How to use ansible-vault to secure sensitive data

How to use ansible-vault to secure sensitive data

ansible_vault.jpg

Test Environment

Ansible Controller – Fedora 32 with ansible installed
Ansible Node – Fedora 32 installed

In every infrastructure there will be passwords, private keys, keystores, tokens, secrets and other sensitive and confidential data which we need to secure. There are variours tools available which help in achieving this task like Password Privacy and Vault are a few tools to name.

Ansible vault features –

– Ansible vault helps in securing confidential information by encrypting and decrypting data
– Ansible vault can be used to encrypt variables and files
– The encryption and decryption is carried out using one or more passwords which are called vault passwords
– Multiple vault passwords can be used and differentiated using the vault ID’s
– Encryption with Ansible vault protect only data at rest
– vault ID’s add a label to the encrypted content
– vault passwords can be stored in files or in a third-party tools such as system keyring or a secret manager

Here in this article we will see how we can use ansible-vault to encrypt plain text data and other sensitive information and use them in the application repostiory.

If you are interested in watching the video. Here is the youtube vidoe on the same step by step procedure outlined below.

Procedure –

Step1: Create an Encrypted variable

In this step we are going to create a vault password file which we will use to encrypt the string using the ansible-vault as shown below. The string that we are trying to encrypt in ‘db_password’ and its reference variable name is ‘dbpass’

Create an Encrypted variable
[admin@ansicontrol ansiblevaultexample]$ cat vaultpass
test@1234

[admin@ansicontrol ansiblevaultexample]$ ansible-vault encrypt_string --vault-password-file vaultpass 'db_password' --name 'dbpass'
dbpass: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          66666263623063376161366132643236316334303139353235633836653830343466386464663365
          3232613032373166613165376666386632373530313865370a353765386161633863633831366334
          64343235333064356263663164373866363236363630363936663837373934333361646531653666
          3766386630333361610a346332373238643834313634656532343562633362376233313864366633
          6635
Encryption successful

Step2: Create an Encrypted variable using the vault-id

This is the same step as step1 but we have encrypted the string using the ‘vault-id’ option which help in providing the reference label along with the password file for our encrypted data.

Create an Encrypted variable using vault-id
[admin@ansicontrol ansiblevaultexample]$ cat vaultpass
test@1234

[admin@ansicontrol ansiblevaultexample]$ ansible-vault encrypt_string --vault-id proddb@vaultpass 'db_password' --name 'dbpass'
dbpass: !vault |
          $ANSIBLE_VAULT;1.2;AES256;proddb
          31333534613531356265323134643533653262316635666563373039366366336631333164373036
          3137363935356363366432303233373635626133333964320a386533633461393632333665633536
          62313066623361316431316438326130616639626332393466336135653534323934393631373437
          3037613237656432350a663564326130383733326231343636356638373637323866633339386631
          3631
Encryption successful

Step3: Store the encrypted variable content in a vars.yaml file

Lets store the encrypted varilable into a varialbes file called vars.yaml

Store the encrypted content into vars.yaml file
[admin@ansicontrol ansiblevaultexample]$ cat vars.yaml
dbpass: !vault |
          $ANSIBLE_VAULT;1.2;AES256;proddb
          36376132393730303164616462306663393965656662343536643138656666313762356330386662
          6336623035313962386264396666326663336563666162380a336530396537386361323161653861
          36393630656337326236313964623735393134373839386361633938663964363863333431346633
          3566303636336638630a373865373864323066646138303661616430386637396338316432343630
          6132

Step4: Decrypt the variable content using the ansible tool

Lets decrypt the variable encrypted data using the ad-hoc command with debug module as shown below

Decrypt the variable using the ad-hoc comman with debug module
[admin@ansicontrol ansiblevaultexample]$ ansible localhost -m debug -a var="dbpass" -e "@vars.yaml" --vault-id proddb@vaultpass
localhost | SUCCESS => {
    "dbpass": "db_password"
}

Step5: Decrypt the variable content within a playbook using vars_file

Here in this step we are trying to reference the variable file encrypted content in the playbook and decrypt it.

Decrypt the variable content using the playbook with reference to variables file
[admin@ansicontrol ansiblevaultexample]$ cat vaultvarexample.yaml
---
- hosts: stack
  remote_user: admin
  vars_files:
    - vars.yaml
  tasks:
    - name: Decrypt the dbpass
      debug:
        var: dbpass

[admin@ansicontrol ansiblevaultexample]$ ansible-playbook vaultvarexample.yaml --vault-id proddb@vaultpass

PLAY [stack] *****************************************************************************************************************

TASK [Gathering Facts] *******************************************************************************************************
ok: [192.168.47.130]

TASK [Decrypt the dbpass] ****************************************************************************************************
ok: [192.168.47.130] => {
    "dbpass": "db_password"
}

PLAY RECAP *******************************************************************************************************************
192.168.47.130             : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

Step6: Decrypt the variable content within a playbook using vars

Decrypt the variable content using the playbook with variable encrypted data
[admin@ansicontrol ansiblevaultexample]$ cat vaultvarexample2.yaml
---
- hosts: stack
  remote_user: admin
  vars:
    dbpass: !vault |
          $ANSIBLE_VAULT;1.2;AES256;proddb
          36376132393730303164616462306663393965656662343536643138656666313762356330386662
          6336623035313962386264396666326663336563666162380a336530396537386361323161653861
          36393630656337326236313964623735393134373839386361633938663964363863333431346633
          3566303636336638630a373865373864323066646138303661616430386637396338316432343630
          6132
  tasks:
    - name: Decrypt the dbpass
      debug:
        var: dbpass

[admin@ansicontrol ansiblevaultexample]$ ansible-playbook vaultvarexample2.yaml --vault-id proddb@vaultpass

PLAY [stack] *****************************************************************************************************************

TASK [Gathering Facts] *******************************************************************************************************
ok: [192.168.47.130]

TASK [Decrypt the dbpass] ****************************************************************************************************
ok: [192.168.47.130] => {
    "dbpass": "db_password"
}

PLAY RECAP *******************************************************************************************************************
192.168.47.130             : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

Hope you enjoyed reading this article. Thank you..