Reputation: 331
I am wondering if it's possible to store credentials like passwords, tokens and keys safely in my GitLab project.
Currently there are a bunch of Java files with some passwords stored in them for testing purposes. However, I don't want to push this information to my repo due to security reasons. I tried using environment variables in the project, but they only seem to work for the .gitlab-ci.yml file.
My question is: does anyone use a vault like HashiCorp's or BlackBox to encrypt sensitive information?
Thanks
Upvotes: 32
Views: 52263
Reputation: 1030
GitLab will soon include a function for securely storing secrets, called GitLab Secrets Manager.
Upvotes: 6
Reputation: 1323753
You can check out GitLab 12.9 (March 2020) which comes with:
HashiCorp Vault GitLab CI/CD Managed Application
GitLab wants to make it easy for users to have modern secrets management. We are now offering users the ability to install Vault within a Kubernetes cluster as part of the GitLab CI managed application process.
This will support the secure management of keys, tokens, and other secrets at the project level in a Helm chart installation.
See documentation and issue.
See also GitLab 13.4 (September 2020)
For Premium/Silver only:
Use HashiCorp Vault secrets in CI jobs
In GitLab 12.10, GitLab introduced functionality for GitLab Runner to fetch and inject secrets into CI jobs. GitLab is now expanding the JWT Vault Authentication method by building a new secrets syntax in the .gitlab-ci.yml file. This makes it easier for you to configure and use HashiCorp Vault with GitLab.
See Documentation and Issue.
Upvotes: 9
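An added illustration of the secrets syntax quoted in the answer above (not part of the original answer and not taken from GitLab's documentation): a .gitlab-ci.yml fragment that pulls a test database password from Vault instead of keeping it in the Java sources. The Vault address, role name, secret path, job name and the Maven-capable runner image are placeholders or assumptions, and it assumes a current GitLab release with a Vault JWT role already configured for the project.

```yaml
# Added example; every hostname, role, path and job name here is a placeholder.
variables:
  VAULT_SERVER_URL: https://vault.example.com   # placeholder Vault address
  VAULT_AUTH_ROLE: myproject-ci                 # placeholder JWT role bound to this project in Vault

integration-test:
  # Newer GitLab releases authenticate to Vault with an ID token declared on the job;
  # the aud claim must match what the Vault JWT role expects.
  id_tokens:
    VAULT_ID_TOKEN:
      aud: https://vault.example.com
  secrets:
    DB_PASSWORD:
      # Format is <path>/<field>@<mount>: KV v2 mount "secret",
      # path "myproject/test/db", field "password".
      vault: myproject/test/db/password@secret
      # With the default (file: true) $DB_PASSWORD holds the PATH of a temporary
      # file containing the secret. file: false exports the value itself.
      file: false
  script:
    # Assumes the runner image provides Maven and that the tests call
    # System.getenv("DB_PASSWORD") instead of using a hard-coded literal.
    - mvn --batch-mode test
```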
Reputation: 2748
If you are not using environment variables in GitLab, then you are asking if it is possible to store secrets in GitLab. I have not done this myself, but I found this post about it:
https://embeddedartistry.com/blog/2018/03/15/safely-storing-secrets-in-git/
The author suggests three ways of storing secrets in git:
The author was using BlackBox, but was going to migrate to git-crypt. From a quick look at it, git-crypt looks like something that I could use myself.
Upvotes: 8