View sensitive variables w/ corresponding permissions
This is a highly debated idea. Should you be able to view sensitive variables through the UI to see their value if you have the right permissions set?
Currently the team at Octopus is very opinionated against this idea, but we would like to hear from the community about it (as we have had requests). Vote if you want it, comment if you don't.
Source: http://help.octopusdeploy.com/discussions/questions/4995

-
Swint De Coninck commented
The issue we have with this feature is that variables which don't have to be masked (not a password/username/IP address/...) are still masked in the logging of tasks run in Octopus.
Maybe a solution would be to add configuration on a per-script basis that makes it possible to turn this feature off for a certain script.
Or maybe provide a command that could be used in scripts to log certain variables without any masking of sensitive data.
Right now, it is not very helpful.
-
Anton Smolkov commented
Mimicked Ronnie Overby's function in PowerShell:

function DecodeSensitive ($EncodedValue, $MasterKey) {
    # The encoded value has the form "<base64 cipher>|<base64 salt>"
    $Cipher = [Convert]::FromBase64String($EncodedValue.Split('|')[0])
    $Salt = [Convert]::FromBase64String($EncodedValue.Split('|')[1])
    $Key = [Convert]::FromBase64String($MasterKey)

    # Create AesCryptoServiceProvider, put key and salt into it, extract decryptor
    [System.Security.Cryptography.AesCryptoServiceProvider]$Algorithm = [System.Security.Cryptography.AesCryptoServiceProvider]::new()
    $Algorithm.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $Algorithm.KeySize = 128
    $Algorithm.Key = $Key
    $Algorithm.BlockSize = 128
    $Algorithm.Mode = [System.Security.Cryptography.CipherMode]::CBC
    $Algorithm.IV = $Salt
    $Decryptor = $Algorithm.CreateDecryptor()

    # New memory stream, the decoded value will be put in there
    $MemoryStream = [IO.MemoryStream]::new()

    # Create new CryptoStream from MemoryStream, put encoded value (cipher) and decryptor in there, extract decrypted value.
    $CryptoStream = [Security.Cryptography.CryptoStream]::new($MemoryStream, $Decryptor, 'Write')
    $CryptoStream.Write($Cipher, 0, $Cipher.Length)
    try {
        $CryptoStream.FlushFinalBlock()
    }
    catch { Write-Error "Can't decode value. Probably the master-key is wrong." }
    $DecryptedValue = [System.Text.UTF8Encoding]::UTF8.GetString($MemoryStream.ToArray())

    # Clean up the memory
    $MemoryStream.Close()
    $CryptoStream.Close()
    $Decryptor.Dispose()
    $Algorithm.Clear()

    return $DecryptedValue
}

I also have made a script which can decrypt and replace any variable in Octopus.
See examples of usage in the script's body. Please don't forget to make a database backup/snapshot before running it.
https://github.com/AnSmol/HandyPoshScripts/blob/master/DevOps/OctoVarUnsensitifier.ps1
-
Taran commented
The method outlined here worked well for me: https://www.squirrelistic.com/blog/how_to_display_value_of_sensitive_variable_in_octopus_deploy
-
Ronnie Overby commented
I also agree that sensitive values in the UI are kept hidden. However, if you have the master key (or access to the server to retrieve the master key), it's not difficult at all to view your sensitive variable values. Here's a linqpad script that I whipped up:
https://github.com/ronnieoverby/linqpad-utils/blob/master/octopus%20sensitive%20variables.linq
-
Kevin Warnke commented
I like that the values are kept hidden. Perhaps offering a "validate" action where the user inputs what they believe the value should be and Octopus simply returns a "yes, that matches" or "no, it does not match". That should satisfy the requests around wanting to "make sure it's correct" without exposing the value via the UI.
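
The "validate" action suggested in the last comment, sketched as an added example (not Octopus code and not written by any commenter). A yes/no answer can be used to test guesses, so the sketch compares in constant time and caps attempts; the class name, the limits and the user and variable names are hypothetical.

```python
import hashlib
import hmac
import os
import time

MAX_ATTEMPTS = 5        # assumed policy: guesses allowed per user and variable
WINDOW_SECONDS = 300    # assumed policy: sliding window for counting guesses


class SecretValidator:
    """Hypothetical 'validate' action: answers match / no match, never the value."""

    def __init__(self, clock=time.monotonic):
        self._mac_key = os.urandom(32)  # random per-process key, kept server-side
        self._attempts = {}             # (user, variable) -> times of recent guesses
        self._clock = clock

    def _digest(self, value):
        # Fixed-length MACs: comparison time does not depend on the secret's
        # length or on how many leading characters of the guess are right.
        return hmac.new(self._mac_key, value.encode("utf-8"), hashlib.sha256).digest()

    def validate(self, user, variable, stored, guess):
        now = self._clock()
        key = (user, variable)
        recent = [t for t in self._attempts.get(key, []) if now - t < WINDOW_SECONDS]
        if len(recent) >= MAX_ATTEMPTS:
            self._attempts[key] = recent
            return "rate_limited"       # the guess is not evaluated at all
        self._attempts[key] = recent + [now]
        same = hmac.compare_digest(self._digest(stored), self._digest(guess))
        return "match" if same else "no_match"


def demo():
    """Run constructed guesses against a constructed secret using a fake clock."""
    fake_now = [0.0]
    validator = SecretValidator(clock=lambda: fake_now[0])
    stored = "constructed-sample-value"  # constructed, not a real secret
    guesses = ["guess1", "guess2", "guess3", "guess4", stored, stored]
    results = [validator.validate("alice", "Db.Password", stored, g) for g in guesses]
    fake_now[0] = WINDOW_SECONDS + 1     # window has passed, guesses allowed again
    results.append(validator.validate("alice", "Db.Password", stored, stored))
    return results


if __name__ == "__main__":
    print(demo())
```

The sixth call is refused even though the guess is correct, which is the point of the cap: once the limit is reached the action stops giving any signal about the stored value.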