Offline package drop sensitive data


#1

Hi,

we are developing an application and use Octopus Deploy for internal environments. Our IT department manages the domain user and their passwords and the development team don’t know the passwords so they are configured as sensitive data in our Octopus project variables. Because the deployment process is complex we would like to offer our customers offline package drop for their deployments.

The problem is that the deployment target for the offline package drop can’t execute when the project has sensitive data, although the resulting properties for the offline package drop don’t use variables which are configured as sensitive data. Neither can we give our customers access to Octopus to add their passwords as sensitive data.

Do you have any suggestions to solve this problem?


(Jim Burger) #2

Hi @martin.lindner

Thanks for reaching out to us regarding offline package drops!

If I understand you correctly, you would like a way for consumers of the offline drop scripts to be prompted to enter their passwords at installation time?

Unfortunately, prompted variables must be entered at the time of the deployment, so there is no way around this right now. We do have an open suggestion on uservoice that you might like to throw some support behind this feature.

As an alternative, building a dedicated installation package for your customers that collects this information may work for you. For example, we use the Wix toolset to do this for our tentacle and Octopus server installers, although I believe this only works for Windows environments.

Hope this helps,


#3

Thanks for the reply.

Would there also be a way to get a non-encrypted variables file in this situation?
Because the variables configuration for this deployment target doesn’t contain sensitive.


(Jim Burger) #4

Hi @martin.lindner

I’m not sure if this solves your dilemma or not, but it is possible.

I just checked on 2018.9.17, I assume things haven’t changed in this area for some time. If you configure an offline drop target without an encryption password, and the project being deployed doesn’t reference any sensitive variables, then the zip file generated will contain a plaintext .json file of variables (located in the Variables folder), that will contain any non-sensitive project variables in it.

In addition, it looks as though (as at version 2018.9.17) if your project gets updated to start using sensitive variables, an error at deployment time is shown.

Kind regards,
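
A pre-shipping check for the plaintext variables file described in the reply above, as an added example that is not part of the original thread and not Octopus tooling. It assumes the variables file is a flat JSON object of name to value; the name patterns, archive layout and variable names are constructed for illustration.

```python
import io
import json
import re
import zipfile

# Name patterns that suggest a secret (assumed list; tune for your project).
SUSPECT_NAME = re.compile(
    r"(password|passwd|secret|token|api[-_.]?key|connectionstring)", re.I)


def audit_offline_drop(zip_bytes):
    """Return (path, variable_name) pairs for non-empty plaintext variables
    whose names suggest a secret, from JSON files under a Variables folder."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            parts = name.replace("\\", "/").split("/")
            if "Variables" not in parts[:-1] or not name.lower().endswith(".json"):
                continue
            try:
                data = json.loads(zf.read(name).decode("utf-8-sig"))
            except (UnicodeDecodeError, json.JSONDecodeError):
                continue  # not readable JSON, nothing to inspect in plaintext
            if not isinstance(data, dict):
                continue
            for key, value in data.items():
                if value and SUSPECT_NAME.search(key):
                    findings.append((name, key))
    return findings


def build_sample_drop():
    """Constructed sample archive; layout and variable names are made up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Variables/MyApp.variables.json", json.dumps({
            "Site.Name": "customer-portal",
            "Database.Password": "example-only",
            "Service.ApiKey": "",
        }))
        zf.writestr("Variables/broken.json", b"\x00\x01")
        zf.writestr("Packages/readme.json", json.dumps({"Admin.Password": "x"}))
    return buf.getvalue()


if __name__ == "__main__":
    for path, key in audit_offline_drop(build_sample_drop()):
        print(f"{path}: review variable '{key}' before shipping")
```

Variables that were never marked sensitive in the project are the ones this catches; a non-empty finding list is a reason to hold the drop until the variable is reviewed.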


#5

One question more.

Do I have to have an own Deployment target for this offline package drop? Currently we have one Deployment target with 2 environments configured. One environment for the Offline Package drop and one for the QA environment.

Kind regards,


(Jim Burger) #6

Hi @martin.lindner,

Forgive me if I haven’t fully understood the question, but an offline package drop is always a type of Deployment Target.

A deployment target can participate in any number of environments, so it can be in both its own environment and the QA environment, if required.

Hope this helps,