Summary

Travis CI allows you to store encrypted environment variables in your .travis.yml file. When Travis CI kicks off a build, the environment variables in .travis.yml are decrypted and exported. If you need to encrypt something more substantial, like a PEM file for accessing an AWS instance, you can encrypt the file with a symmetric key and store the key in an encrypted.

tl;dr: Check out this gist for a shell script that wraps up these concepts.

Prerequisites

Encrypting secrets for Travis CI

Travis CI CLI

The travis gem makes working with your .travis.yml easy.

To create a .travis.yml file:

travis init

To create an entry for an encrypted environment variable:

travis encrypt MY_ENV_VAR=SOME_VALUE --add --override

tip: --add writes the entry into your .travis.yml, and --override removes all existing entries first

Encrypting AWS environment variables

I like to pull the AWS variables from my environment:

travis encrypt AWS_ACCESS_KEY=$AWS_ACCESS_KEY --add
travis encrypt AWS_SECRET_KEY=$AWS_SECRET_KEY --add
travis encrypt AWS_SSH_KEY=$AWS_SSH_KEY --add
travis encrypt AWS_SSH_KEY_ID=$AWS_SSH_KEY_ID --add

To encrypt a PEM file, first create a symmetric key. The key is the SHA-1 hex digest of 10,000 bytes read from /dev/urandom; the awk step keeps only the hex digest, because newer openssl versions prefix it with "(stdin)=" and that label would otherwise become part of the passphrase:

export TRAVIS_CI_SECRET=$(head -c 10000 /dev/urandom | openssl sha1 | awk '{print $NF}')

Now encrypt the file (the -a flag base64-encodes the output so ./.secret can be committed as text):

openssl aes-256-cbc -pass "pass:$TRAVIS_CI_SECRET" -in ~/.ssh/travisci-aws.pem -out ./.secret -a

Add the symmetric key to your .travis.yml file as an encrypted environment variable:

travis encrypt TRAVIS_CI_SECRET=$TRAVIS_CI_SECRET --add

On the Travis CI side, add this to your .travis.yml to decrypt the file (the cipher and -a options must match the encryption command exactly):

before_script:
- openssl aes-256-cbc -pass "pass:$TRAVIS_CI_SECRET" -in ./.secret -out ./travisci-aws.pem -d -a

BOOM! Your AWS secrets and PEM file are available to you in your Travis CI build run.
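The steps above, wrapped into shell functions with a round-trip check, as an added example (this is not the gist linked in the tl;dr). It assumes openssl is on PATH; the PEM content is constructed placeholder text, not a real key.

```shell
#!/bin/sh
# Added example: functions for the post's symmetric-encryption steps plus a
# self-check. Assumes openssl(1) is installed. No real key material is used.
set -eu

# Hex passphrase from /dev/urandom, as in the post. awk keeps only the digest,
# because newer openssl prints "(stdin)= <hex>" and the label would otherwise
# end up inside the passphrase.
gen_secret() {
    head -c 10000 /dev/urandom | openssl sha1 | awk '{print $NF}'
}

# Encrypt $1 to $2 with passphrase $3; -a base64-armors the output for git.
encrypt_file() {
    openssl aes-256-cbc -pass "pass:$3" -in "$1" -out "$2" -a
}

# Decrypt $1 to $2 with passphrase $3 and restrict the key file to its owner.
decrypt_file() {
    openssl aes-256-cbc -pass "pass:$3" -in "$1" -out "$2" -d -a
    chmod 600 "$2"
}

# Round trip in a temp dir. Returns 0 only if the decrypted file matches the
# original, the ciphertext does not leak the plaintext, and a wrong passphrase
# does not recover it.
roundtrip_check() {
    dir=$(mktemp -d)
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' \
        'CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY' \
        '-----END RSA PRIVATE KEY-----' > "$dir/travisci-aws.pem"
    secret=$(gen_secret)
    # On a workstation you would now run (needs the travis gem):
    #   travis encrypt TRAVIS_CI_SECRET="$secret" --add
    encrypt_file "$dir/travisci-aws.pem" "$dir/.secret" "$secret"
    decrypt_file "$dir/.secret" "$dir/decrypted.pem" "$secret"
    cmp -s "$dir/travisci-aws.pem" "$dir/decrypted.pem" || return 1
    ! grep -q 'PLACEHOLDER' "$dir/.secret" || return 1
    ! decrypt_file "$dir/.secret" "$dir/bad.pem" "wrong-$secret" 2>/dev/null \
        || ! cmp -s "$dir/travisci-aws.pem" "$dir/bad.pem" || return 1
    rm -rf "$dir"
}

roundtrip_check && echo "round trip OK"
```

If both your workstation and the Travis image have OpenSSL 1.1.1 or newer, add -pbkdf2 to both openssl commands to replace the deprecated password-based key derivation.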

AWS Credentials and Travis-CI was published on (revised: ) jono wells