Ansible is configuration management software that can manage anything from a few computers to a large fleet. Because it does not install a client on the managed devices, its configuration, playbooks and settings can all be maintained on one computer that acts as the Ansible controller. But how do you keep the data on this one computer safe? The answer is Ansible Vault (and good security practices).
Before progressing, if you are new to Ansible please check out some of my previous blog posts about Ansible.
Ansible Vault allows you to encrypt and decrypt files with one-line commands. For example, let's say we have a file called secret_information.txt.
And in the file secret_information.txt is a super secret, confidential piece of information that is meant for geektechstuff.com readers only.
This file is going to be copied to every geektechstuff.com computer, but should be kept secret. Using the command:
ansible-vault encrypt secret_information.txt
and entering a password, the file is encrypted.
The file looks no different in a directory listing, but if it is opened its contents are shown encrypted. In this case I have used the command:
But cat or a text editor (e.g. Nano or Vim) could be used to get similar results. The first line of the file is the Ansible Vault header, which shows that Ansible Vault has encrypted the file with an AES-256 cipher.
The file can be decrypted using the command:
ansible-vault decrypt secret_information.txt
This decrypts the file and makes the data readable again to commands like cat, less and nano, once the correct password has been entered.
If you want to edit an Ansible Vault encrypted file you could decrypt it, edit it and then encrypt it again, but this is a little long-winded; instead you can use the command:
ansible-vault edit secret_information.txt
This creates a temporary file and launches an editor for you to edit the text in the file.
Once you are done editing, save and close. The changes are saved, the file remains encrypted and the temporary file is removed.
What happens if you don't want to type a password every time, though? This is where the --vault-id option of ansible-vault can help. For this example I am going to use the same secret_information.txt file (hopefully the top secret data has not leaked out yet) alongside the opening few paragraphs of Lewis Carroll's Alice in Wonderland.
I've placed this opening text into a file called alice.txt. It should be suitable to secure our top secret information as it contains lots of characters: upper case and lower case letters and punctuation marks.
Then, when using the ansible-vault commands, an additional option called --vault-id is added, which takes a file whose contents are used as the vault password. In this example that file is alice.txt, holding the opening of Alice in Wonderland.
ansible-vault ACTION --vault-id ID_FILE FILE_TO_USE_ACTION_ON
ansible-vault encrypt --vault-id alice.txt secret_information.txt
ansible-vault edit --vault-id alice.txt secret_information.txt
ansible-vault decrypt --vault-id alice.txt secret_information.txt
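Since the whole point is that secret_information.txt is copied to every computer only in its encrypted form, a practical safeguard on the controller is a check (for example in a pre-commit hook) that every file meant to be secret actually carries the Ansible Vault header described above before it leaves the machine. The following Python is an added example for this post, not Ansible's own code: it parses the header line, whose layout is $ANSIBLE_VAULT;<format version>;<cipher> for version 1.1 and $ANSIBLE_VAULT;1.2;<cipher>;<label> when a labelled --vault-id was used, and confirms the body is the hex text Ansible writes. The file names and contents are constructed for the example (the hex bodies are made up and not real ciphertext), and the check is deliberately stricter than Ansible's own parser so that anything unexpected is flagged. Remember that a password file such as alice.txt must itself be kept out of version control and readable only by the controller user.

```python
"""Check that files meant to be secret are Ansible Vault encrypted.

Added example, not Ansible's own code. Only the envelope is inspected:
    $ANSIBLE_VAULT;<version>;<cipher>[;<vault-id label>]
followed by a body of hex characters wrapped at 80 columns.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

VAULT_MAGIC = "$ANSIBLE_VAULT"
SUPPORTED_VERSIONS = {"1.1", "1.2"}
SUPPORTED_CIPHERS = {"AES256"}
HEX_CHARS = set("0123456789abcdef")


@dataclass(frozen=True)
class VaultHeader:
    version: str
    cipher: str
    label: Optional[str]  # vault-id label, only present in format 1.2


def parse_vault_header(text: str) -> Optional[VaultHeader]:
    """Return the parsed header if text is a vault file, otherwise None."""
    first_line, _, body = text.partition("\n")
    fields = first_line.strip().split(";")
    if fields[0] != VAULT_MAGIC:
        return None
    if len(fields) == 3:
        _, version, cipher = fields
        label = None
    elif len(fields) == 4:
        _, version, cipher, label = fields
    else:
        return None
    if version not in SUPPORTED_VERSIONS or cipher not in SUPPORTED_CIPHERS:
        return None
    # Strict by design: a label belongs to format 1.2 only.
    if version == "1.1" and label is not None:
        return None
    if version == "1.2" and not label:
        return None
    # The body must be non-empty lowercase hex; anything else is not a
    # vault payload (e.g. a header pasted on top of plaintext).
    payload = "".join(body.split())
    if not payload or not set(payload) <= HEX_CHARS:
        return None
    return VaultHeader(version=version, cipher=cipher, label=label)


def find_unencrypted(files: List[Tuple[str, str]]) -> List[str]:
    """Given (path, contents) pairs that should all be secret, return the
    paths that are NOT vault-encrypted so a hook can refuse the commit."""
    return [path for path, contents in files if parse_vault_header(contents) is None]


# Constructed sample inputs (hex bodies are made up, not real ciphertext).
ENCRYPTED_11 = (
    "$ANSIBLE_VAULT;1.1;AES256\n"
    "66386439653236336462626566653063336164663966303231363934653561363964363833313662\n"
    "6431626313934313566666639373734356331313933340a636638356138363736\n"
)
ENCRYPTED_12 = "$ANSIBLE_VAULT;1.2;AES256;alice\n" + "ab" * 40 + "\n" + "cd" * 16 + "\n"
PLAINTEXT = "This is the super secret information for geektechstuff.com readers only.\n"
FAKE_HEADER = "$ANSIBLE_VAULT;1.1;AES256\nnot hex at all\n"

SAMPLE_FILES = [
    ("secret_information.txt", ENCRYPTED_11),
    ("group_vars/all/vault.yml", ENCRYPTED_12),
    ("secret_information.txt.bak", PLAINTEXT),
    ("tampered.txt", FAKE_HEADER),
]

if __name__ == "__main__":
    for path, contents in SAMPLE_FILES:
        print(f"{path}: {parse_vault_header(contents)}")
    print("Not encrypted:", find_unencrypted(SAMPLE_FILES))
```

Running the script reports the version, cipher and label for the two vault files and lists secret_information.txt.bak and tampered.txt as not encrypted; the stray .bak copy is exactly the kind of leftover that a decrypt/edit/encrypt cycle can leave behind and that the edit subcommand avoids.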