I can’t be the only one having this problem:
We’re using vault files to store sensitive info (such as passwords or private keys). Vault files, along with Ansible playbooks, roles, inventories, etc are checked into GitHub.
Using git works great for all Ansible files, except vaults. They’re binary. Merging contributions from multiple team members is a nightmare.
Any ideas how to make life with vaults less painful?
I've heard of a couple of ideas for doing value-level encryption in
Ansible, including from someone at Red Hat / Ansible (Justin Nemmers)
last October at AnsibleFest, but no details about whether anything like
this might make it into Ansible at some point.
I think it'd be a great feature, but maybe there aren't that many people
who want to store encrypted information in their revision control system,
dunno.
-Josh (jbs@care.com)
(apologies for the automatic corporate disclaimer that follows)
This email is intended for the person(s) to whom it is addressed and may contain information that is PRIVILEGED or CONFIDENTIAL. Any unauthorized use, distribution, copying, or disclosure by any person other than the addressee(s) is strictly prohibited. If you have received this email in error, please notify the sender immediately by return email and delete the message and any attachments from your system.
This is a problem with all encryption/versioning, as encryption is supposed to change dramatically for small changes in source.
Vault is not binary, it is just encrypting the whole file in this case so any change will create a different ‘encrypted string’ as per above.
Ansible already supports ‘single variable’ encryption in a vars file, which will mitigate this issue.
This is a problem with all encryption/versioning, as encryption is
supposed to change dramatically for small changes in source.
Sure, but if you only encrypt the values, then when you change one of the
values, or when you change something that isn't encrypted at all, the
others don't change, and you can get a useful diff.
Ansible already supports 'single variable' encryption in a vars file,
which will mitigate this issue.
I searched for "single variable" on docs.ansible.com, and didn't see
anything. Got a pointer to more info?
-Josh (jbs@care.com)
(apologies for the automatic corporate disclaimer that follows)
This email is intended for the person(s) to whom it is addressed and may contain information that is PRIVILEGED or CONFIDENTIAL. Any unauthorized use, distribution, copying, or disclosure by any person other than the addressee(s) is strictly prohibited. If you have received this email in error, please notify the sender immediately by return email and delete the message and any attachments from your system.
As far as git is concerned, vault might as well be binary. Anyway, it doesn’t know how to diff/merge it. And that’s the root of the problem here.
https://github.com/building5/ansible-vault-tools
https://stackoverflow.com/questions/29937195/how-to-diff-ansible-vault-changes
https://selivan.github.io/2016/11/29/ansible-human-readable-git-diff-for-vault.html
HTH
Ted
https://github.com/building5/ansible-vault-tools
https://stackoverflow.com/questions/29937195/how-to-diff-ansible-vault-changes
https://selivan.github.io/2016/11/29/ansible-human-readable-git-diff-for-vault.html
These are neat, but they're not value-level encryption. You still can't do
a 'find ... grep' through your clone to find where a variable is defined,
if it's an file whose contents are entirely encrypted.
Ansible already supports 'single variable' encryption in a vars file,
which will mitigate this issue.
Brian, any pointers to more info about this?
-Josh (jbs@care.com)
This email is intended for the person(s) to whom it is addressed and may contain information that is PRIVILEGED or CONFIDENTIAL. Any unauthorized use, distribution, copying, or disclosure by any person other than the addressee(s) is strictly prohibited. If you have received this email in error, please notify the sender immediately by return email and delete the message and any attachments from your system.
http://docs.ansible.com/ansible/playbooks_vault.html#single-encrypted-variable
Ooh, that looks terrific, and that page shows up when I search for "single
encrypted variable" now, which it didn't when I checked a week or two ago.
Thanks!
-Josh (jbs@care.com)
(apologies for the automatic corporate disclaimer that follows)
This email is intended for the person(s) to whom it is addressed and may contain information that is PRIVILEGED or CONFIDENTIAL. Any unauthorized use, distribution, copying, or disclosure by any person other than the addressee(s) is strictly prohibited. If you have received this email in error, please notify the sender immediately by return email and delete the message and any attachments from your system.
I'm using hashicorp's https://vaultproject.io/ to store secrets, and
then doing lookups in ansible playbooks to retrieve the secrets. This
works brilliantly, using https://github.com/jhaals/ansible-vault/ as a
plugin. You can use the file backend of vault, and wire that up to a
git/github repo to store the secrets. The encrypted files are unusable
without the unseal keys, and thus you have a nice separation of concerns
/repos between key storage and ansible tasks.
A+
Dave