July 6, 2017 Recover Lost TravisCI Variables – Two ways

Introduction

Travis CI is a wildly popular continuous integration service which integrates with software projects hosted at Github. They offer a feature that allows you to keep encrypted variables for use during the build process in your project’s .travis.yml (the Travis CI config file).There may come a time when you need to recover your own encrypted variables from Travis CI. I’m explicitly not talking about “stealing” information, or gaining access to anyone else’s environment variables (or the security advisory from 2016). This article is about retrieving your own lost variables. Maybe you inherited an old project and the person who set things up is no longer there, or maybe you just kept bad notes 😉

Why is it hard?

Despite the fact that you have access to project in Travis and can look at the build output, you can not see the encrypted variables. The Travis engine replaces them with “secret” wherever they would be displayed on the screen. My initial simple attempts at retrieving my lost variables was to add custom steps to the build to echo them to a file, and then cat that file (to the display / build output). No dice, Travis catched that also (and replaces it again with “secret”). This leads me to believe that it simply looks for any potential output of this data and does the replacement.

So what can you do?

Two fairly simple methods can get you your data and I’ll describe both below. In both cases you’ll need both access to create a new temporary branch on the repo and the ability to see the Travis build output.
To set up the temporary branch, simplete branch from your latest commit. Make sure to use a name for your new branch that is not in any of your deploy clauses. This will make sure you don’t actually deploy anything when you push your branch (we’re just after the console output here, we don’t need to actually do a deployment).

Method 1 – Send a File Offsite

In this method we’ll update the .travis.yml in your new branch with a few new commands to create an encrypted file with the information you need and store it externally so you can retrieve it. We’ll try to retrieve the encrypted key “QA_AWS_KEY”.

1. Update the “sudo:” line in your .travis.yml and set it to “required”. This is needed so that we can install a couple of additional packages.
2. Create a new encrypted variable to serve as an encryption key so that you’re not sending your data offsite in the clear. In this example we’ll call this new variable “ENC_KEY”.
3. At the top of the “install:” section of the config file add the following:

       - sudo apt-get install -y ccrypt
       - echo QA_AWS_KEY = $QA_AWS_KEY > info.txt
       - ccencrypt info.txt -K $ENC_KEY
       - curl --upload-file info.txt.cpt https://transfer.sh/info.txt.cpt
       

   In short, what we’re doing here is echoing the key into a file (info.txt), encrypting that file, and finally sending the file to transfer.sh (a free service for transferring small files easily).

4. Commit your changes and push your new branch.
5. Monitor the build log on the travis website and once the file upload is complete, you can view the download link in the “raw log” view.
6. In you local terminal, download and decrypt the file.

Method 2 – Uuencrypt the Data

1. As with method 1, update the “sudo:” line in your .travis.yml and set it to “required”.
2. At the top of the “install:” section of the config file add the following:

       - sudo apt-get install -y ccrypt
       - sudo apt-get install -y sharutils
       - echo QA_AWS_KEY = $QA_AWS_KEY > info.txt
       - ccencrypt info.txt -K $ENC_KEY
       - uuencode -m info.txt.cpt info.txt.cpt
       

   In this case we’re producing a terminal visible, ascii encoded version of the (encrypted) file.

3. Commit your changes and push your new branch.
4. Monitor the build log on the travis website and once the file is uuencoded, view the raw log for the output then copy this and save it to a file on your local machine.
5. Now run “uudecode info.txt.cpt” on your local file and finally decrypt it.

Summary

These two approaches can save you from the need to replace a lost key in certain circumstances. It’s not perfect – for example, you must know the name of the encrypted variable you are trying to retrieve (however you can usually determine this by looking at the rest of the .travis.yml file). Furthermore in many cases maybe you should be changing the key. But if the need arises, I hope these tips can serve someone else.