Encrypting secrets for the REST API
In order to create or update a secret with the REST API, you must encrypt the value of the secret.
In this article
About encrypting secrets
Several REST API endpoints let you create secrets on GitHub. To use these endpoints, you must encrypt the secret value using libsodium. For more information, see thelibsodium documentation.
In order to encrypt a secret, you need a Base64 encoded public key. You can get a public key from the REST API. To determine which endpoint to use to get the public key, look at the documentation for theencrypted_value parameter in the endpoint that you will use to create a secret .
Example encrypting a secret using Node.js
If you are using Node.js, you can encrypt your secret using the libsodium-wrappers library. For more information, seelibsodium-wrappers.
In the following example, replaceYOUR_SECRET with the plain text value that you want to encrypt. ReplaceYOUR_BASE64_KEY with your Base64 encoded public key. The documentation for the endpoint that you will use to create a secret will tell you which endpoint you can use to get the public key.ORIGINAL is not a placeholder; it is a parameter for the libsodium-wrappers library.
const sodium = require('libsodium-wrappers')const secret = 'YOUR_SECRET'const key = 'YOUR_BASE64_KEY'//Check if libsodium is ready and then proceed.sodium.ready.then(() => { // Convert the secret and key to a Uint8Array. let binkey = sodium.from_base64(key, sodium.base64_variants.ORIGINAL) let binsec = sodium.from_string(secret) // Encrypt the secret using libsodium let encBytes = sodium.crypto_box_seal(binsec, binkey) // Convert the encrypted Uint8Array to Base64 let output = sodium.to_base64(encBytes, sodium.base64_variants.ORIGINAL) // Print the output console.log(output)});const sodium =require('libsodium-wrappers')const secret ='YOUR_SECRET'const key ='YOUR_BASE64_KEY'//Check if libsodium is ready and then proceed.sodium.ready.then(() => {// Convert the secret and key to a Uint8Array.let binkey = sodium.from_base64(key, sodium.base64_variants.ORIGINAL)let binsec = sodium.from_string(secret)// Encrypt the secret using libsodiumlet encBytes = sodium.crypto_box_seal(binsec, binkey)// Convert the encrypted Uint8Array to Base64let output = sodium.to_base64(encBytes, sodium.base64_variants.ORIGINAL)// Print the outputconsole.log(output)});Example encrypting a secret using Python
If you are using Python 3, you can encrypt your secret using the PyNaCl library. For more information, seePyNaCl.
In the following example, replaceYOUR_SECRET with the plain text value that you want to encrypt. ReplaceYOUR_BASE64_KEY with your Base64 encoded public key. The documentation for the endpoint that you will use to create a secret will tell you which endpoint you can use to get the public key.
from base64 import b64encodefrom nacl import encoding, publicdef encrypt(public_key: str, secret_value: str) -> str: """Encrypt a Unicode string using the public key.""" public_key = public.PublicKey(public_key.encode("utf-8"), encoding.Base64Encoder()) sealed_box = public.SealedBox(public_key) encrypted = sealed_box.encrypt(secret_value.encode("utf-8")) return b64encode(encrypted).decode("utf-8")encrypt("YOUR_BASE64_KEY", "YOUR_SECRET")from base64import b64encodefrom naclimport encoding, publicdefencrypt(public_key:str, secret_value:str) ->str:"""Encrypt a Unicode string using the public key.""" public_key = public.PublicKey(public_key.encode("utf-8"), encoding.Base64Encoder()) sealed_box = public.SealedBox(public_key) encrypted = sealed_box.encrypt(secret_value.encode("utf-8"))return b64encode(encrypted).decode("utf-8")encrypt("YOUR_BASE64_KEY","YOUR_SECRET")Example encrypting a secret using C#
If you are using C#, you can encrypt your secret using the Sodium.Core package. For more information, seeSodium.Core.
In the following example, replaceYOUR_SECRET with the plain text value that you want to encrypt. ReplaceYOUR_BASE64_KEY with your Base64 encoded public key. The documentation for the endpoint that you will use to create a secret will tell you which endpoint you can use to get the public key.
var secretValue = System.Text.Encoding.UTF8.GetBytes("YOUR_SECRET");var publicKey = Convert.FromBase64String("YOUR_BASE64_KEY");var sealedPublicKeyBox = Sodium.SealedPublicKeyBox.Create(secretValue, publicKey);Console.WriteLine(Convert.ToBase64String(sealedPublicKeyBox));var secretValue = System.Text.Encoding.UTF8.GetBytes("YOUR_SECRET");var publicKey = Convert.FromBase64String("YOUR_BASE64_KEY");var sealedPublicKeyBox = Sodium.SealedPublicKeyBox.Create(secretValue, publicKey);Console.WriteLine(Convert.ToBase64String(sealedPublicKeyBox));Example encrypting a secret using Ruby
If you are using Ruby, you can encrypt your secret using the RbNaCl gem. For more information, seeRbNaCl.
In the following example, replaceYOUR_SECRET with the plain text value that you want to encrypt. ReplaceYOUR_BASE64_KEY with your Base64 encoded public key. The documentation for the endpoint that you will use to create a secret will tell you which endpoint you can use to get the public key.
require "rbnacl"require "base64"key = Base64.decode64("YOUR_BASE64_KEY")public_key = RbNaCl::PublicKey.new(key)box = RbNaCl::Boxes::Sealed.from_public_key(public_key)encrypted_secret = box.encrypt("YOUR_SECRET")# Print the base64 encoded secretputs Base64.strict_encode64(encrypted_secret)require"rbnacl"require"base64"key =Base64.decode64("YOUR_BASE64_KEY")public_key =RbNaCl::PublicKey.new(key)box =RbNaCl::Boxes::Sealed.from_public_key(public_key)encrypted_secret = box.encrypt("YOUR_SECRET")# Print the base64 encoded secretputsBase64.strict_encode64(encrypted_secret)