Securing Automation: Exploring Ansible Vault Essentials

#day71 of #90daysofdevops

What is Ansible Vault?

  • Ansible Vault is a feature in Ansible that provides secure storage and encryption of sensitive information such as passwords, API keys, and other secrets.

  • It ensures that confidential data within Ansible playbooks is encrypted and protected.

Key Features:

  • Encryption: Ansible Vault encrypts sensitive data, making it unreadable to anyone without the decryption key.

  • Integration: It seamlessly integrates with Ansible, allowing encrypted data to be used in playbooks.

  • Idempotent: Encrypting the same data with the same password results in the same encrypted output, ensuring idempotence.


Creating encrypted files

Creating an encrypted file using Ansible Vault involves a straightforward process, providing a secure method for storing sensitive information. Here are the steps to create, view, and edit an encrypted file:

  1. Creating an Encrypted File:

    • To initiate the creation of a new encrypted file, use the ansible-vault create command.

    • Example:

        ansible-vault create secret.txt
      
    • The command prompts for a vault password, which you'll use to open the file later.

  2. Inserting Content:

    • Once the vault password is entered, the default file editor opens, allowing you to insert content securely.

    • Example:

        I hold the key to the universe.
      
    • Save and exit the file.

  3. Viewing the Encrypted File:

    • To view the encrypted file content, use the ansible-vault view command.

    • Example:

        ansible-vault view secret.txt
      
    • You'll be prompted for the vault password, and upon entering it, the decrypted content is displayed.

  4. Storing Vault Password in a Separate File:

    • You can store the vault password in a separate file, enhancing security and convenience.

    • Example:

        echo 'your_vault_password' > secret-vault.txt
      

  5. Viewing with Separate Vault Password File:

    • Use the --vault-password-file option to reference the vault password file when viewing the encrypted file.

    • Example:

        ansible-vault view secret.txt --vault-password-file secret-vault.txt
      
    • This approach eliminates the need for entering the vault password interactively.

  6. Modifying Encrypted File Content:

    • To edit the contents of an encrypted file, use the ansible-vault edit command.

    • Note: you do not edit the encrypted file directly; ansible-vault edit decrypts it into a temporary copy for your editor and re-encrypts it when you save.

    • Example:

        ansible-vault edit secret.txt
      
    • You'll be prompted for the vault password before opening the file for editing.

    • The --vault-password-file option can also be used with the ansible-vault edit command.

By following these steps, you can effectively create, manage, and secure sensitive information using Ansible Vault.


Decrypting encrypted files

Decrypting encrypted files in Ansible Vault involves using the ansible-vault decrypt command. Here's a step-by-step guide:

  1. Create Encrypted File:

    • To create a new encrypted file, use the ansible-vault create command.

    • Example:

        ansible-vault create secret2.txt
      
    • Enter and confirm the vault password and insert the desired content.

  2. View Encrypted File (Optional):

    • You can view the encrypted file to confirm its content.

    • Example:

        cat secret2.txt
      

      The output is the encrypted vault envelope, not human-readable text :)

  3. Decrypt Encrypted File:

    • If you decide that the information is no longer sensitive and want to decrypt the file, use the ansible-vault decrypt command.

    • Example:

        ansible-vault decrypt secret2.txt
      
    • You'll be prompted for the vault password.

  4. Confirm Decryption:

    • After entering the vault password, Ansible Vault decrypts the file and confirms the decryption success.

    • Example:

        cat secret2.txt
      
    • The contents of the file are now visible and no longer encrypted.

By following these steps, you can decrypt a vault-encrypted file when needed. Keep in mind that decryption requires the vault password used during encryption.
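The two steps above that this post leaves implicit, what the "not understandable" output of cat actually contains and what a secure vault password file looks like, can be shown in code. The following is an added example, not code from the original post or from the Ansible project: it parses the $ANSIBLE_VAULT;1.1;AES256 envelope (header, hex-wrapped salt, HMAC and ciphertext), derives the keys with PBKDF2-HMAC-SHA256 the way Ansible does, and checks the vault password against the stored HMAC, which is the check ansible-vault view performs before it decrypts anything. It also creates the secret-vault.txt password file with mode 0600, which a plain echo redirection under the default umask does not give you. The names build_envelope, DEMO_SALT, DEMO_PAYLOAD and demo_password_file are this example's own, and the payload is constructed filler: real vault files carry AES-CTR ciphertext, which is not decrypted here because the standard library has no AES.

```python
import binascii
import hashlib
import hmac
import os
import tempfile

VAULT_HEADER = b"$ANSIBLE_VAULT"
PBKDF2_ITERATIONS = 10000  # iteration count used by Ansible's VaultAES256
KEY_LEN = 32               # AES-256 key and HMAC-SHA256 key are 32 bytes each
IV_LEN = 16                # AES-CTR initial counter block

def is_vault_encrypted(data: bytes) -> bool:
    """True when the file carries the vault header (the text `cat` shows as gibberish)."""
    return data.lstrip().startswith(VAULT_HEADER)

def parse_envelope(data: bytes):
    """Return (version, cipher, vault_id, salt, mac, ciphertext) from a vault file."""
    if not is_vault_encrypted(data):
        raise ValueError("not an Ansible Vault file")
    header, _, body = data.strip().partition(b"\n")
    fields = header.strip().split(b";")
    if len(fields) < 3 or fields[2] != b"AES256":
        raise ValueError(f"unsupported vault header: {header!r}")
    version = fields[1].decode()
    vault_id = fields[3].decode() if len(fields) > 3 else None  # 1.2 headers only
    # The body is hex text wrapped at 80 columns. Unhexing it once yields
    # "hex(salt)\nhex(hmac)\nhex(ciphertext)"; each part is then unhexed again.
    inner = binascii.unhexlify(b"".join(body.split()))
    parts = inner.split(b"\n")
    if len(parts) != 3:
        raise ValueError("malformed vault body")
    salt, mac, ciphertext = (binascii.unhexlify(p) for p in parts)
    return version, fields[2].decode(), vault_id, salt, mac, ciphertext

def derive_keys(password: bytes, salt: bytes):
    """PBKDF2-HMAC-SHA256 stretched to 80 bytes and split the way Ansible does."""
    derived = hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ITERATIONS,
                                  dklen=2 * KEY_LEN + IV_LEN)
    return derived[:KEY_LEN], derived[KEY_LEN:2 * KEY_LEN], derived[2 * KEY_LEN:]

def password_matches(data: bytes, password: bytes) -> bool:
    """Recompute HMAC-SHA256 over the ciphertext with the key derived from
    `password`. A wrong password derives a different key, so the MAC differs
    and ansible-vault refuses to decrypt instead of emitting garbage."""
    _, _, _, salt, mac, ciphertext = parse_envelope(data)
    _, hmac_key, _ = derive_keys(password, salt)
    expected = hmac.new(hmac_key, ciphertext, hashlib.sha256).digest()
    return hmac.compare_digest(expected, mac)

def build_envelope(salt: bytes, ciphertext: bytes, password: bytes, vault_id=None) -> bytes:
    """Wrap an already-encrypted payload in a 1.1 (or 1.2, with vault_id) envelope.
    Only the envelope and MAC layer are built here; the payload is passed in
    because AES-CTR is not available in the standard library."""
    _, hmac_key, _ = derive_keys(password, salt)
    mac = hmac.new(hmac_key, ciphertext, hashlib.sha256).digest()
    inner = b"\n".join(binascii.hexlify(p) for p in (salt, mac, ciphertext))
    outer = binascii.hexlify(inner)
    wrapped = b"\n".join(outer[i:i + 80] for i in range(0, len(outer), 80))
    if vault_id:
        header = b"$ANSIBLE_VAULT;1.2;AES256;" + vault_id.encode()
    else:
        header = b"$ANSIBLE_VAULT;1.1;AES256"
    return header + b"\n" + wrapped + b"\n"

def password_file_is_private(path: str) -> bool:
    """A --vault-password-file must not be readable by group or others."""
    return (os.stat(path).st_mode & 0o077) == 0

def write_private_password_file(path: str, password: str) -> bool:
    """Create the password file with mode 0600, refusing to overwrite an
    existing file, and report whether the result is private."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(password + "\n")
    return password_file_is_private(path)

def demo_password_file() -> bool:
    """Exercise write_private_password_file in a throwaway directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return write_private_password_file(os.path.join(tmp, "secret-vault.txt"),
                                           "your_vault_password")

# Constructed demo input: a fixed salt and a filler payload stand in for real
# ansible-vault output, which uses a random 32-byte salt and AES-CTR ciphertext.
DEMO_SALT = bytes(range(32))
DEMO_PAYLOAD = b"\x00" * 16
DEMO_VAULT = build_envelope(DEMO_SALT, DEMO_PAYLOAD, b"your_vault_password")

if __name__ == "__main__":
    print(DEMO_VAULT.decode(), end="")
    print("right password:", password_matches(DEMO_VAULT, b"your_vault_password"))
    print("wrong password:", password_matches(DEMO_VAULT, b"wrong"))
    print("password file private:", demo_password_file())
```

Running the script prints an envelope that looks exactly like the cat output in step 2 above, then shows the password check succeeding only for the password the envelope was built with. The same parse_envelope function doubles as a pre-commit check: any file under vars_files that is_vault_encrypted rejects is about to be committed in clear text.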


Changing an encrypted file's password

Changing the password of an encrypted file in Ansible Vault involves using the ansible-vault rekey command. Here's how you can do it:

  1. Encrypt Existing File (Optional):

    • You can encrypt an existing unencrypted file using the ansible-vault encrypt command.

    • Example:

        ansible-vault encrypt secret2.txt
      
    • Enter and confirm the new vault password.

  2. View Encrypted File (Optional):

    • You can view the encrypted file to confirm its content.

    • Example:

        cat secret2.txt
      

  3. Rekey Encrypted File:

    • If the vault password is compromised or needs to be changed, use the ansible-vault rekey command.

    • Example:

        ansible-vault rekey secret2.txt
      
    • You'll be prompted to enter the old vault password, then the new one.

  4. Confirm Rekey:

    • After entering both the old and new vault passwords, Ansible Vault rekeys the file and confirms the rekey success.

    • Example:

        Rekey successful
      

By following these steps, you can change the vault password of an encrypted file in Ansible Vault, ensuring the security of sensitive information.


Decrypting content at run time in playbooks

Encrypting files with Ansible Vault provides an extra layer of security for sensitive information. Let's explore how to create, view, and utilize encrypted files in Ansible playbooks:

  1. Create Encrypted File:

    • Use ansible-vault create to create a new encrypted file.

    • Example:

        ansible-vault create web-secrets.yml
      
    • Enter and confirm the new vault password.

    • Insert content into the file.

  2. View Encrypted File:

    • Use ansible-vault view to view the content of an encrypted file.

    • Example:

        ansible-vault view web-secrets.yml
      
    • Enter the vault password.

  3. Create Ansible Playbook:

    • Create a playbook (e.g., vault-playbook.yml) accessing variables from encrypted files.

    • Example playbook content:

        ---
        - name: Accessing Vaults in Playbooks
          hosts: node2
          vars_files:
            - web-secrets.yml
          tasks:
            - name: Show secret1 value
              debug:
                msg: "{{ secret1 }}"
      

      Note: I run this on the master node

  4. Run Playbook with Vault Password:

    Notice how vault-playbook.yml accesses variables from the vault-encrypted file web-secrets.yml.

    Now try running the playbook:

        ansible-playbook vault-playbook.yml

        ERROR! Attempting to decrypt but no vault secrets found

    As you can see, it complains because it didn't receive a vault password to decrypt the web-secrets.yml file.

    Now run the playbook again but pass the --ask-vault-pass option this time around:

    • Run the playbook using ansible-playbook and provide the vault password.

    • Example:

        ansible-playbook --ask-vault-pass vault-playbook.yml
      

By following these steps, you can effectively manage and utilize encrypted files in Ansible, ensuring the security of sensitive information in your automation workflows.


Connect with me:)

Thank you for diving into this blog with me! I trust you found the information both helpful and enlightening. To stay updated on the latest in DevOps 🚀, make sure to follow me. Remember, staying informed means staying ahead in the dynamic world of DevOps!

Feel free to connect with me on:

LinkedIn

Twitter

GitHub

For more updates and engaging discussions on DevOps, let's connect! 🚀 #DevOpsCommunity