Posted on by miro

Ansible Vault

Ansible may need access to sensitive data such as passwords or API keys in order to configure remote servers. Normally, this information might be stored as plain text in inventory variables or other Ansible files. But in that case, any user with access to the Ansible files or a version control system which stores the Ansible files would have access to this sensitive data. This poses an
obvious security risk.

The ansible-vault command allows file encryption, and requires a password to unencrypt.

Command:

The ansible-vault rekey command will allow you to re-encrypt a file and reset the password.

To supply the vault password during play execution, you must use either of the --ask-vault-password or --ask-vault-file flags.

Since Ansible 2.4 the --vault-id can be used to indicate which vault ID (‘dev’, ‘prod’, ‘cloud’, etc) a password is for as well as how to source the password (prompt, a file path, etc). To use vault IDs, you must provide an ID label of your choosing and a source to obtain its password (either prompt or a file path):

It is also possible to set no_log within a module to censor sensitive log output.

 

The Ansible-Vault Command

Let’s create a text file:

Now we can ecrypt the file:

After the file has been encrypted we can also edit it:

And we can view the file after it was changed:

And we can also decrypt the file:

We can also encypt the string:

The string which we encrypt can be labeled by --vault-id:

To create a new encrypted data file, run the following command:

To create a new encrypted data file with the Vault ID ‘password1’ assigned to it and be prompted for the password, run:

To edit a file encrypted with the ‘vault2’ password file and assigned the ‘pass2’ vault ID:

Should you wish to change your password on a vault-encrypted file or files, you can do so with the rekey command:

To rekey files encrypted with the ‘preprod2’ vault ID and the ‘ppold’ file and be prompted for the new password:

If you have existing files that you wish to encrypt, use the ansible-vault encrypt command. This command can operate on multiple files at once:

To encrypt existing files with the ‘project’ ID and be prompted for the password:

 

Using Vaults in Playbooks

Let’s create playbook with vars located in the encrypted file:

File with vars:

File with password:

The file with password (vault) should be stored securely because if somebody gets this file, he can decrypt secure_var file.

Now we can encrypt file with vars (secure_var) using the label prod in the “vault” file:

Lets’s run the playbook now:

We must specify the vault password file with --vault-id file:

And the playbook runs without problems.

Now let’s run the same playbook with verbosity flag:

And we see that even we encrypt the secure_var file the meesage var can be seen.

Let’s modify the playbook no to log the output:

And the output has ben hidden.

 

Example 1.

In this exercise, you will create a new encrypted file, edit the file, and change the password on an existing encrypted file. You would also learn how to encrypt and decrypt an existing file.

Create an encrypted file named super-secret.yml under ~/ansible/vault.
Enter redhat as the vault password when prompted, and confirm.

Enter the following content into the file. Save and exit the file when you are finished.

Attempt to view the content of the encrypted file super-secret.yml.

As the file super-secret.yml is an encrypted file, you cannot view the content in plain text. The default cipher used is AES (which is shared-secret based).

To view the content of the Ansible Vault encrypted file, use the command ansible-vault view super-secret.yml. When prompted, enter the vault password as redhat.

Now edit the encrypted file super-secret.yml to add some new content. Use redhat as the vault password.

Enter the following content into the file. Save and exit the file when you are finished.

Verify by viewing the content of super-secret.yml, using ansible-vault view
super-secret.yml. Use the vault password as redhat.

Create file with password:

Encrypt file password

Change the vault password of the passwd

Decrypt the encrypted file passwd.yml and save the file as passwd-decrypted

Encrypt the existing file passwd-decrypted.yml and save the file as passwd-encrypted

 

Example 2.

Create an encrypted file named secret.yml in ~/ansible/vault/vars/ which
will contain sensitive playbook variables. Provide a password of redhat for the vault and confirm it.

Create the create_users.yml playbook. Note how it references vars/
secret.yml as an external playbook variables file.

Use ansible-playbook –syntax-check to check the syntax of the
create_users.yml playbook,

It failed because it was unable to decrypt vars/secret.yml to check its syntax. Add the –ask-vault-pass option to prompt for the vault password while decrypting vars/secret.yml.

Create a password file, called vault-pass, to use for the playbook execution instead of asking for a password. Store the vault password redhat as plain text. Change the permission of the file to 0600.

Execute the Ansible playbook, this time using the vault password file. This creates the demouser1 and demouser2 users on the managed hosts using the passwords stored as the pw fields in secret.yml.

Verify that both users (demouser1 and demouser2) were created properly by the playbook. Connect to managedhost1 via SSH as those users.

 

Example 3.

In this exercise, you will use Ansible Vault to encypt the file containing passwords on the local system and use that in a playbook to create users on the managedhost1 remote system.

Create an encrypted file named secret2.yml in ~/ansible/vault/. Provide
a password of redhat for the vault and confirm it. This will open a file in the default editor vim.

Create a playbook which will use the variables defined in the secret2.yml encrypted file. Name the playbook create_users2.yml and create it under the ~/ansible/vault/ directory.  Run this playbook as the miro user on the remote
managed host. Configure the playbook to create the ansibleuser1 and ansibleuser2 users.
The password stored as plain text in the variable, pw, should be converted into password hash using hashing filters password_hash to get SHA512 hashed password and passed as an argument to the user module. For example,

The content of the create_users.yml should be:

Check the syntax of the create_users.yml using ansible-playbook –syntaxcheck. Use the –ask-vault-pass option to prompt for the vault password set on secret.yml. In case of syntax error, resolve before continuing further.

Create a password file to use for the playbook execution instead of asking for a password. The file should be called vault-pass and it should store the redhat vault password as a plain text. Change the permission of the file to 0600.

Execute the Ansible playbook, using the vault password file to create the ansibleuser1 and ansibleuser2 users on a remote system using the passwords stored as variables in the secret.yml Ansible Vault encrypted file. Use the vault password file vault-pass.

Verify that both users were created properly by the playbook by connecting via SSH to managedhost2.

 

Example 4.

In this lab, you will encrypt and decrypt the YAML file containing variables for LUKS encryption which are sensitive. Use the encrypted file containing variables in a playbook to execute remote tasks on serverb.lab.example.com to create a LUKS encrypted partition on /dev/vdb. Edit the encrypted role variable file to add the path of the new 256-bit key file and add tasks to insert this key to an available key slot on the encrypted device /dev/vdb on
managedhostx.

Use the ansible-galaxy command to create a role named encryptdisk and its
directory structure.

Edit the encryptdisk role variable file, ~/ansible/roles/encryptdisk/
vars/main.yml, to add the following variables:

Encrypt the role variable file. Use redhat as the the vault password.
Use ansible-vault to encrypt the roles/encryptdisk/vars/main.yml role variable
file.

Create task to encrypt a block device as specified using the luks_dev variable.

Example not finished