Document env vars security #2534
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
tito-villalobos
suggested changes
Jul 27, 2018
jekyll/_cci2/security.md
Outdated
| @@ -18,7 +18,7 @@ Security is our top priority at CircleCI, we are proactive and we act on securit | |||
| ## Encryption | |||
| CircleCI uses HTTPS or SSH for all networking in and out of our service including from the browser to our services application, from the services application to your builder fleet, from our builder fleet to your source control system, and all other points of communication. In short, none of your code or data travels to or from CircleCI without being encrypted unless you have code in your builds that does so at your discretion. Operators may also choose to go around our SSL configuration or not use TLS for communicating with underlying systems. | |||
|
|
|||
| The nature of CircleCI is that our software has access to your code and whatever data that code interacts with. All jobs on CircleCI run in a sandbox (specifically, a Docker container or on-demand VM container) that stands alone from all other builds and is not accessible from the Internet or from your own network. The build container pulls code via git over SSH. Your particular test suite or job configurations may call out to external services or integration points within your network, and the response from such calls will be pulled into your jobs and used by your code at your discretion. After a job is complete the container that ran the job is destroyed and rebuilt. All environment variables you store inside CircleCI are encrypted at rest and sent to your job's containers using SSH. | |||
| The nature of CircleCI is that our software has access to your code and whatever data that code interacts with. All jobs on CircleCI run in a sandbox (specifically, a Docker container or on-demand VM container) that stands alone from all other builds and is not accessible from the Internet or from your own network. The build container pulls code via git over SSH. Your particular test suite or job configurations may call out to external services or integration points within your network, and the response from such calls will be pulled into your jobs and used by your code at your discretion. After a job is complete the container that ran the job is destroyed and rebuilt. All environment variables are stored using [Hashicorp Vault](https://www.vaultproject.io/). Environment variables are encrypted using AES256-GCM96 and are unavailable to CircleCI employees. | |||
There was a problem hiding this comment.
s/stored/encrypted/
Single word change but important for accuracy.
Detailed explanation for internal understanding:
Vault does secrets management in a number of different ways. It can store secrets directly, be an encryption service, integrate with aws security features, generate one-time-passwords, etc. We are looking to leverage different features of Vault for different CCI features.
For user environment variables, we use the Vault encryption service (they call it the "transit secret store"). It's technically possible to "store customer environment variables in vault", but we chose this approach because Postgres is better at scaling for large volumes of data.
Thus, we "encrypt environment variables using vault" and store the resulting ciphertext in postgres.
There was a problem hiding this comment.
@tito-villalobos Is that Postgres database in GPC or AWS?
There was a problem hiding this comment.
All of our production data stores are in AWS.
|
LGTM |
endocrimes
suggested changes
Jul 29, 2018
jekyll/_cci2/security.md
Outdated
| @@ -18,7 +18,7 @@ Security is our top priority at CircleCI, we are proactive and we act on securit | |||
| ## Encryption | |||
| CircleCI uses HTTPS or SSH for all networking in and out of our service including from the browser to our services application, from the services application to your builder fleet, from our builder fleet to your source control system, and all other points of communication. In short, none of your code or data travels to or from CircleCI without being encrypted unless you have code in your builds that does so at your discretion. Operators may also choose to go around our SSL configuration or not use TLS for communicating with underlying systems. | |||
|
|
|||
| The nature of CircleCI is that our software has access to your code and whatever data that code interacts with. All jobs on CircleCI run in a sandbox (specifically, a Docker container or on-demand VM container) that stands alone from all other builds and is not accessible from the Internet or from your own network. The build container pulls code via git over SSH. Your particular test suite or job configurations may call out to external services or integration points within your network, and the response from such calls will be pulled into your jobs and used by your code at your discretion. After a job is complete the container that ran the job is destroyed and rebuilt. All environment variables you store inside CircleCI are encrypted at rest and sent to your job's containers using SSH. | |||
| The nature of CircleCI is that our software has access to your code and whatever data that code interacts with. All jobs on CircleCI run in a sandbox (specifically, a Docker container or on-demand VM container) that stands alone from all other builds and is not accessible from the Internet or from your own network. The build container pulls code via git over SSH. Your particular test suite or job configurations may call out to external services or integration points within your network, and the response from such calls will be pulled into your jobs and used by your code at your discretion. After a job is complete the container that ran the job is destroyed and rebuilt. All environment variables are stored using [Hashicorp Vault](https://www.vaultproject.io/). Environment variables are encrypted using AES256-GCM96 and are unavailable to CircleCI employees. | |||
There was a problem hiding this comment.
"or on-demand VM container" should be "or an ephemeral VM". Virtual machines are not containers.
jekyll/_cci2/security.md
Outdated
| @@ -18,7 +18,7 @@ Security is our top priority at CircleCI, we are proactive and we act on securit | |||
| ## Encryption | |||
| CircleCI uses HTTPS or SSH for all networking in and out of our service including from the browser to our services application, from the services application to your builder fleet, from our builder fleet to your source control system, and all other points of communication. In short, none of your code or data travels to or from CircleCI without being encrypted unless you have code in your builds that does so at your discretion. Operators may also choose to go around our SSL configuration or not use TLS for communicating with underlying systems. | |||
|
|
|||
| The nature of CircleCI is that our software has access to your code and whatever data that code interacts with. All jobs on CircleCI run in a sandbox (specifically, a Docker container or on-demand VM container) that stands alone from all other builds and is not accessible from the Internet or from your own network. The build container pulls code via git over SSH. Your particular test suite or job configurations may call out to external services or integration points within your network, and the response from such calls will be pulled into your jobs and used by your code at your discretion. After a job is complete the container that ran the job is destroyed and rebuilt. All environment variables you store inside CircleCI are encrypted at rest and sent to your job's containers using SSH. | |||
| The nature of CircleCI is that our software has access to your code and whatever data that code interacts with. All jobs on CircleCI run in a sandbox (specifically, a Docker container or on-demand VM container) that stands alone from all other builds and is not accessible from the Internet or from your own network. The build container pulls code via git over SSH. Your particular test suite or job configurations may call out to external services or integration points within your network, and the response from such calls will be pulled into your jobs and used by your code at your discretion. After a job is complete the container that ran the job is destroyed and rebuilt. All environment variables are stored using [Hashicorp Vault](https://www.vaultproject.io/). Environment variables are encrypted using AES256-GCM96 and are unavailable to CircleCI employees. | |||
There was a problem hiding this comment.
"The build container pulls code via git over SSH." should be "The build agent pulls code via git over SSH."
jekyll/_cci2/security.md
Outdated
| @@ -18,7 +18,7 @@ Security is our top priority at CircleCI, we are proactive and we act on securit | |||
| ## Encryption | |||
| CircleCI uses HTTPS or SSH for all networking in and out of our service including from the browser to our services application, from the services application to your builder fleet, from our builder fleet to your source control system, and all other points of communication. In short, none of your code or data travels to or from CircleCI without being encrypted unless you have code in your builds that does so at your discretion. Operators may also choose to go around our SSL configuration or not use TLS for communicating with underlying systems. | |||
|
|
|||
| The nature of CircleCI is that our software has access to your code and whatever data that code interacts with. All jobs on CircleCI run in a sandbox (specifically, a Docker container or on-demand VM container) that stands alone from all other builds and is not accessible from the Internet or from your own network. The build container pulls code via git over SSH. Your particular test suite or job configurations may call out to external services or integration points within your network, and the response from such calls will be pulled into your jobs and used by your code at your discretion. After a job is complete the container that ran the job is destroyed and rebuilt. All environment variables you store inside CircleCI are encrypted at rest and sent to your job's containers using SSH. | |||
| The nature of CircleCI is that our software has access to your code and whatever data that code interacts with. All jobs on CircleCI run in a sandbox (specifically, a Docker container or on-demand VM container) that stands alone from all other builds and is not accessible from the Internet or from your own network. The build container pulls code via git over SSH. Your particular test suite or job configurations may call out to external services or integration points within your network, and the response from such calls will be pulled into your jobs and used by your code at your discretion. After a job is complete the container that ran the job is destroyed and rebuilt. All environment variables are stored using [Hashicorp Vault](https://www.vaultproject.io/). Environment variables are encrypted using AES256-GCM96 and are unavailable to CircleCI employees. | |||
There was a problem hiding this comment.
All of our production data stores are in AWS.
tito-villalobos
approved these changes
Jul 30, 2018
jekyll/_cci2/env-vars.md
Outdated
| @@ -42,6 +42,8 @@ Do not add secrets or keys inside the `.circleci/config.yml` file. | |||
| The full text of `config.yml` is visible | |||
| to developers with access to your project on CircleCI. | |||
| Store secrets or keys in [project](#setting-an-environment-variable-in-a-project) or [context]({{ site.baseurl }}/2.0/contexts/) settings in the CircleCI app. | |||
| For more information, | |||
| see the ["Encryption" section]({{ site.baseurl }}/2.0/security/#encryption) of the "Security" document. | |||
There was a problem hiding this comment.
Remove quotes on Encryption
endocrimes
approved these changes
Jul 31, 2018
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
This PR adds information about environment variable security to the Security document.
Reasons
In #2496, a user requested more information about how environment variables are secured.
Context
Fixes #2496 and resolves this JIRA issue.