GradleFileEncrypt

Simply encrypt the sensitive data in your repository with a password

Primary language: Kotlin. License: Apache License 2.0.

File encryption plugin for Gradle


Simply encrypt files of a Gradle project with a password. The plugin will create an encrypted copy of the file with .encrypted extension. For example: secret_keys.properties -> secret_keys.properties.encrypted. Add secret_keys.properties to .gitignore and add secret_keys.properties.encrypted to VCS.

Add it to your project

Gradle plugin DSL

plugins {
    id 'com.cherryperry.gradle-file-encrypt' version '2.0.3'
}

Older Gradle versions, or where dynamic configuration is required

buildscript {
    repositories {
        maven { url 'https://plugins.gradle.org/m2/' }
    }
    dependencies {
        classpath 'gradle.plugin.com.cherryperry.gfe:gradle-file-encrypt:2.0.3'
    }
}

apply plugin: 'com.cherryperry.gradle-file-encrypt'

Password setup

Set the password as gfe.password in the local.properties file in the project root, as the GFE_PASSWORD environment variable, or as the -DGFE_PASSWORD Gradle system property.

You can create your own password provider via passwordProvider.

Configuration

gradleFileEncrypt {
    // files to encrypt
    plainFiles.from('signing.properties', 'app/google-services.json')
    // (optional) setup file mapping
    mapping = [ 'signing.properties' : 'secret/signing.properties' ]
    // (optional) setup password provider
    // if the built-in one is not secure enough for you
    passwordProvider = { return 'YOUR LOGIC HERE'.toCharArray() }
}

File mapping

Sometimes you need to save your encrypted files in another directory. You can configure that behavior with the mapping configuration. It is a simple Map<Object, Object>, where the key is the original file and the value is the target file without the .encrypted extension.

gradleFileEncrypt {
    plainFiles.from('src/main/resources/secure.properties')
    mapping = [ 'src/main/resources/secure.properties' : 'secure/keys' ]
}

Without the mapping, the encrypted file secure.properties.encrypted would be bundled with the app, because it is inside the resources folder. The mapping avoids this: the file secure/keys.encrypted will be the encrypted version of src/main/resources/secure.properties.

Encryption and decryption

You must set up the password before invoking these tasks.

Create encrypted files from plain files:

./gradlew encryptFiles

Create plain files from encrypted files (if files already exist, they will be overwritten):

./gradlew decryptFiles

Git ignore check

You can check whether your plain, unencrypted files are ignored by the .gitignore files in the project, so they won't appear in version control history.

./gradlew checkFilesGitIgnored

If any is not ignored, the task will fail and print which file is not ignored.
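An ignore rule only applies to files Git is not already tracking, so a plain file that was committed before it was added to .gitignore stays in the index and in earlier commits. The script below is an added example, not part of the plugin or this project; the function names and the sample repository are constructed for illustration. It reports, for each plain file, whether it lacks an ignore rule, is still tracked, or appears in any commit.

```shell
#!/bin/sh
# Added example, not part of the plugin: audit plain files against Git state.
# Usage: audit_plain_files <repo-dir> <plain-file>...
# Prints one finding per line and returns 1 if anything was found.
audit_plain_files() {
    local repo="$1" rc=0 f
    shift
    for f in "$@"; do
        # 1. No ignore rule matches (--no-index: evaluate the rules even for tracked files).
        if ! git -C "$repo" check-ignore -q --no-index -- "$f"; then
            echo "NOT_IGNORED $f"; rc=1
        fi
        # 2. Still in the index: an ignore rule never untracks a file added earlier.
        if git -C "$repo" ls-files --error-unmatch -- "$f" >/dev/null 2>&1; then
            echo "TRACKED $f"; rc=1
        fi
        # 3. Touched by at least one commit reachable from any ref.
        if [ -n "$(git -C "$repo" log --all --format=%H -- "$f" 2>/dev/null | head -n 1)" ]; then
            echo "IN_HISTORY $f"; rc=1
        fi
    done
    return $rc
}

# Constructed sample: signing.properties is committed first and ignored afterwards.
make_sample_repo() {
    local repo
    repo=$(mktemp -d)
    git -C "$repo" init -q
    echo 'storePassword=constructed-sample' > "$repo/signing.properties"
    git -C "$repo" add signing.properties
    git -C "$repo" -c user.name=sample -c user.email=sample@example.invalid \
        -c commit.gpgsign=false commit -q -m 'add signing config'
    echo 'signing.properties' > "$repo/.gitignore"
    echo "$repo"
}

# Example run against the constructed repository:
#   repo=$(make_sample_repo)
#   audit_plain_files "$repo" signing.properties
```

A file reported as IN_HISTORY has had its plaintext stored in the repository, so the secrets it contained should be treated as exposed and rotated.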

Gradle

The minimum recommended Gradle version is 6.8.3. Check supported versions here.

Samples

You can also see sample usage in my other projects:

  1. CherryPerry/Amiami-kotlin-backend
  2. CherryPerry/Amiami-android-app

Both projects are connected to the Travis CI service. The encryption password was set in the settings tab of each repository. The ./gradlew decryptFiles command was added to the pre-build script, so all files that contain private settings required for the build are decrypted before the build. The unencrypted files were added to .gitignore, so the repository contains only their encrypted versions. For local development I add the password to the local.properties file.