulls?