Secret variables / data: encryption

Yep, there’s nothing to say a YAML encryptor algorithm could not just encrypt the “leaf” values of every YAML data structure, and also insert some code at the top to indicate it is “vaulted”, even if something is as simple as a top-level YAML hash element called “vault”.

What about a YAML interpreter hook like:

var: !!encrypted $6$ASDFSDH$%^DFF#$@E23435fSFWEFsd

I would put key location, method and salt in ansible.cfg/env vars.

We don’t want to do anything that uses more YAML arcanery. I want to keep us free to represent things in other data structures, so things should be done at the data structure level.

Also any vault metadata stuff it should have to save, which should be basically nothing, should be in each file if possible.
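The leaf-encryption idea above (a tagged value per leaf, a top-level “vault” element for the non-secret metadata, and everything done on the data structure rather than on YAML syntax), as an added example that is not Ansible’s code and not the design this thread settled on. It works on a plain Python dict/list tree, so it is independent of the serializer; the `!encrypted` prefix, the `vault` element layout and the function names are assumptions for illustration. Only the standard library is used: PBKDF2-HMAC-SHA256 to derive keys from a passphrase, an HMAC-SHA256 counter-mode keystream for confidentiality, and a separate HMAC-SHA256 tag checked before decryption (encrypt-then-MAC), so a wrong passphrase or a tampered value is detected rather than silently producing garbage.

```python
"""Encrypt only the leaf values of a config tree; keep keys and structure readable.

Added example, not Ansible's vault. Marker prefix, metadata layout and
function names are hypothetical. Standard library only.
"""
import base64
import hashlib
import hmac
import json
import os

TAG_PREFIX = "!encrypted "   # hypothetical marker for an encrypted leaf
VAULT_VERSION = 1
KDF_ITERATIONS = 200_000


def _derive_keys(passphrase, salt, iterations):
    """Derive independent encryption and MAC keys from one passphrase."""
    master = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, iterations, dklen=64)
    return master[:32], master[32:]


def _keystream(key, nonce, length):
    """Counter-mode keystream: HMAC-SHA256(key, nonce || counter), concatenated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return bytes(out[:length])


def _encrypt_leaf(value, enc_key, mac_key):
    plaintext = json.dumps(value).encode()  # JSON keeps the scalar's type (int, bool, str, null)
    nonce = os.urandom(16)                  # fresh per leaf: a keystream must never be reused
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, "sha256").digest()
    return TAG_PREFIX + base64.b64encode(nonce + ct + tag).decode()


def _decrypt_leaf(token, enc_key, mac_key):
    blob = base64.b64decode(token[len(TAG_PREFIX):])
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expected):   # check integrity before touching the plaintext
        raise ValueError("vault tag mismatch: wrong passphrase or tampered value")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return json.loads(pt)


def _walk(node, fn):
    """Apply fn to every scalar leaf, preserving dict keys and list order."""
    if isinstance(node, dict):
        return {k: _walk(v, fn) for k, v in node.items()}
    if isinstance(node, list):
        return [_walk(v, fn) for v in node]
    return fn(node)


def vault_encrypt(data, passphrase):
    """Return a copy of `data` with every leaf encrypted plus a top-level 'vault' element."""
    if "vault" in data:
        raise ValueError("'vault' is reserved for the marker element")
    salt = os.urandom(16)
    enc_key, mac_key = _derive_keys(passphrase, salt, KDF_ITERATIONS)
    doc = _walk(data, lambda v: _encrypt_leaf(v, enc_key, mac_key))
    doc["vault"] = {  # non-secret parameters live with the file, as the thread suggests
        "version": VAULT_VERSION,
        "kdf": "pbkdf2-sha256",
        "iterations": KDF_ITERATIONS,
        "salt": base64.b64encode(salt).decode(),
    }
    return doc


def vault_decrypt(doc, passphrase):
    """Inverse of vault_encrypt; leaves without the marker pass through unchanged."""
    meta = doc["vault"]
    enc_key, mac_key = _derive_keys(passphrase, base64.b64decode(meta["salt"]), meta["iterations"])
    body = {k: v for k, v in doc.items() if k != "vault"}
    return _walk(body, lambda v: _decrypt_leaf(v, enc_key, mac_key)
                 if isinstance(v, str) and v.startswith(TAG_PREFIX) else v)


if __name__ == "__main__":
    # Constructed sample data, not from any real inventory.
    secrets = {"db": {"user": "app", "password": "hunter2", "port": 5432}, "hosts": ["a", "b"]}
    vaulted = vault_encrypt(secrets, "correct horse")
    print(json.dumps(vaulted, indent=2))           # keys stay visible, leaves do not
    assert vault_decrypt(vaulted, "correct horse") == secrets
```

Because the structure stays in clear, diffs of a vaulted file still show which key changed, and a plain (unmarked) leaf can coexist with encrypted ones in the same tree. The salt and iteration count are deliberately stored in the file: they are not secret, and keeping them there means the only out-of-band input is the passphrase (or, in the GPG-agent variant discussed below, a key held by the agent).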

I would recommend that before a solution is prepared:

  • most common usage scenarios of such a feature are known

  • exactly which security attacks the solution should protect you against

I also like the idea of not reinventing the wheel and using GPG agent (most OSes have support for its keys) or something that is known to work and be secure. Imho those who want to use these advanced features should know how to set up and work with GPG keys.

Greetings,
gw

You know, you could probably do this right now, today, with a combination of gpg & shell/command/raw

Playbook contains crypted text. Shell module calls out to gpg/agent/whatever and you register the decrypted result. (Does that make a secret show up in ps?)

Remember, keys are only for public key crypto. Symmetric crypto doesn’t need 'em.
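The “do it today with gpg and the shell module” pattern described above, as an added example that is not from the original thread. It also answers the ps question in the defensive direction: the ciphertext is fed to gpg on standard input rather than as a command-line argument, so neither it nor the plaintext appears in the process’s argv, and `no_log` keeps the registered plaintext out of Ansible’s own output. The `stdin` option of the shell module and `no_log` are real Ansible features but newer than this discussion; the variable names are assumptions, and gpg-agent is assumed to hold the private key.

```yaml
# Constructed example: db_password_gpg holds an ASCII-armored message encrypted
# to the operator's GPG key; gpg-agent supplies the private key.
- name: Decrypt a secret stored inline in the playbook
  shell: gpg --quiet --batch --decrypt
  args:
    stdin: "{{ db_password_gpg }}"   # ciphertext via stdin, not argv, so it is absent from ps
  register: db_password
  no_log: true                        # keep the registered plaintext out of logs and -v output
  changed_when: false

- name: Use the decrypted value
  debug:
    msg: "decrypted {{ db_password.stdout | length }} characters"
  no_log: true
```

The plaintext still exists in `db_password.stdout` for the rest of the play and on the controller’s memory, which is the part of the problem a shell-module workaround cannot solve; the maintainer’s reply below is about not making that the official interface.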

Yeah, we’re not going to have playbook commands be part of that interface.

Want something a lot smoother than that :)