Encrypted configuration files and custom installation folder

afaure · 12 May 2017 04:21

Hello,

I am setting up octopus deploy for a project where I am using:

octopus variables to store e.g.: the connection string, which I flag as sensitive
octopus substitution features to update web.config file on the fly during deployment

At this point : I have a web.config file with the correct connection string in clear text

Use Deploy.ps1 script to encrypt the connection string section (using the same principles as in the step template : https://library.octopusdeploy.com/step-templates/c79b5e6b-88ac-47d5-8678-99e8ab2a1cd9/actiontemplate-configuration-encrypt-app-or-web-config-section)

Now I am setting a custom installation folder in the deployment step (let us call it $CustomWebInstallDirectory)

At this stage I have:

my deployed application in $CustomWebInstallDirectory with encrypted connection string in the web.config file.
a copy of the whole application in the octopus workspace files (the area where the tentacle first deploys the package, before copying to $CustomWebInstallDirectory). Here the web.config is still in clear text

The solution I have found is to:

capture the location current folder in in PreDeploy.ps1 : at this point. the package has not been copied to $CustomWebInstallDirectory yet, so current directory is the location where the tentacle script.
In Deploy.ps1 : use the captured value to delete the web.config file from the captured folder

(In addition, should the encryption of any config file fail, I also delete them from $CustomWebInstallDirectory so that no clear text copy remain visible on the server)

So my question is: is there a way to do all this better ?

And a suggestion: in case nothing better exists today, perhaps encryption could be supported by Octopus natively ? This would have the following advantages:

The end user does not need to ‘track’ all possible copied of the application on the server
Encryption might be handled directly on the octopus server (on the fly)
- Generate a key on the fly
- Encrypt
- Push the key and the (along the line of aspnet_regiis.exe -pc <container name> and aspnet_regiis.exe -pa <container name> <application user>) along with the encrypted copy
- Octopus server forgets the key

This way the target server never sees the clear text values

Thanks and regards,
Antoine

Pawel_Pabich · 15 May 2017 01:45

Hi,

Thanks for getting in touch! At the moment the solution you’ve come up with is the way to do it in Octopus. And I agree that it is not a simple process.

If you believe this is something we should offer as an out of the box feature then please provide your feedback here.

Please let me know if this doesn’t solve your problem.

Regards,

Pawel