Tags: java, github, private-key

Application depends on private keys, can they be stored in GitHub


Our Java application is a job which SFTP's files to a remote location with a private key. For non-PROD testing, there is a lower-environment private key, and PROD has its own upper-environment private key.

If we don't check in any private keys into GitHub with the project, then a new developer will immediately fail on building/running the app. Both the job and its unit tests require a Private Key to exist somewhere on the user's machine. The only solution is to include a README.MD warning for new developers: "Obtain a private key, put it somewhere on your machine, and set the variable SFTP_PRIVATE_KEY in application.yaml to that location -- before you do anything!"

If we do check in the Non-PROD Private Key into GitHub, and the checked-in application.yaml points to that key, everything will work for new developers from the ground up. But we've heard that it's never allowed to check in any keys into GitHub.

Is it at least allowed to check in the Non-PROD Private Key into GitHub, to simplify this initial setup, or is it never a good idea?

SFTP Application code using the private key, e.g.:

// The identity (private key file plus its passphrase) must be registered before the session is connected
jSch.addIdentity(filePrivateKey.getAbsolutePath(), sftpPrivateKeyPassphrase);
// ... session/channel setup omitted ...
byteArrayInputStreamJSON = new ByteArrayInputStream(bytesJSON);
channelSftp.put(byteArrayInputStreamJSON, filename);

Solution

  • I think you sincerely misunderstand what a private key is: Private. It should never leave the origin host. And yet, you want to commit and push it to GitHub?

    I get what you're trying to do, but conceptually you're approaching it wrong.

    If you want to continue with ssh+private keys, then new devs need to generate a new keypair and then add their public key to .ssh/authorized_keys - you can do this by using a previous key.

    Another approach: if you really insist on sharing accounts and keys, then instead of checking it into GitHub, provision new dev laptops with the private key already on their box. Or put the key on a shared internal drive/mount that requires authentication. Then update your process to use that specific key: scp -i /path/to/mykey user@host for either of these cases.

    Finally, you can use a key with password encryption. At that point you share the password with your devs and you can put the private key anywhere you want (though, security experts would cringe). Sharing the password should be out-of-band.

    If you're looking for a zero effort solution, there isn't one and that's by design. Private keys are meant to be private and also individual to a user. If you share a key, it's like sharing a password. Would you check a password into GitHub? Many would, but then no one should cry when they have security breaches.
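As an added example (not part of the question or the answer above): a small POSIX sh check, usable as a git pre-commit hook, that refuses to commit any staged file that looks like a private key, so the non-PROD key cannot reach GitHub by accident. The function names and the key-marker patterns are my own assumptions, not anything from the original project.

```shell
#!/bin/sh
# Hypothetical pre-commit check (example code): block commits that stage
# private key material. Install by copying into .git/hooks/pre-commit and
# appending the line: pre_commit_check

# Return 0 if the file carries a private-key marker, 1 otherwise.
# Covers PEM/OpenSSH/PGP "PRIVATE KEY" headers and PuTTY .ppk files.
looks_like_private_key() {
    grep -qE -e '-----BEGIN [A-Z ]*PRIVATE KEY[A-Z ]*-----' \
             -e '^PuTTY-User-Key-File-' -- "$1"
}

# Scan every path given as an argument. Reports offenders on stderr and
# returns 1 if any were found, 0 if all files are clean.
scan_for_private_keys() {
    found=0
    for f in "$@"; do
        [ -f "$f" ] || continue          # skip deleted paths and directories
        if looks_like_private_key "$f"; then
            echo "refusing to commit private key material: $f" >&2
            found=1
        fi
    done
    return $found
}

# Hook entry point: scan the files added/copied/modified in the index.
# Splits git's output on newlines only, so paths with spaces survive.
pre_commit_check() {
    old_ifs=$IFS
    IFS='
'
    set -f                                # no globbing of path names
    set -- $(git diff --cached --name-only --diff-filter=ACM)
    set +f
    IFS=$old_ifs
    scan_for_private_keys "$@"
}

# Run directly with paths as arguments to scan them without git.
if [ "$#" -gt 0 ]; then
    scan_for_private_keys "$@"
fi
```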