Re: [ansible-project] Vault pseudo leaf encryption

[Petros Moisiadis]

On 03/21/14 13:54, ralov...@gmail.com wrote: Hi all. (reposting because of a silly copy/paste error - sorry about that.) Vault was a great addition to Ansible. Some complained about the lack of leaf encryption. I just published a blog post about a few of our practices involving Ansible, and here is an excerpt about how we easily work around this limitation. Hope it helps some of you. (Blog post is here: http://reinteractive.net/posts/167-ansible-real-life-good-practices) Excerpt: Vault Pseudo leaf encryption Very recently, with version 1.5, Ansible introduced Ansible Vault, a way to encrypt data in the playbook, and decrypt it at run time. This feature was highly requested, and gives Ansible its true place among platform management tools. The thing is: what we like about Ansible is the readability, and encryption has a way of making things, well, less readable… ansible-vault command will encrypt or decrypt the whole var file, you can not encrypt just the value of a variable. The solution is simple enough: create a second var file, just for the sensitive data. But this raises another issue: your variables are now spread over multiple files, and some of them encrypted. This can get messy. For instance, if you define a dictionary of variables and only one of them is sensitive, you have to encrypt the whole dictionary. Leaf encryption was (is) a feature request, but in the meantime, there is an elegant way of keeping it both readable and secure: nested variables. For every sensitive variable, you create a prefixed double that goes in an encrypted file. # var_file db_password: {{ vaulted_db_passord }} # and for a dctionnary aws: - "access_key_id='abcdefgh'" - "secret_access_key='{{ vaulted_aws_secret_access_key }}'" # vault_file vaulted_db_passord: a_super_secret vaulted_aws_secret_access_key: the_aws_secret That way, you can manipulate all your vars like before, knowing the vaulted version stays encrypted. You can even solve the problem of having someone responsible for the encrypted file and the rest of the team never seeing its content but still being able to manage var files as they need. -- You received this message because you are subscribed to the Google Groups "Ansible Project" group. To unsubscribe from this group and stop receiving emails from it, send an email to ansible-project+unsubscr...@googlegroups.com. To post to this group, send email to ansible-project@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/2a8a43b6-b358-46a4-9d38-7874efc2fa8c%40googlegroups.com. For more options, visit https://groups.google.com/d/optout. Well, it will work, but this is still a workaround. You still have to maintain two files and edit them both for a single addition. Also, it becomes more complicated if you have repeated variable names and values. For example, how much complexity you have to introduce in your separate vault file in order to handle a simple variable file like the following ? system_users:   - username: john     password: secret_password_1   - username: alice     password: secret_password_2 db_users:   - username: john     password: another_secret_password_1   - username: alice     password: another_secret_password_2 Unfortunately, the Ansible team has not (yet) given an answer on whether a command-line option to enable a simple syntax for leaf-node encryption mode would be considered for ansible-vault (keeping the current whole-file encryption mode as the default mode). There was a feature request for this mode and discussion by many people _before_ vault's release and it seems it is still desired by people _after_ vault's release. -- You received this message because you are subscribed to the Google Groups "Ansible Project" group. To unsubscribe from this group and stop receiving emails from it, send an email to ansible-project+unsubscr...@googlegroups.com. To post to this group, send email to ansible-project@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/532C4F9E.6030303%40yahoo.gr. For more options, visit https://groups.google.com/d/optout.