Ooops! I just pushed my unencrypted vault/secrets file to the Git repo...

Hello everyone, I had opened this “feature suggestion” issue:

https://github.com/ansible/ansible/issues/9990

And Toshio suggested I discuss it on the mailing list, so here I go:

The problem:

It is easy to add an unencrypted vault file to the Git index before committing. The nature of Git will cause the secrets to be in the repo “forever”, unless a git reset + git force push is done.

A solution:

Have a switch that causes encrypted files to be named differently (e.g. append a suffix) from the clear YAML file,
so that the clear file can be added to .gitignore.

This sounds like the simplest solution, but maybe there is a simpler way that could work without requiring changes/features in the current ansible version.

Thanks for reading!

I solved this problem with a naming convention, and a git hook that
rejected files with that naming convention that were unencrypted (it's
pretty easy to tell - even when encrypted, they're still plain text,
and there's a header.)
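The following is an added illustration of the approach the reply describes, not the poster's own hook: a POSIX sh pre-commit hook that looks at every staged file whose name follows a vault naming convention and refuses the commit if the staged content does not start with the Ansible Vault header. The naming convention used here (basename containing "vault") is an assumption chosen for the example; the header prefix `$ANSIBLE_VAULT;` is what `ansible-vault` writes on the first line of an encrypted file. The check reads the staged blob (`git show :path`) rather than the working tree, so it inspects exactly what would be committed even if the file was encrypted after `git add`.

```shell
#!/bin/sh
# Example pre-commit hook (added illustration, not the project's or the
# poster's code). Install as .git/hooks/pre-commit and make it executable.

# Naming convention (assumption for this example): any staged path whose
# basename contains "vault" is expected to be vault-encrypted.
VAULT_NAME_PATTERN='*vault*'

# ansible-vault writes a plain-text first line such as "$ANSIBLE_VAULT;1.1;AES256";
# the prefix is enough to recognise an encrypted file.
VAULT_HEADER='$ANSIBLE_VAULT;'

# Return 0 when the first line of the given content carries the vault header.
# $1: file content as a string
is_vault_encrypted() {
    first_line=$(printf '%s\n' "$1" | head -n 1)
    case "$first_line" in
        "$VAULT_HEADER"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 when the basename of the given path matches the naming convention.
# $1: repository-relative path
matches_vault_convention() {
    case "${1##*/}" in
        $VAULT_NAME_PATTERN) return 0 ;;
        *) return 1 ;;
    esac
}

# Check every staged (added or modified) file that follows the convention.
# Returns 1 if at least one such file is not encrypted, 0 otherwise.
check_staged_files() {
    bad=0
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        matches_vault_convention "$path" || continue
        # ":$path" names the staged blob, i.e. what the commit would contain.
        if ! is_vault_encrypted "$(git show ":$path")"; then
            echo "pre-commit: $path matches the vault naming convention but is not encrypted" >&2
            bad=$((bad + 1))
        fi
    done <<EOF
$(git diff --cached --name-only --diff-filter=AM)
EOF
    [ "$bad" -eq 0 ]
}

# Only run the repository check when git invokes this file as the hook, so the
# functions above can also be loaded and exercised outside a repository.
case "${0##*/}" in
    pre-commit)
        check_staged_files || {
            echo "pre-commit: refusing to commit; run 'ansible-vault encrypt' on the files above" >&2
            exit 1
        }
        ;;
esac
```

Two caveats worth keeping in mind: a client-side hook is a safety net, not enforcement, since `git commit --no-verify` skips it and every clone has to install it; the same check in a server-side pre-receive hook is what actually keeps plaintext out of the shared history. And once a plaintext secret has been pushed, rewriting history only removes the file; the secret itself has to be rotated.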

Cool, would you mind sharing your git hook config/code?