Best practices for using Ansible Vault: SSH keys and pushing Vault to Git?

Hello everyone 🙂

I’m a French student working on a school project where we migrate an on-premises application to AWS using Ansible.
The infrastructure is deployed on AWS (EC2, RDS, etc.) and Ansible is used for configuring the servers.

In my current inventory, I defined sensitive variables like db_user and db_pass directly in YAML files.
It works, but I know this is a practice that should be completely avoided outside of a school context.

While reworking this project to improve it, I discovered Ansible Vault.
Now I would like to ask:

  • Is it possible (and recommended) to also store SSH keys in Ansible Vault?
  • Is it safe to push a Vault-encrypted file to Git? (I assume yes since it’s encrypted, but I’m still doubtful when thinking about a production use case 😬).

Thanks in advance for your advice and feedback!

Is it possible (and recommended) to also store SSH keys in Ansible Vault?

Yes. You can encrypt string values or entire files using vault.
On a more pedantic note, you don’t store things in Ansible Vault. Vault is just a command line tool used to encrypt or decrypt values. It is similar to encoding or decoding something with base64 (obviously, vault is more secure).

Is it safe to push a Vault-encrypted file to Git?

It uses AES256 for encryption. It is very secure; I think storing secrets in git was probably a big use case when they created it.


One warning: the security of an Ansible Vault encrypted file (or string) depends very much on the strength of the password. If you’re using short / simple passwords, or passwords that can easily be found by dictionary attacks, then Vault is not exactly safe. (The best encryption won’t help you.) But if you’re using strong passwords (preferably long, randomly generated ones), then it is safe. (I would still make sure that the Git repo has access restrictions to limit access to the least necessary number of persons.)
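The two replies above make two practical points: a vault-encrypted file or `!vault` string is what belongs in git (never the plaintext, never the vault password file), and the protection is only as good as the password behind it. The following script is an added example written for this thread, not code from the forum or from the Ansible project. It implements a pre-push check that inspects file contents without decrypting anything: it recognises the `$ANSIBLE_VAULT;1.x;AES256` header that `ansible-vault encrypt` and `ansible-vault encrypt_string` produce, flags sensitive-looking YAML keys whose values are plaintext, refuses raw SSH private keys and vault password files, and generates a long random password for the vault password file. The key-name patterns, the password file names and the sample repository tree are assumptions and constructed data, chosen to illustrate the checks.

```python
"""Pre-push checks for a repository that keeps Ansible Vault secrets in git.
Added example for this thread; not from Ansible.  Nothing here decrypts a
payload, so no vault password is needed to run it.  All inputs at the bottom
are constructed sample data."""
import re
import secrets
import string

# First line of a file produced by `ansible-vault encrypt`, or the line after a
# `!vault |` tag from `ansible-vault encrypt_string`.  Format 1.2 appends the
# vault id label (e.g. ";prod").
VAULT_HEADER = re.compile(r"^\$ANSIBLE_VAULT;1\.[12];AES256(;[\w.-]+)?\s*$")

# Variable names that usually hold a secret (db_pass, api_token, ...).
# Assumed heuristic: widen or narrow to match your own naming convention.
SENSITIVE_KEY = re.compile(
    r"^(?P<indent>\s*)(?P<key>[\w-]*(pass|passwd|password|secret|token|private_key)[\w-]*)"
    r"\s*:\s*(?P<value>.*)$",
    re.IGNORECASE,
)

# Assumed file names for a vault password file; these must stay out of git.
PASSWORD_FILE_NAMES = (".vault_pass", ".vault_password", "vault_pass.txt", "vault-password")

ALPHABET = string.ascii_letters + string.digits  # ~5.95 bits per character


def is_vault_encrypted(text: str) -> bool:
    """True if the whole file is an ansible-vault payload (header on line 1)."""
    first = text.lstrip("\ufeff").splitlines()[:1]
    return bool(first) and VAULT_HEADER.match(first[0]) is not None


def find_plaintext_secrets(yaml_text: str) -> list:
    """Return (line_no, key) for sensitive-looking keys whose value is neither a
    vault-encrypted inline string nor a Jinja reference to another variable."""
    findings = []
    lines = yaml_text.splitlines()
    for idx, line in enumerate(lines):
        m = SENSITIVE_KEY.match(line)
        if not m:
            continue
        key, value = m.group("key"), m.group("value").strip()
        if key.lower().endswith(("_file", "_path")):
            continue  # a path to a key file, not the key material itself
        if value.startswith("!vault"):
            # Inline encrypted value: the ciphertext header must follow on the next line.
            nxt = lines[idx + 1].strip() if idx + 1 < len(lines) else ""
            if VAULT_HEADER.match(nxt):
                continue
        elif value.startswith(("{{", '"{{', "'{{")):
            continue  # indirection such as "{{ vault_db_pass }}": secret lives in vault.yml
        findings.append((idx + 1, key))
    return findings


def audit_tree(files: dict) -> list:
    """files maps relative path -> content.  Returns problem strings; an empty
    list means the tree is safe to push."""
    problems = []
    for path, text in files.items():
        name = path.rsplit("/", 1)[-1]
        if name in PASSWORD_FILE_NAMES:
            problems.append(f"{path}: vault password file must never be committed")
        elif name.startswith("vault") and name.endswith((".yml", ".yaml")):
            if not is_vault_encrypted(text):
                problems.append(f"{path}: expected an ansible-vault payload, found plaintext")
        elif name.endswith((".yml", ".yaml")):
            for line_no, key in find_plaintext_secrets(text):
                problems.append(f"{path}:{line_no}: '{key}' is stored in plaintext")
        elif name.startswith("id_") or name.endswith(".pem"):
            # An SSH private key is fine only as a vault payload, never as raw PEM.
            if "PRIVATE KEY" in text and not is_vault_encrypted(text):
                problems.append(f"{path}: unencrypted private key")
    return problems


def generate_vault_password(length: int = 48) -> str:
    """Random password for the vault password file (48 alphanumerics ~ 285 bits).
    Alphanumerics only, so the value survives shell quoting and copy/paste."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


# Constructed sample repository; ciphertext bodies are placeholders, not real output.
SAMPLE_TREE = {
    "group_vars/db/vars.yml": 'db_user: app\ndb_pass: "{{ vault_db_pass }}"\n',
    "group_vars/db/vault.yml": "$ANSIBLE_VAULT;1.1;AES256\n66386439653236336462\n",
    "group_vars/web/vars.yml": "api_token: hunter2\nssh_private_key_file: ~/.ssh/id_rsa\n",
    "host_vars/app1.yml": "db_pass: !vault |\n  $ANSIBLE_VAULT;1.1;AES256\n  30366466\n",
    ".vault_pass": "correct-horse-battery-staple\n",
    "files/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed\n-----END OPENSSH PRIVATE KEY-----\n",
}

if __name__ == "__main__":
    for problem in audit_tree(SAMPLE_TREE):
        print(problem)
    print("example vault password:", generate_vault_password())
```

Run against the sample tree it reports three problems (the plaintext `api_token`, the committed `.vault_pass`, and the raw `files/id_rsa`) while accepting the encrypted `vault.yml`, the `!vault` inline value and the `{{ vault_db_pass }}` indirection. Wiring it into a git pre-commit or CI step catches the mistake of committing the plaintext side of a file before it was encrypted; the generated password goes into a file that is gitignored and passed with `--vault-password-file`.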