The Ansible project has introduced a new feature called vault which allows us to encrypt configuration files with a symmetric AES key. The idea is you have playbooks or vars files which contain sensitive data, and you want to protect this data from prying eyes, say, when you check the files into a repository or generally share them.

In order to use these encrypted files, the ansible and ansible-playbook utilities have acquired a new command-line option called --ask-vault-pass which prompts for the secret key in order for Ansible to be able to decrypt and hence use the files while it does its "thing".

$ ansible-vault create jp.yml
Vault password:
Confirm Vault password:

[ ... edit file ... ]

$ cat jp.yml

$ ansible-playbook --ask-vault-pass jp.yml
Vault password:

This is useful as a first cut of the feature, but I'm disappointed, and the worst bit is: it's my fault.

I'm disappointed because we can use one password only on files which belong to a single playbook, unless I've misunderstood something. Also, this will not work in "pull mode" because there's no one there to enter the password. Update 2014-02-28: a command --vault-password-file ~/.vault_pass.txt was added in the mean time. I'm also disappointed because the whole file is encrypted, not just the individual values which I consider worthy of protection. At the time, I said:

I don't think encrypting vars files completely is useful: makes things like grep, and diff impossible to use.

I believe it was I who kicked off the discussion of a vault feature, after a number of people I spoke to had requested something able to protect sensitive data. (We also talked about this when we met in Antwerp at the Ansible day.) My original post to the Ansible mailing-list is dated June 2013, and a very long discussion ensued, with lots of good ideas being thrown around.

We closed my first pull-request, which contained a very early prototype implemented as a lookup plugin (if I recall correctly; it was maybe a Jinja2 filter ..), and further, very fruitful IMO, discussion arose.

What I was aiming for was an RPC-type system with an "agent" which is fed a bunch of named keys. At the moment the agent starts, or rather when a key is introduced to the agent, the operator is prompted for its password. From that point on, until the agent dies, Ansible invokes an RPC to the central agent in order to have it decrypt the data, and Ansible uses the clear text it receives from the agent to do whatever it must do.

What I'd also hoped for, was a possibility to encrypt just certain values, in order to keep the basic content of the YAML files legible. Something like this:

admin: Jane Jolie
dbpassword: @vault@"AHchx0a+G8mejs84tGxCNKxMFP7tM7Y7kl"
webservertype: nginx

Why's it my fault, you ask? I got sidetracked with a huge pile of work, and in spite of Michael (and several other pople) asking me repeatedly about progress on the code, I just didn't get around to converting my proof of concept to decent code for inclusion in Ansible. Worse: I ignored requests of submitting whatever snippets of code I already had.

I am very sorry about this.


blog comments powered by Disqus