Can the password for my actual vault file, as shown, /etc/ansible/group_vars/.vltfile.yml, be encrypted? Will Ansible auto-decrypt it? My client vault file, which holds the actual user names and password, is encrypted, but I never found or discovered if your password vault file can be from the docs. Thank you!
Long answer: yes, but ... you need to provide it decrypted for
Ansible to use; this can just end up 'offsetting' the secret over and
over as you chain them. Normally system permissions should be enough
to keep the secret safe. For those that don't find this as enough, you
can store the secret elsewhere and use a 'vault secrets script' to
retrieve it; this lets you integrate with things like an HSM or other
security devices/databases.
If you are using a script instead of a flat file, ensure that it is
marked as executable, and that the password is printed to standard
output. If your script needs to prompt for data, prompts can be sent
to standard error.
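
A sketch of such a vault password script, added here as an illustration and not taken from the thread or from the Ansible project. The variable `VAULT_SECRET_CMD` (the command that fetches the secret from the external store) and the file name `vault-pass.sh` are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Save as an executable file (chmod 700)
# and pass it to --vault-password-file; Ansible takes the password from stdout.
# VAULT_SECRET_CMD is a hypothetical variable holding the command that fetches
# the secret from wherever it is stored (HSM wrapper, secrets database, ...).

# True if group or others can write to the path: anyone who can edit the
# script or the vault file can redirect or replace the secret.
is_loosely_writable() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \))" ]
}

fetch_vault_password() {
    if [ -n "${VAULT_SECRET_CMD:-}" ]; then
        # Backend diagnostics stay on stderr, away from the password.
        secret=$(sh -c "$VAULT_SECRET_CMD") || {
            echo "vault-pass: backend command failed" >&2
            return 1
        }
    else
        # No backend configured: prompt on stderr, read the reply from stdin.
        printf 'Vault password: ' >&2
        rc=0
        if [ -t 0 ]; then stty -echo; fi
        IFS= read -r secret || rc=1
        if [ -t 0 ]; then stty echo; echo >&2; fi
        [ "$rc" -eq 0 ] || return 1
    fi
    if [ -z "$secret" ]; then
        echo "vault-pass: empty secret, refusing to print it" >&2
        return 1
    fi
    printf '%s\n' "$secret"   # the only thing written to stdout
}

# Run only when saved under the assumed file name vault-pass.sh.
if [ "${0##*/}" = "vault-pass.sh" ]; then
    if is_loosely_writable "$0"; then
        echo "vault-pass: $0 is group/world writable" >&2
        exit 1
    fi
    fetch_vault_password
fi
```

Because only the final `printf` writes to standard output, anything the backend or the prompt emits on standard error cannot end up inside the password Ansible reads.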