{"id":3328,"date":"2020-02-13T16:32:43","date_gmt":"2020-02-13T15:32:43","guid":{"rendered":"http:\/\/miro.borodziuk.eu\/?p=3328"},"modified":"2020-05-11T21:59:59","modified_gmt":"2020-05-11T19:59:59","slug":"ansible-vault","status":"publish","type":"post","link":"http:\/\/miro.borodziuk.eu\/index.php\/2020\/02\/13\/ansible-vault\/","title":{"rendered":"Ansible Vault"},"content":{"rendered":"

Ansible may need access to sensitive data such as passwords or API keys in order to configure remote servers. Normally, this information might be stored as plain text in inventory variables or other Ansible files. But in that case, any user with access to the Ansible files or a version control system which stores the Ansible files would have access to this sensitive data. This poses an
\nobvious security risk.<\/p>\n

<\/p>\n

The ansible-vault<\/code> command allows file encryption, and requires a password to unencrypt.<\/p>\n

Command:<\/p>\n

$ ansible-vault encrypt <file><\/pre>\n
The ansible-vault rekey<\/code> command will allow you to re-encrypt<\/strong> a file and reset the password.<\/p>\n
To supply the vault password during play execution, you must use either of the --ask-vault-password<\/code> or --ask-vault-file<\/code> flags.<\/p>\n
Since Ansible 2.4 the --vault-id<\/span><\/code><\/a> can be used to indicate which vault ID (\u2018dev\u2019, \u2018prod\u2019, \u2018cloud\u2019, etc) a password is for as well as how to source the password (prompt, a file path, etc). To use vault IDs, you must provide an ID label<\/em> of your choosing and a source<\/em> to obtain its password (either prompt<\/span><\/code> or a file path):<\/p>\n
\n
\n
--vault-id label@source\r\n<\/pre>\n<\/div>\n<\/div>\n
It is also possible to set no_log<\/code> <\/strong>within a module to censor sensitive log output.<\/p>\n
 <\/p>\n
The Ansible-Vault Command<\/span><\/p>\n
Let’s create a text file:<\/p>\n
[miro@controlnode vault]$ echo \"Hello world\" > secret.txt\r\n[miro@controlnode vault]$ cat secret.txt\r\nHello world<\/pre>\n
Now we can ecrypt<\/strong> the file:<\/p>\n
[miro@controlnode vault]$ ansible-vault encrypt secret.txt\r\nNew Vault password:\r\nConfirm New Vault password:\r\nEncryption successful\r\n[miro@controlnode vault]$ cat secret.txt\r\n$ANSIBLE_VAULT;1.1;AES256\r\n39333236373633343338333333313933336538383062626339656263653038353862393366373662\r\n6634323132323335333536393736643365633562366162380a386534376463626535346431306535\r\n37306339323964343265643339393162626437396130313463646136363532303163343661323931\r\n3937363931343463610a623630313037333930356263396666363264363132633962323433656230\r\n6239<\/pre>\n
After the file has been encrypted we can also edit<\/strong> it:<\/p>\n
[miro@controlnode vault]$ ansible-vault edit secret.txt\r\nVault password:\r\n\r\nHello world edited\r\n~<\/pre>\n
And we can view<\/strong> the file after it was changed:<\/p>\n
[miro@controlnode vault]$ ansible-vault view secret.txt\r\nVault password:\r\nHello world edited<\/pre>\n
And we can also decrypt<\/strong> the file:<\/p>\n
[miro@controlnode vault]$ ansible-vault decrypt secret.txt\r\nVault password:\r\nDecryption successful\r\n[miro@controlnode vault]$ cat secret.txt\r\nHello world edited<\/pre>\n
We can also encypt the string<\/strong>:<\/p>\n
[miro@controlnode vault]$ ansible-vault encrypt_string \"Some string\" -n meaning\r\nNew Vault password:\r\nConfirm New Vault password:\r\nmeaning: !vault |\r\n$ANSIBLE_VAULT;1.1;AES256\r\n65666136326337656261316630326164333139633135316639366131363335383133326162353961\r\n6534623362646631313961326666613832626635616133660a393062613365646435363762323539\r\n33626136626633323536613736666234633633363662633661336538623866636231356266336665\r\n6334633733356434640a376536633035356534353565313737666365393761353834306637346362\r\n3661\r\nEncryption successful\r\n<\/pre>\n
The string which we encrypt can be labeled by --vault-id<\/code><\/strong>:<\/p>\n
[miro@controlnode vault]$ ansible-vault encrypt_string \"Some string\" -n meaning --vault-id dev@prompt\r\nNew vault password (dev):\r\nConfirm vew vault password (dev):\r\nmeaning: !vault |\r\n$ANSIBLE_VAULT;1.2;AES256;dev\r\n62353339333430353163643064366237316532633462303863623461356239666535663133323239\r\n3338633135323465313163373865383865396432613037660a626236386331356566366532333362\r\n31333637376139313236323466393338373064313062303833386338613932353465356437366535\r\n3038333936623433320a323565336361363138346364313062386433633965343461663530346339\r\n3163\r\nEncryption successful<\/pre>\n
To create<\/strong> a new encrypted data file, run the following command:<\/p>\n
[miro@controlnode ansible]$ ansible-vault create foo.yml\r\nNew Vault password:\r\nConfirm New Vault password:<\/pre>\n
To create<\/strong> a new encrypted data file with the Vault ID<\/strong> \u2018password1\u2019 assigned to it and be prompted for the password, run:<\/p>\n
[miro@controlnode ansible]$ ansible-vault create --vault-id password1@prompt foo.yml\r\nNew vault password (password1):<\/pre>\n
To edit a file encrypted with the \u2018vault2\u2019 password file and assigned the \u2018pass2\u2019 vault ID:<\/p>\n
\n
\n
[miro@controlnode ansible]$ ansible-vault edit --vault-id pass2@vault2 foo.yml\r\n<\/pre>\n<\/div>\n<\/div>\n
Should you wish to change your password on a vault-encrypted file or files, you can do so with the rekey command:<\/p>\n
\n
\n
$ ansible-vault rekey foo.yml bar.yml baz.yml\r\n<\/pre>\n<\/div>\n<\/div>\n
To rekey files encrypted with the \u2018preprod2\u2019 vault ID and the \u2018ppold\u2019 file and be prompted for the new password:<\/p>\n
\n
\n
$ ansible-vault rekey --vault-id preprod2@ppold --new-vault-id preprod2@prompt foo.yml bar.yml baz.yml\r\n<\/pre>\n<\/div>\n<\/div>\n
If you have existing files that you wish to encrypt, use the ansible-vault encrypt<\/span><\/a> command. This command can operate on multiple files at once:<\/p>\n
\n
\n
$ ansible-vault encrypt foo.yml bar.yml baz.yml\r\n<\/pre>\n<\/div>\n<\/div>\n
To encrypt existing files with the \u2018project\u2019 ID and be prompted for the password:<\/p>\n
\n
\n
$ ansible-vault encrypt --vault-id project@prompt foo.yml bar.yml baz.yml\r\n<\/pre>\n<\/div>\n<\/div>\n
 <\/p>\n
Using Vaults in Playbooks<\/span><\/p>\n
Let’s create playbook with vars located in the encrypted file:<\/p>\n
[miro@controlnode vault]$ cat vault.yml\r\n---\r\n- hosts: localhost\r\n  vars_files:\r\n  - \/home\/miro\/ansible\/vault\/secure_var\r\n  tasks:\r\n  - name: Output message\r\n    shell: echo {{ message}} > \/home\/user\/vault\/deployed.txt<\/pre>\n
File with vars:<\/p>\n
[miro@controlnode vault]$ cat secure_var\r\nmessage: \"Hello world\"<\/pre>\n
File with password:<\/p>\n
[miro@controlnode vault]$ cat vault\r\nexample_of_password<\/pre>\n
The file with password (vault<\/code>) should be stored securely because if somebody gets this file, he can decrypt secure_var<\/code> file.<\/p>\n
Now we can encrypt file with vars (secure_var<\/code>) using the label prod<\/code> in the “vault” file:<\/p>\n
[miro@controlnode vault]$ ansible-vault encrypt --vault-id prod@vault secure_var\r\nEncryption successful\r\n\r\n[miro@controlnode vault]$ cat secure_var\r\n$ANSIBLE_VAULT;1.2;AES256;prod\r\n61386632306362663233343663383435666334303530613331396337613962383035376132656530\r\n3835353062303932373536636633343166373666663238390a396531343930366439386663393563\r\n61306235343664646233623739393065373034663837633065663666643164636262353732393339\r\n6439363665393561360a393863666565366635306661643135613138653234386663306236313539\r\n30303334633331303230613237626336396138313636653935316164356362633236\r\n<\/pre>\n
Lets’s run the playbook now:<\/p>\n
[miro@controlnode vault]$ ansible-playbook vault.yml\r\nERROR! Attempting to decrypt but no vault secrets found<\/pre>\n
We must specify the vault password file with --vault-id<\/code> file:<\/p>\n
[miro@controlnode vault]$ ansible-playbook vault.yml --vault-id prod@vault\r\n\r\nPLAY [localhost] *****************************************************************************************************************\r\n\r\nTASK [Gathering Facts] ***********************************************************************************************************\r\nok: [localhost]\r\n\r\nTASK [Output message] ************************************************************************************************************\r\nchanged: [localhost]\r\n\r\nPLAY RECAP ***********************************************************************************************************************\r\nlocalhost : ok=2 changed=1 unreachable=0 failed=0\r\n\r\n[miro@controlnode vault]$ cat deployed.txt\r\nHello world<\/pre>\n
And the playbook runs without problems.<\/p>\n
Now let’s run the same playbook with verbosity flag:<\/p>\n
[miro@controlnode vault]$ ansible-playbook -v vault.yml --vault-id prod@vault\r\nUsing \/etc\/ansible\/ansible.cfg as config file\r\n\r\nPLAY [localhost] ************************************************************************************************************************************************************************\r\n\r\nTASK [Gathering Facts] ******************************************************************************************************************************************************************\r\nok: [localhost]\r\n\r\nTASK [Output message] *******************************************************************************************************************************************************************\r\nchanged: [localhost] => {\"changed\": true, \"cmd\": \"echo Hello world<\/strong> > \/home\/miro\/ansible\/vault\/deployed.txt\", \"delta\": \"0:00:00.003909\", \"end\": \"2020-04-18 15:18:57.860573\", \"rc\": 0, \"start\": \"2020-04-18 15:18:57.856664\", \"stderr\": \"\", \"stderr_lines\": [], \"stdout\": \"\", \"stdout_lines\": []}\r\n\r\nPLAY RECAP ******************************************************************************************************************************************************************************\r\nlocalhost : ok=2 changed=1 unreachable=0 failed=0<\/pre>\n
And we see that even we encrypt the secure_var file the meesage var can be seen.<\/p>\n
Let’s modify the playbook no to log the output:<\/p>\n
[miro@controlnode vault]$ cat vault.yml\r\n---\r\n- hosts: localhost\r\n  vars_files:\r\n  - \/home\/miro\/ansible\/vault\/secure_var\r\n  tasks:\r\n  - name: Output message\r\n    shell: echo {{ message}} > \/home\/miro\/ansible\/vault\/deployed.txt\r\n    no_log: true\r\n\r\n[miro@controlnode vault]$\r\n[miro@controlnode vault]$\r\n[miro@controlnode vault]$ ansible-playbook -v vault.yml --vault-id prod@vault\r\nUsing \/etc\/ansible\/ansible.cfg as config file\r\n\r\nPLAY [localhost] ************************************************************************************************************************************************************************\r\n\r\nTASK [Gathering Facts] ******************************************************************************************************************************************************************\r\nok: [localhost]\r\n\r\nTASK [Output message] *******************************************************************************************************************************************************************\r\nok: [localhost] => {\"censored\": \"the output has been hidden due to the fact that 'no_log: true' was specified for this result\"}\r\n\r\nPLAY RECAP ******************************************************************************************************************************************************************************\r\nlocalhost : ok=2 changed=1 unreachable=0 failed=0<\/pre>\n
And the output has ben hidden.<\/p>\n
 <\/p>\n
Example 1.<\/span><\/p>\n
In this exercise, you will create a new encrypted file, edit the file, and change the password on an existing encrypted file. You would also learn how to encrypt and decrypt an existing file.<\/p>\n
Create an encrypted file named super-secret.yml under ~\/ansible\/vault.
\nEnter redhat as the vault password when prompted, and confirm.<\/p>\n
[miro@controlnode vault]$ ansible-vault create super-secret.yml\r\nNew Vault password:\r\nConfirm New Vault password:<\/pre>\n
Enter the following content into the file. Save and exit the file when you are finished.<\/p>\n
This is encrypted.<\/pre>\n
Attempt to view the content of the encrypted file super-secret.yml.<\/p>\n
[miro@controlnode vault]$ cat super-secret.yml\r\n$ANSIBLE_VAULT;1.1;AES256\r\n30623932663266303862663737666561386666383065623665346361373333623131393661626262\r\n6362663464346266633162376130363737303632633232620a346265303061663764383834346465\r\n33303166333561373637376566303739653631386636613334303162303864353031373337653833\r\n6239666463383333390a323330646363343566353735343364626239326365323862643837353863\r\n61333830353566643235613366613165626365366236343539616431366661373139<\/pre>\n
As the file super-secret.yml is an encrypted file, you cannot view the content in plain text. The default cipher used is AES (which is shared-secret based).<\/p>\n
To view the content of the Ansible Vault encrypted file, use the command ansible-vault view super-secret.yml. When prompted, enter the vault password as redhat.<\/p>\n
[miro@controlnode vault]$ ansible-vault view super-secret.yml\r\nVault password:\r\nThis is encrypted.<\/pre>\n
Now edit the encrypted file super-secret.yml to add some new content. Use redhat as the vault password.<\/p>\n
[miro@controlnode vault]$ ansible-vault edit super-secret.yml\r\nVault password:<\/pre>\n
Enter the following content into the file. Save and exit the file when you are finished.<\/p>\n
This is also encrypted.<\/pre>\n
Verify by viewing the content of super-secret.yml, using ansible-vault view
\nsuper-secret.yml. Use the vault password as redhat.<\/p>\n
[miro@controlnode vault]$ ansible-vault view super-secret.yml\r\nVault password:\r\nThis is encrypted.\r\nThis is also encypted.<\/pre>\n
Create file with password:<\/p>\n
[miro@controlnode vault]$ echo 'user_pw: 5pjsBJxAWUs6pRWD5itO\/' > passwd<\/pre>\n
Encrypt file password<\/p>\n
[miro@controlnode vault]$ ansible-vault encrypt passwd\r\nNew Vault password:\r\nConfirm New Vault password:\r\nEncryption successful<\/pre>\n
Change the vault password of the passwd<\/p>\n
[miro@controlnode vault]$ ansible-vault rekey passwd\r\nVault password:\r\nNew Vault password:\r\nConfirm New Vault password:\r\nRekey successful<\/pre>\n
Decrypt the encrypted file passwd.yml and save the file as passwd-decrypted<\/p>\n
[miro@controlnode vault]$ ansible-vault decrypt passwd --output=passwd-decrypted\r\nVault password:\r\nDecryption successful\r\n[miro@controlnode vault]$ cat passwd-decrypted\r\nuser_pw: 5pjsBJxAWUs6pRWD5itO\/<\/pre>\n
Encrypt the existing file passwd-decrypted.yml and save the file as passwd-encrypted<\/p>\n
[miro@controlnode vault]$ ansible-vault encrypt passwd-decrypted --output=passwd-encrypted\r\nNew Vault password:\r\nConfirm New Vault password:\r\nEncryption successful\r\n[miro@controlnode vault]$ cat passwd-encrypted\r\n$ANSIBLE_VAULT;1.1;AES256\r\n31616630343665666663393336316637333837616561323033393063326361333434623839646635\r\n6132613232306462633833636235363966633562393733640a383266393463613265323662363430\r\n35343330346430653066643732623031623863353131366336376465626465643330356230346335\r\n6562383561353366360a363833313963653362316137396566646534396135306164393863346664\r\n63656632623339396164313531396665323265303963343632333766353166333462<\/pre>\n
 <\/p>\n
Example 2.<\/span><\/p>\n
Create an encrypted file named secret.yml in ~\/ansible\/vault\/vars\/ which
\nwill contain sensitive playbook variables. Provide a password of redhat for the vault and confirm it.<\/p>\n
[miro@controlnode vault]$ mkdir vars\r\n[miro@controlnode vault]$ ansible-vault create vars\/secret.yml\r\nNew Vault password:\r\nConfirm New Vault password:\r\n\r\n[miro@controlnode vault]$ ansible-vault view vars\/secret.yml\r\nVault password:\r\n\r\nnewusers:\r\n- name: demouser1\r\npw: redhat\r\n- name: demouser2\r\npw: RedHat\r\n<\/pre>\n
Create the create_users.yml playbook. Note how it references vars\/
\nsecret.yml as an external playbook variables file.<\/p>\n
[miro@controlnode vault]$ cat create_users.yml\r\n---\r\n- name: create user accounts for all our servers\r\n  hosts: managedhost1\r\n  become: yes\r\n  vars_files:\r\n    - vars\/secret.yml\r\n  tasks:\r\n    - name: Creating users from secret.yml\r\n      user:\r\n        name: \"{{ item.name }}\"\r\n        password: \"{{ item.pw | password_hash('sha512') }}\"\r\n      with_items: \"{{ newusers }}\"<\/pre>\n
Use ansible-playbook –syntax-check to check the syntax of the
\ncreate_users.yml playbook,<\/p>\n
[miro@controlnode vault]$ ansible-playbook --syntax-check create_users.yml\r\nERROR! Attempting to decrypt but no vault secrets found<\/pre>\n
It failed because it was unable to decrypt vars\/secret.yml to check its syntax. Add the –ask-vault-pass option to prompt for the vault password while decrypting vars\/secret.yml.<\/p>\n
[miro@controlnode vault]$ ansible-playbook --syntax-check --ask-vault-pass create_users.yml\r\nVault password:\r\n\r\nplaybook: create_users.yml<\/pre>\n
Create a password file, called vault-pass, to use for the playbook execution instead of asking for a password. Store the vault password redhat as plain text. Change the permission of the file to 0600.<\/p>\n
[miro@controlnode vault]$ echo 'redhat' > vault-pass\r\n[miro@controlnode vault]$ chmod 0600 vault-pass<\/pre>\n
Execute the Ansible playbook, this time using the vault password file. This creates the demouser1 and demouser2 users on the managed hosts using the passwords stored as the pw fields in secret.yml.<\/p>\n
[miro@controlnode vault]$ ansible-playbook --vault-password-file=vault-pass create_users.yml\r\n\r\nPLAY [create user accounts for all our servers] ******************************************************************************\r\n\r\nTASK [Gathering Facts] *******************************************************************************************************\r\nok: [managedhost1]\r\n\r\nTASK [Creating users from secret.yml] ****************************************************************************************\r\nchanged: [managedhost1] => (item={u'name': u'demouser1', u'pw': u'redhat'})\r\nchanged: [managedhost1] => (item={u'name': u'demouser2', u'pw': u'RedHat'})\r\n\r\nPLAY RECAP *******************************************************************************************************************\r\nmanagedhost1 : ok=2 changed=1 unreachable=0 failed=0<\/pre>\n
Verify that both users (demouser1 and demouser2) were created properly by the playbook. Connect to managedhost1 via SSH as those users.<\/p>\n
[miro@controlnode vault]$ ssh demouser1@managedhost1\r\ndemouser1@managedhost1's password:\r\nThis is the system managedhost1.\r\nToday's date is: 2020-05-06.\r\nOnly use this system with permission.\r\nYou can ask someone@host.example.com for access.\r\n[demouser1@managedhost1 ~]$ logout\r\nConnection to managedhost1 closed.\r\n\r\n[miro@controlnode vault]$ ssh demouser2@managedhost1\r\ndemouser2@managedhost1's password:\r\nPermission denied, please try again.\r\ndemouser2@managedhost1's password:\r\nLast failed login: Mon May 11 18:11:09 CEST 2020 from controlnode.example.com on ssh:notty\r\nThere was 1 failed login attempt since the last successful login.\r\nThis is the system managedhost1.\r\nToday's date is: 2020-05-06.\r\nOnly use this system with permission.\r\nYou can ask someone@host.example.com for access.\r\n[demouser2@managedhost1 ~]$ logout\r\nConnection to managedhost1 closed.<\/pre>\n
 <\/p>\n
Example 3.<\/span><\/p>\n
In this exercise, you will use Ansible Vault to encypt the file containing passwords on the local system and use that in a playbook to create users on the managedhost1 remote system.<\/p>\n
Create an encrypted file named secret2.yml in ~\/ansible\/vault\/. Provide
\na password of redhat for the vault and confirm it. This will open a file in the default editor vim.<\/p>\n
[miro@controlnode vault]$ ansible-vault create vars\/secret2.yml\r\nNew Vault password:\r\nConfirm New Vault password:\r\n\r\n[miro@controlnode vault]$ ansible-vault view vars\/secret2.yml\r\nVault password:\r\nnewusers:\r\n- name: ansibleuser1\r\n  pw: redhat\r\n- name: ansibleuser2\r\n  pw: Re4H1T\r\n<\/pre>\n
Create a playbook which will use the variables defined in the secret2.yml encrypted file. Name the playbook create_users2.yml and create it under the ~\/ansible\/vault\/ directory.\u00a0 Run this playbook as the miro user on the remote
\nmanaged host. Configure the playbook to create the ansibleuser1 and ansibleuser2 users.
\nThe password stored as plain text in the variable, pw, should be converted into password hash using hashing filters password_hash to get SHA512 hashed password and passed as an argument to the user module. For example,<\/p>\n
user:\r\n  name: user1\r\n  password: \"{{ 'example_of_password' | password_hash('sha512') }}\"<\/pre>\n
The content of the create_users.yml should be:<\/p>\n
[miro@controlnode vault]$ cat create_users2.yml\r\n---\r\n- name: create user accounts for all our servers\r\n  hosts: managedhost1\r\n  become: yes\r\n  remote_user: miro\r\n  vars_files:\r\n    - vars\/secret2.yml\r\n  tasks:\r\n    - name: Creating users from secret.yml\r\n      user:\r\n        name: \"{{ item.name }}\"\r\n        password: \"{{ item.pw | password_hash('sha512') }}\"\r\n      with_items: \"{{ newusers }}\"<\/pre>\n
Check the syntax of the create_users.yml using ansible-playbook –syntaxcheck. Use the –ask-vault-pass option to prompt for the vault password set on secret.yml. In case of syntax error, resolve before continuing further.<\/p>\n
[miro@controlnode vault]$ ansible-playbook --syntax-check --ask-vault-pass create_users2.yml\r\nVault password:\r\n\r\nplaybook: create_users2.yml<\/pre>\n
Create a password file to use for the playbook execution instead of asking for a password. The file should be called vault-pass and it should store the redhat vault password as a plain text. Change the permission of the file to 0600.<\/p>\n
[miro@controlnode vault]$ echo 'redhat' > vault-pass2\r\n[miro@controlnode vault]$ chmod 0600 vault-pass2<\/pre>\n
Execute the Ansible playbook, using the vault password file to create the ansibleuser1 and ansibleuser2 users on a remote system using the passwords stored as variables in the secret.yml Ansible Vault encrypted file. Use the vault password file vault-pass.<\/p>\n
[miro@controlnode vault]$ ansible-playbook --vault-password-file=vault-pass2 create_users2.yml\r\n\r\nPLAY [create user accounts for all our servers] ******************************************************************************\r\n\r\nTASK [Gathering Facts] *******************************************************************************************************\r\nok: [managedhost1]\r\n\r\nTASK [Creating users from secret.yml] ****************************************************************************************\r\nchanged: [managedhost1] => (item={u'name': u'ansibleuser1', u'pw': u'redhat'})\r\nchanged: [managedhost1] => (item={u'name': u'ansibleuser2', u'pw': u'Re4H1T'})\r\n\r\nPLAY RECAP *******************************************************************************************************************\r\nmanagedhost1 : ok=2 changed=1 unreachable=0 failed=0<\/pre>\n
Verify that both users were created properly by the playbook by connecting via SSH to managedhost2.<\/p>\n
[miro@controlnode vault]$ ssh ansibleuser1@managedhost1\r\nansibleuser1@managedhost1's password:\r\nThis is the system managedhost1.\r\nToday's date is: 2020-05-06.\r\nOnly use this system with permission.\r\nYou can ask someone@host.example.com for access.\r\n[ansibleuser1@managedhost1 ~]$ logout\r\nConnection to managedhost1 closed.\r\n\r\n[miro@controlnode vault]$ ssh ansibleuser2@managedhost1\r\nansibleuser2@managedhost1's password:\r\nThis is the system managedhost1.\r\nToday's date is: 2020-05-06.\r\nOnly use this system with permission.\r\nYou can ask someone@host.example.com for access.\r\n[ansibleuser2@managedhost1 ~]$ logout\r\nConnection to managedhost1 closed.<\/pre>\n
 <\/p>\n
Example 4.<\/span><\/p>\n
In this lab, you will encrypt and decrypt the YAML file containing variables for LUKS encryption which are sensitive. Use the encrypted file containing variables in a playbook to execute remote tasks on serverb.lab.example.com to create a LUKS encrypted partition on \/dev\/vdb. Edit the encrypted role variable file to add the path of the new 256-bit key file and add tasks to insert this key to an available key slot on the encrypted device \/dev\/vdb on
\nmanagedhostx.<\/p>\n
Use the ansible-galaxy command to create a role named encryptdisk and its
\ndirectory structure.<\/p>\n
[miro@controlnode ansible]$ cd roles\r\n[miro@controlnode roles]$ ansible-galaxy init --offline  encryptdisk\r\n- encryptdisk was created successfully<\/pre>\n
Edit the encryptdisk role variable file, ~\/ansible\/roles\/encryptdisk\/
\nvars\/main.yml, to add the following variables:<\/p>\n
[miro@controlnode roles]$ cat encryptdisk\/vars\/main.yml\r\n---\r\n# vars file for encryptdisk\r\nluks_dev: \/dev\/vdb\r\nluks_name: crypto\r\nluks_pass: Re4H1TAns1BLe<\/pre>\n
Encrypt the role variable file. Use redhat as the the vault password.
\nUse ansible-vault to encrypt the roles\/encryptdisk\/vars\/main.yml role variable
\nfile.<\/p>\n
[miro@controlnode roles]$ ansible-vault encrypt encryptdisk\/vars\/main.yml\r\nNew Vault password:\r\nConfirm New Vault password:\r\nEncryption successful\r\n\r\n[miro@controlnode roles]$ ansible-vault view encryptdisk\/vars\/main.yml\r\nVault password:\r\n---\r\n# vars file for encryptdisk\r\nluks_dev: \/dev\/vdb\r\nluks_name: crypto\r\nluks_pass: Re4H1TAns1BLe<\/pre>\n
Create task to encrypt a block device as specified using the luks_dev variable.<\/p>\n
TASK<\/pre>\n
Example not finished<\/strong><\/em><\/p>\n
 <\/p>\n
 <\/p>\n
 <\/p>\n
 <\/p>\n
 <\/p>\n
 <\/p>\n
 <\/p>\n
 <\/p>\n
 <\/p>\n
 <\/p>\n
 <\/p>\n
 <\/p>\n
 <\/p>\n
 <\/p>\n
 <\/p>\n
 <\/p>\n
 <\/p>\n
 <\/p>\n
 <\/p>\n","protected":false},"excerpt":{"rendered":"
Ansible may need access to sensitive data such as passwords or API keys in order to configure remote servers. Normally, this information might be stored as plain text in inventory variables or other Ansible files. But in that case, any user with access to the Ansible files or a version control system which stores the … <\/p>\n
Continue reading “Ansible Vault”<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":3329,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[86],"tags":[],"_links":{"self":[{"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/posts\/3328"}],"collection":[{"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/comments?post=3328"}],"version-history":[{"count":32,"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/posts\/3328\/revisions"}],"predecessor-version":[{"id":3587,"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/posts\/3328\/revisions\/3587"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/media\/3329"}],"wp:attachment":[{"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/media?parent=3328"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/categories?post=3328"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/miro.borodziuk.eu\/index.php\/wp-json\/wp\/v2\/tags?post=3328"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}