Build Secrets

Philip Hutson
Jul 6, 2022

TL;DR: Use SpiderOak’s One Backup sync feature for build secrets.

Build secrets are a pain. You should never keep them in git, but you want them available any time you want to build a repo. Services like Dropbox, iCloud, or Google Drive would be a convenient way to keep them, but as can be seen by how many celebrities have had nudes leaked from those services, that doesn’t seem to be a better choice than git. Until recently I have been keeping my build secrets synced via a NAS. That also presented issues: I would find that I forgot to pull an updated secrets file at the worst possible time, such as at a customer’s site when I needed to deploy an emergency fix. I would lose time as I created a new secrets file to replace the forgotten one, and 20 minutes later I was finally able to build.

I finally found a more secure solution to the Dropbox style of services without sacrificing convenience. I started using the sync feature of SpiderOak’s One Backup (https://spideroak.com/one/). I set up a BuildFiles directory and set it to sync across all of my development machines. Then my build script will pull the files it needs to connect to the services it needs, such as Bitbucket, CodeCommit or AWS ECR, from that directory. I know that the directory on any of my machines is always updated because SpiderOak is taking care of it. I just drop the secrets into that directory and SpiderOak takes care of the rest.
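A build script can check the synced directory before it trusts a file from it. The function below is an added example, not the author's script: the names `BUILD_FILES_DIR`, `secret_path` and `aws-ecr.env` and the `$HOME/BuildFiles` location are assumptions. It refuses a secrets directory that sits inside the repository being built, a file that has not synced yet, and a file that other local users can read.

```shell
#!/usr/bin/env bash
# Added example; BUILD_FILES_DIR, secret_path and the file names are assumed.

# Directory kept in sync across development machines (assumed location).
BUILD_FILES_DIR="${BUILD_FILES_DIR:-$HOME/BuildFiles}"

# Print the absolute path of a secrets file, or fail with a reason on stderr.
# $1 = file name inside BUILD_FILES_DIR, $2 = root of the repo being built.
secret_path() {
    local name="$1" repo_root="$2" dir repo file perms
    dir=$(cd "$BUILD_FILES_DIR" 2>/dev/null && pwd -P) || {
        echo "secrets dir missing: $BUILD_FILES_DIR" >&2; return 2; }
    repo=$(cd "$repo_root" 2>/dev/null && pwd -P) || {
        echo "repo root missing: $repo_root" >&2; return 2; }
    # Secrets must live outside the working tree so they cannot be committed.
    case "$dir/" in
        "$repo"/*) echo "secrets dir is inside the repo: $dir" >&2; return 3 ;;
    esac
    # Only plain file names are accepted, so a caller cannot escape the dir.
    case "$name" in
        */*|"") echo "bad secret name: $name" >&2; return 4 ;;
    esac
    file="$dir/$name"
    # A missing file usually means the sync has not caught up on this machine.
    [ -f "$file" ] && [ ! -L "$file" ] || {
        echo "secret not synced yet: $file" >&2; return 5; }
    # Characters 5-10 of the ls mode string are the group/other bits.
    perms=$(ls -ld -- "$file" | cut -c5-10)
    [ "$perms" = "------" ] || {
        echo "secret readable by other users: $file" >&2; return 6; }
    printf '%s\n' "$file"
}

# Usage inside a build script (file name is a constructed example):
#   . "$(secret_path aws-ecr.env "$PWD")" || exit 1
```
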

Build pipelines such as Jenkins or CodeBuild have solved the problem of keeping secrets available and secure via secure storage, but there has been a lack of solutions for doing this for on-demand builds locally. SpiderOak’s One Backup solves the secrets problem securely, conveniently and at a reasonable price.
