Lookup plugin that uses SSH agent for decrypting data

Hi,

Is it technically possible to encrypt some sensitive data using an available SSH public key, so that only the owner of the private key could read it with the help of the SSH agent?

Why?

  1. No need to remember one more password.
  2. No need to send the password to a person who needs to read the file.
  3. No need to run one more agent.

That is an interesting idea :) It would mean as a team you would need to add a specific (team) key to your agent (and ensure this key is sufficiently protected) in order to execute the playbook.

So some way to test if the key is loaded before starting the playbook (or as part of the playbook) would be useful.
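One way to do that pre-flight test, as an added example (not code from the thread or from Ansible): a small POSIX sh gate that checks the agent's identity list for the team key's fingerprint before `ansible-playbook` is started. The fingerprint and key path are placeholders; the real fingerprint comes from `ssh-keygen -lf team_key.pub`.

```shell
#!/bin/sh
# Added example, not from the thread: refuse to start a playbook unless the team key is
# loaded in the running ssh-agent. TEAM_KEY_FP below is a constructed placeholder.

# key_loaded FINGERPRINT [LISTING]
# Returns 0 if FINGERPRINT appears in LISTING, which is the output of `ssh-add -l`
# (queried from the agent when LISTING is not passed). `ssh-add -l` exits 1 when the
# agent holds no identities and 2 when no agent is reachable; both give an empty
# listing here and therefore a non-zero return.
key_loaded() {
    fp=$1
    if [ $# -ge 2 ]; then
        listing=$2
    else
        listing=$(ssh-add -l 2>/dev/null) || listing=""
    fi
    printf '%s\n' "$listing" | grep -qF -- "$fp"
}

# require_key FINGERPRINT
# Pre-flight gate for a wrapper script: prints a hint and returns 1 if the key is missing.
require_key() {
    if key_loaded "$1"; then
        return 0
    fi
    echo "team key $1 is not loaded in ssh-agent; run: ssh-add /path/to/team_key" >&2
    return 1
}

TEAM_KEY_FP="SHA256:0000000000000000000000000000000000000000000"  # placeholder fingerprint
# Typical use in a wrapper around the playbook run:
# require_key "$TEAM_KEY_FP" && ansible-playbook site.yml
```

The same check can run from inside the play as a local `command: ssh-add -l` task whose output is inspected, but doing it in the wrapper fails before any hosts are contacted. Matching on the full `SHA256:` fingerprint rather than the key comment avoids being fooled by a differently named key with the same comment.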

The initial idea was to have the same data encrypted by multiple keys, so that anyone from the team can open it, and you don't need to give everybody some team key or team password - just add all public keys to the chain.

Of course this is possible only when the basic problem of reusing the SSH agent for decryption can be solved.

You can encrypt data using GPG keys for multiple recipients - each recipient can access the data using his/her GPG key. GPG keys can also be used to authorize SSH access via the Monkeysphere Project (http://web.monkeysphere.info/).
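The multi-recipient encryption this reply describes, as an added example (not code from the thread, from Ansible, or from Monkeysphere): one gpg call that encrypts a secret to every team member's public key, and the matching decrypt that any one of them can run with their own private key. Recipient addresses and file names are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: encrypt one secret to several GPG recipients so that
# any single holder of a matching private key can decrypt it. Recipient IDs are placeholders.

# encrypt_for_team OUTFILE RECIPIENT [RECIPIENT...]   (plaintext is read from stdin)
# Adds one --recipient per team member, so the file carries one session-key packet per key
# and no shared team secret exists. With DRY_RUN=1 the command line is printed instead of
# executed, which is what the test below checks without needing a keyring.
encrypt_for_team() {
    out=$1
    shift
    [ $# -ge 1 ] || { echo "encrypt_for_team: need at least one recipient" >&2; return 2; }
    cmd="gpg --batch --yes --armor --encrypt --output $out"
    for r in "$@"; do
        cmd="$cmd --recipient $r"
    done
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$cmd"
        return 0
    fi
    $cmd
}

# decrypt_secret FILE
# Prints the plaintext; the exit status is gpg's, so it is non-zero when none of the
# recipient keys is available to this user.
decrypt_secret() {
    gpg --quiet --batch --decrypt "$1"
}

# Typical use (placeholders): add a key with -r, re-run, commit the .asc file.
# printf '%s' 's3cret' | encrypt_for_team secrets/sudo_pass.asc alice@example.com bob@example.com
# decrypt_secret secrets/sudo_pass.asc
```

The decrypted value can be fed into a play through Ansible's built-in `pipe` lookup, for example `"{{ lookup('pipe', 'gpg --quiet --batch --decrypt secrets/sudo_pass.asc') }}"`. Two caveats: `--batch` makes gpg refuse to encrypt to a key that is not valid in your web of trust, so either sign the team members' keys or add `--trust-model always` and accept that key validity is then not checked; and removing a recipient requires re-encrypting the file, since the old copy in version control stays readable with the removed key.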

It’s been suggested that vault be taught to use GPG keys in addition to passwords, which is something I’m open to.

No pull requests have been submitted just yet - unless I’m misremembering.

Not against the option, by any means.

(Using SSH keys feels a little weird?)

Good pointer. It seems like there is no way to reuse the SSH agent to decrypt the vault. I need to read more about how GPG handles this, and I am somewhat concerned about the security of Monkeysphere.

You can keep your GPG keys in a private keyserver (sks for example), and distribute them to your servers that way.

It is super easy to do this with GPG, but afaik impossible to use this for e.g. the sudo password:

http://paste.fedoraproject.org/94407/78404139

It might not be error free due to Ansible's bad encoding behaviour, and I stopped using it once I found out I cannot use it for sudo passwords.

Regards
Till

If modifying vault to include GPG, the sudo password could be set with ansible_sudo_pass and then encoded with vault.