Hello,
I am setting up octopus deploy for a project where I am using:
- Octopus variables to store e.g. the connection string, which I flag as sensitive
- Octopus substitution features to update the web.config file on the fly during deployment
At this point I have a web.config file with the correct connection string in clear text.
- Use a Deploy.ps1 script to encrypt the connection string section (using the same principles as in the step template: https://library.octopusdeploy.com/step-templates/c79b5e6b-88ac-47d5-8678-99e8ab2a1cd9/actiontemplate-configuration-encrypt-app-or-web-config-section)
Now I am setting a custom installation folder in the deployment step (let us call it $CustomWebInstallDirectory).
At this stage I have:
- my deployed application in $CustomWebInstallDirectory, with the encrypted connection string in the web.config file
- a copy of the whole application in the Octopus workspace files (the area where the Tentacle first deploys the package, before copying to $CustomWebInstallDirectory). Here the web.config is still in clear text.
The solution I have found is to:
- capture the location of the current folder in PreDeploy.ps1: at this point the package has not been copied to $CustomWebInstallDirectory yet, so the current directory is the location where the Tentacle script runs.
- in Deploy.ps1: use the captured value to delete the web.config file from the captured folder.
(In addition, should the encryption of any config file fail, I also delete it from $CustomWebInstallDirectory so that no clear text copy remains visible on the server.)
So my question is: is there a way to do all this better?
And a suggestion: in case nothing better exists today, perhaps encryption could be supported by Octopus natively? This would have the following advantages:
- The end user does not need to 'track' all possible copies of the application on the server
- Encryption might be handled directly on the Octopus server (on the fly):
  - Generate a key on the fly
  - Encrypt
  - Push the key (along the lines of aspnet_regiis.exe -pc <container name> and aspnet_regiis.exe -pa <container name> <application user>) along with the encrypted copy
  - Octopus server forgets the key
This way the target server never sees the clear text values.
Thanks and regards,
Antoine
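The PreDeploy.ps1 / Deploy.ps1 arrangement described in the post, written out as an added example; this is not Antoine's script and not Octopus Deploy's own code. It assumes that an output variable set with Set-OctopusVariable in PreDeploy.ps1 is readable by Deploy.ps1 of the same step under Octopus.Action[<step name>].Output.<name>, that the package step is named "Deploy Web App" (a placeholder), that Deploy.ps1 runs with $CustomWebInstallDirectory as its current directory, and that the 64-bit .NET 4.x aspnet_regiis.exe is at its default location. It adds one check the post does not mention: after aspnet_regiis returns, the web.config is re-read and the connectionStrings element must carry a configProtectionProvider attribute, otherwise the deployment is failed and the clear-text copy removed, so a silently unencrypted file is never left on the server.

```powershell
# --- PreDeploy.ps1 ----------------------------------------------------------
# Runs before the package is copied to the custom installation directory, so
# the current directory is still the Tentacle's extraction (workspace) folder,
# the place where the clear-text web.config lingers after deployment.
$workspace = (Get-Location).Path
Write-Host "Clear-text copy of the package is being extracted to: $workspace"
# Hand the path to Deploy.ps1 as an Octopus output variable (assumption: output
# variables set in PreDeploy are visible to Deploy within the same step).
Set-OctopusVariable -Name "ClearTextWorkspace" -Value $workspace

# --- Deploy.ps1 -------------------------------------------------------------
# Runs after the copy; the current directory is now $CustomWebInstallDirectory.
$installDir = (Get-Location).Path
$stepName   = "Deploy Web App"   # assumption: the name of this package step
$workspace  = $OctopusParameters["Octopus.Action[$stepName].Output.ClearTextWorkspace"]
$regiis     = Join-Path $env:windir "Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"

function Protect-ConfigSection {
    param([string]$Section, [string]$Directory)
    # -pef encrypts one section of the web.config found in $Directory; without
    # -prov it uses DataProtectionConfigurationProvider (DPAPI, machine scope),
    # so the file is only decryptable on this server.
    & $regiis -pef $Section $Directory
    return ($LASTEXITCODE -eq 0)
}

function Test-SectionEncrypted {
    param([string]$Directory, [string]$Section)
    # aspnet_regiis marks an encrypted section with a configProtectionProvider
    # attribute; its absence means the section is still clear text.
    [xml]$doc = Get-Content (Join-Path $Directory "web.config")
    $node = $doc.configuration.$Section
    return ($null -ne $node -and -not [string]::IsNullOrEmpty($node.configProtectionProvider))
}

function Remove-ClearTextConfig {
    param([string]$Directory)
    $cfg = Join-Path $Directory "web.config"
    if (Test-Path $cfg) {
        Remove-Item $cfg -Force
        Write-Host "Removed clear-text $cfg"
    }
}

try {
    if (-not (Protect-ConfigSection -Section "connectionStrings" -Directory $installDir)) {
        throw "aspnet_regiis failed with exit code $LASTEXITCODE"
    }
    if (-not (Test-SectionEncrypted -Directory $installDir -Section "connectionStrings")) {
        throw "connectionStrings section in $installDir\web.config is not encrypted"
    }
    Write-Host "connectionStrings section encrypted in $installDir\web.config"
}
catch {
    # Encryption failed: do not leave a clear-text web.config in the install directory.
    Remove-ClearTextConfig -Directory $installDir
    throw
}
finally {
    # The workspace copy is always clear text; remove it whatever happened above.
    if ($workspace -and $workspace -ne $installDir) {
        Remove-ClearTextConfig -Directory $workspace
    }
}
```

If the same encrypted web.config must be readable on several servers (a web farm), replace the default provider with RsaProtectedConfigurationProvider: create an exportable container once with aspnet_regiis -pc <container name> -exp, import it on each target, grant the application pool identity access with aspnet_regiis -pa <container name> <application user>, and pass -prov "RsaProtectedConfigurationProvider" to the -pef call above after adding a matching configProtectedData provider to the web.config. The check in Test-SectionEncrypted works unchanged, since both providers set the same attribute.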