Encrypt API keys for open source projects?

Now my API keys are encrypted with AES256 and get decrypted in the code pipeline for a new release for every change to the repo.

But if my project were open source, what would prevent an incoming PR that triggers the code pipeline from printing the decrypted files in clear text?

If I assume that the project is open source and we did encrypt the API keys, then an incoming PR could still trigger the Travis pipeline and output the keys in clear text like this:

- openssl aes-256-cbc -K $encrypted_42b9fd1_key -iv $encrypted_42b9fd1_iv -in secrets.tar.enc -out secrets.tar -d   # decrypt the archive with the key/iv Travis injects as env vars
- tar xvf secrets.tar   # unpack the decrypted archive
- cat api-key.json   # dumps the plaintext key into the (public) build log

How can I prevent such a scenario? Or did I misunderstand?

Nothing. That’s why you can place keys into encrypted variables (in either .travis.yml or Travis settings) which are not accessible to PR builds.

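Travis withholds encrypted variables from pull-request builds, so on a PR the `$encrypted_42b9fd1_key` and `$encrypted_42b9fd1_iv` variables are simply empty and the `openssl` step fails. The following guard, an added example that is not part of the original thread or of Travis's own documentation, makes the decrypt step skip cleanly on PR builds instead of failing, and never echoes the decrypted contents. It relies on two variables Travis sets in every build: `TRAVIS_PULL_REQUEST` (the PR number, or the string `false` for push builds) and `TRAVIS_SECURE_ENV_VARS` (`true` only when encrypted variables were injected). The `should_decrypt` function takes these as explicit arguments so it can be exercised outside Travis; the variable names and `secrets.tar.enc` are taken from the question.

```shell
#!/bin/sh
# Added example (not from the original post): guard the decrypt step so it
# only runs on a push build that actually received the encrypted variables.

# should_decrypt PR SECURE KEY IV
#   PR     : value of TRAVIS_PULL_REQUEST ("false" for push builds, else PR number)
#   SECURE : value of TRAVIS_SECURE_ENV_VARS ("true" when encrypted vars were injected)
#   KEY/IV : the decryption key and iv Travis exports for this build
# Returns 0 when decryption is safe and possible, 1 otherwise.
should_decrypt() {
  pr="$1"; secure="$2"; key="$3"; iv="$4"
  [ "$pr" = "false" ] || return 1      # never decrypt in a pull-request build
  [ "$secure" = "true" ] || return 1   # Travis withheld the secure vars
  [ -n "$key" ] && [ -n "$iv" ] || return 1   # empty key/iv would make openssl fail
  return 0
}

# decrypt_secrets: intended for a before_install step in .travis.yml.
# Skips (with exit status 0) when the guard says no, so PR builds still pass.
decrypt_secrets() {
  if should_decrypt "${TRAVIS_PULL_REQUEST:-}" "${TRAVIS_SECURE_ENV_VARS:-}" \
                    "${encrypted_42b9fd1_key:-}" "${encrypted_42b9fd1_iv:-}"; then
    openssl aes-256-cbc -K "$encrypted_42b9fd1_key" -iv "$encrypted_42b9fd1_iv" \
      -in secrets.tar.enc -out secrets.tar -d
    tar xf secrets.tar            # no -v: do not list secret file names in the log
    echo "secrets decrypted"      # never cat the decrypted files
  else
    echo "PR build or no secure env vars: skipping secret decryption" >&2
  fi
  return 0
}
```

Call `decrypt_secrets` from `before_install` instead of the three inline commands. Note that this only removes the failure mode; the real protection is the one the answer gives, namely that the key and iv are not handed to PR builds at all, so a malicious PR that edits `.travis.yml` to remove the guard still has nothing to decrypt with.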

Please read