Cloud Platform

Encrypting keys and variables

A build definition file may need to include sensitive information, such as SSH keys or passwords that are needed to access private resources, but you do not want to include these in plain text in your build definition file. You can encrypt this sensitive information, and then use the encrypted value in a secure element in the build definition file.

Encrypting your information

You can use either the Cloud Platform interface or the command line to encrypt your variables and keys that are to be stored with your codebase. Follow the procedures based on your selected method:

  • Using the Cloud Platform interface

    1. Sign in to the Cloud Platform user interface.

    2. Select the application that you want to use.

    3. In the left menu, click Pipelines.

    4. Click More Links.

    5. Click Encrypt Credentials.

    6. To encrypt an environment variable, click Environment Variable, and type the name of your variable and its value into the fields provided.

    7. To encrypt an SSH key, click SSH Keys, and then use one of the following methods to provide the contents of your key:

      • Drag your key into the box to copy its contents; the field will turn blue to indicate when you’ve dragged it to the correct place.

      • Copy and paste the contents of your key into the field.

    8. Click Encrypt. The encrypted version of your information will appear in the box to the right.

    9. Click the Copy icon to copy the encrypted information to your clipboard.

    10. Click Close.

  • Using the command line

    To encrypt an SSH private key, execute the following command, replacing [~/.ssh/id_rsa] with the actual path to the SSH private key you want to encrypt:

    cat [~/.ssh/id_rsa] | pipelines encrypt -

    To encrypt arbitrary text (such as a password), use the following command, replacing my password (but not the enclosing quotation marks) with your text:

    echo "my password" | pipelines encrypt -


    Additional command-line encryption examples are available in the 301 tutorial - Accessing private repositories example on GitHub.

You are now ready to add your encrypted information to your code repository.

Placing encrypted information in your codebase

Regardless of what encrypted information you are adding to your codebase, after adding the information, be sure to commit your changes to your code repository.

Encrypted SSH keys should be stored in the ssh-keys element of your acquia-pipelines.yaml file with a name of your choosing. For example:

    secure: 2acIshWAndTh1sG0esOn . . .

The decrypted SSH private key will then be available during your build.


The default format of SSH keys generated by OpenSSH version 7.8 or later is incompatible with Pipelines. For more information, see this known issue.

Encrypted variables should be stored in the variables element of your acquia-pipelines.yaml file with a variable name of your choosing. For example:

        secure: 2acqDl…

The decrypted value will be available as an environment variable during your build.


For more information about the acquia-pipelines.yaml file, see Creating and managing your build definition file. For more information about default environment variables available to you, see Default environment variables in Pipelines. Example build definition files are available at Example Pipelines build definition files.