Private key security updates/fixes

deployments/Dockerfiles/autonomy/scripts/start.sh

@@ -52,8 +52,14 @@ function handleCosmosConnectionKeyAndCerts() {
     if [ ! -f "cosmos_private_key.txt" ]; then
         generateKey cosmos
     fi
-    aea add-key cosmos --connection
-    aea issue-certificates
+
+    if [[ "$AEA_PASSWORD" != "" ]]; then
+        aea add-key cosmos --connection --password $AEA_PASSWORD
+        aea issue-certificates --password $AEA_PASSWORD
+    else
+        aea add-key cosmos --connection
+        aea issue-certificates
+    fi
 }
 
 function runAgent() {

docs/advanced_reference/commands/autonomy_deploy.md

@@ -114,6 +114,31 @@ autonomy deploy build keys.json -ltm
 
 Builds a service deployment using the keys stored in the file `keys.json` and applying environment variables to the service configuration file. The deployment will be generated by default for as many agents as keys are stored in `keys.json`. By default, the command searches for the file `keys.json`, if no file name is provided.
 
+### Private key security
+
+When building deployments, you can use password protected privates keys (eg. generated using `autonomy generate-key LEDGER --password PASSWORD`) to avoid exposing them. 
+
+#### Docker Compose
+
+In a `docker-compose` deployment you can just export `OPEN_AUTONOMY_PRIVATE_KEY_PASSWORD` environment variable before running the deployment like
+
+```bash
+OPEN_AUTONOMY_PRIVATE_KEY_PASSWORD=PASSWORD autonomy deploy run --build-dir PATH_TO_BUILD_DIR
+```
+
+or 
+
+```bash
+OPEN_AUTONOMY_PRIVATE_KEY_PASSWORD=PASSWORD docker-compose -f PATH_TO_BUILD_DIR/docker-compose.yaml up
+```
+
+#### Kubernetes
+
+In a `kubernetes` deployment, you'll have to export the `OPEN_AUTONOMY_PRIVATE_KEY_PASSWORD` variable when building the deployment, not when running.
+
+```bash
+OPEN_AUTONOMY_PRIVATE_KEY_PASSWORD=PASSWORD autonomy deploy build (...)
+```
 
 ## `autonomy deploy run`