Implement Azure DevOps secure files

  • 3 minutes

Azure DevOps secure files implement encrypted storage infrastructure for sensitive file assets including code signing certificates, SSH keys, and third-party provisioning profiles within Azure DevOps organizational boundaries. Files receive at-rest encryption utilizing 2048-bit RSA keys with Azure DevOps protected resource designation restricting access to authorized users and pipelines exclusively. Encryption keys persist within Azure Key Vault infrastructure managed internally by Azure DevOps platform operations.

Secure files integration with Azure DevOps CI/CD workflows enables direct sensitive file consumption within pipeline execution contexts. Access control mechanisms within Azure DevOps support fine-grained permission management governing secure file upload, download, and pipeline utilization capabilities.

Implementation

Secure file implementation encompasses sensitive file upload to Azure DevOps followed by pipeline or release definition referencing.

Secure file upload workflow:

  1. Navigate to Azure DevOps project within web portal interface.
  2. Select Pipelines or Releases tab aligned with intended secure file utilization context.
  3. Access Library from left-side navigational menu.
  4. Select Secure files followed by + Secure file initiating upload workflow.
  5. Select target file and assign descriptive identifier.

Pipeline permission grant workflow:

  1. Select newly provisioned secure file.
  2. Navigate Pipeline permissions from secure file properties toolbar.
  3. Select Add pipeline (+) button within Configure secure file pane.
  4. Select authorized pipeline(s) from current project pipeline inventory granting secure file access.

YAML pipeline secure file reference implementation:

Secure file consumption within YAML pipelines utilizes DownloadSecureFile@1 task. The following example demonstrates certificate secure file download and Linux system installation:

- task: DownloadSecureFile@1
  name: caCertificate
  displayName: 'Download CA certificate'
  inputs:
    secureFile: 'myCACertificate.pem'
- script: |
    echo Installing $(caCertificate.secureFilePath)
    sudo chown root:root $(caCertificate.secureFilePath)
    sudo chmod a+r $(caCertificate.secureFilePath)
    sudo ln -s -t /etc/ssl/certs/ $(caCertificate.secureFilePath)