Enter your password to decrypt sensitive-variables

Hi

I use the “Offline Package Drop” a lot here due to a few of our clients not wanting our tentacles communicating with their prod servers, but I’m having an issue when using a sensitive variable in the project where the package is created, even though the sensitive variables are not scoped at all to this offline deployment.

Is there some magic Octopus variable I can set to ensure the offline deployment works correctly and does not ask for a password??

Looking through the project, there is only one single sensitive variable and it’s scoped to a client’s production site who do let us through, but yet all the variables JSON files are being output as .secrets files.

If there isn’t a way to get the offline package drop working correctly with having sensitive variables in a non-related place in the project, what/whose password is this prompt possibly wanting?

Regards
Gavin

Another slightly worrying thing is we deploy the package to three different places depending on role (Web/SQL/App) - the sensitive variable is scoped to App for a local environment, but the Web offline deployment is the only one with these .secret variables.

Does that bug still exist where setting a password to sensitive and then changing it back doesn’t remove the “sensitive” mark in the DB, as that’s all I can think is happening here?

Ahh I see what’s happened, it’s the password in the Offline Package Drop Deployment Target - I expected that to only apply if there were sensitive variables in place, so I’ve just removed the password from the target instead (maybe unsafe??)

Hi Gavin,

Thanks for getting in touch,

I’m sorry to hear you experienced this issue, I understand this can be frustrating.

I’m glad to see, however, you were able to identify the root cause of this.

As a security measure, any sensitive variables are written to a separate file which is then encrypted. To perform the encryption/decryption, a password is required. If your project does not contain any sensitive-variables, this field may be left un-set.

If a project is deployed to an offline package drop target which does not have an encryption password set, the deployment will fail with an indicative error.

If you require any assistance moving forward, please let me know 🙂

Kind Regards,

Reece

Hi Reece

I am now trying to deploy another project to the same offline package drop and it is giving this message:

This project contains sensitive-variables, but your offline-drop target does not have an encryption password set. Please set the encryption password on your offline-drop target and try this deployment again.

The problem, however, is there is not a single sensitive password scoped to the environment I’m dropping the packages to, so there is nothing sensitive to mask. It seems the logic for checking if sensitive variables are present is not working as it should?

Also, both projects have sensitive passwords in their variable list but yet one project happily deploys to this offline package drop whilst the other complains about sensitive variables…

Regards
Gavin

Hi Gavin,

Thanks for getting back to me,

I had another customer report an issue receiving this same error when no sensitive variables existed.

In their scenario, they did, however, have a password within a deploy package step that was considered a sensitive variable and an encryption password was required to proceed to the offline target.

In your scenario, do you have something similar in the affected project?

I’ve had a chat with the team regarding this as well. I’m going to create a GitHub issue that will provide more specific logging when encountering this error. (I’ll link this here after hearing back from you as to whether this was the problem or not.)

I look forward to hearing back from you 🙂

Kind Regards,

Reece

Hi Reece

Thanks for the pointer - I’ve checked my process and there is indeed like you said the password field!

The password field does just point to a variable though, so it really doesn’t need to be sensitive on that process page. We had a service deployment which was the same thing, except that was showing the #{ServicePassword} variable instead of ****, so I’ve gone back and amended the Web process to use Custom Expression so it now shows #{WebPass} instead of **** - I didn’t realise it still made it sensitive if you didn’t choose Custom Expression, even though it was still resolving the unsensitive passwords for our offline deployment (if that makes sense).

I’ve now removed the offline package drop passwords (we drop to 3 places dependent on App, SQL, Web role) and recreated the release and it now runs fine, without needing a password!

Thanks very much for that tip!

Regards
Gavin

Hi Gavin,

Thanks for getting back to me,

I greatly appreciate you letting me know the outcome of this, it really helps out!

As previously mentioned, I’ll create a GitHub issue for this to include a more specific error message.

I’ll update this ticket with this link as soon as possible.

If you require any further assistance in the interim, please let me know 🙂

Have a great day!

Kind Regards,

Reece