How to use ansible-vault to secure sensitive data
Test Environment
Ansible Controller – Fedora 32 with ansible installed
Ansible Node – Fedora 32 installed
In every infrastructure there are passwords, private keys, keystores, tokens, secrets and other sensitive and confidential data which we need to secure. There are various tools available which help with this task; Password Privacy and Vault are a few tools to name.
Ansible vault features –
– Ansible vault helps in securing confidential information by encrypting and decrypting data
– Ansible vault can be used to encrypt variables and files
– The encryption and decryption are carried out using one or more passwords, which are called vault passwords
– Multiple vault passwords can be used and differentiated using vault IDs
– Encryption with Ansible vault protects only data at rest; once a play decrypts a value it is plaintext in memory and in any output that prints it, as the debug tasks below do
– Vault IDs add a label to the encrypted content
– Vault passwords can be stored in files or in third-party tools such as a system keyring or a secret manager
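The last two points (a vault ID label per password, and keeping the password out of a plain file) can be combined with Ansible's vault password client scripts: when the script named after the @ in --vault-id ends in "-client", Ansible runs it with --vault-id <label> and reads the password from its stdout. The script below is an added example, not code from the article; the ANSIBLE_VAULT_PASS_<LABEL> variable naming and the ~/.ansible-vault-ids fallback directory are conventions chosen here, and the fallback file is used only when its mode grants nothing to group or other.

```python
#!/usr/bin/env python3
"""vault-env-client.py: an ansible-vault password client script (added example).

Assumptions (not from the article): Ansible invokes a script whose name ends in
"-client" with ``--vault-id <label>`` and reads the password from stdout.  The
label is resolved from the environment variable ANSIBLE_VAULT_PASS_<LABEL>
(a naming scheme chosen here), falling back to ~/.ansible-vault-ids/<label>
(also an assumption) only if that file is private to its owner.
"""
import argparse
import os
import stat
import sys

ENV_PREFIX = "ANSIBLE_VAULT_PASS_"
DEFAULT_DIR = os.path.expanduser("~/.ansible-vault-ids")  # assumed location


def env_var_for(label: str) -> str:
    """Map a vault-id label such as 'proddb' to ANSIBLE_VAULT_PASS_PRODDB."""
    cleaned = "".join(c if c.isalnum() else "_" for c in label).upper()
    return ENV_PREFIX + cleaned


def mode_is_private(mode: int) -> bool:
    """True when a file mode grants no permission bits to group or other."""
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def resolve_password(label: str, environ=None, fallback_dir=DEFAULT_DIR) -> str:
    """Return the vault password for `label`; raise LookupError/PermissionError."""
    # The label becomes a file name below, so reject anything path-like.
    if label != os.path.basename(label) or label in ("", ".", ".."):
        raise LookupError(f"refusing suspicious vault-id label {label!r}")
    environ = os.environ if environ is None else environ
    value = environ.get(env_var_for(label))
    if value:
        return value
    path = os.path.join(fallback_dir, label)
    if not os.path.isfile(path):
        raise LookupError(
            f"no password for vault-id {label!r}: set {env_var_for(label)} or create {path}"
        )
    mode = os.stat(path).st_mode
    if not mode_is_private(mode):
        raise PermissionError(
            f"{path} is readable by group/other (mode {stat.S_IMODE(mode):04o}); refusing to use it"
        )
    with open(path, encoding="utf-8") as fh:
        return fh.read().strip()


def main(argv=None) -> int:
    parser = argparse.ArgumentParser(description="ansible-vault password client")
    # Ansible passes exactly this option to a script whose name ends in "-client".
    parser.add_argument("--vault-id", required=True)
    args = parser.parse_args(argv)
    try:
        password = resolve_password(args.vault_id)
    except (LookupError, PermissionError) as exc:
        print(f"vault-env-client: {exc}", file=sys.stderr)
        return 1
    print(password)  # Ansible reads the password from stdout
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Make the script executable and point the vault ID at it instead of at a password file, for example ANSIBLE_VAULT_PASS_PRODDB='...' ansible-playbook vaultvarexample.yaml --vault-id proddb@./vault-env-client.py. A real deployment would replace the environment lookup with a call to the system keyring or secret manager the feature list mentions; the label-to-source mapping and the mode check are the parts that stay the same.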
In this article we will see how we can use ansible-vault to encrypt plain text data and other sensitive information and use it in the application repository.
If you prefer to watch a video, here is the YouTube video covering the same step-by-step procedure outlined below.
Procedure –
Step 1: Create an encrypted variable
In this step we are going to create a vault password file, which we will use to encrypt the string with ansible-vault as shown below. The string that we are trying to encrypt is ‘db_password’ and its reference variable name is ‘dbpass’.
Create an encrypted variable
[admin@ansicontrol ansiblevaultexample]$ cat vaultpass
test@1234
[admin@ansicontrol ansiblevaultexample]$ ansible-vault encrypt_string --vault-password-file vaultpass 'db_password' --name 'dbpass'
dbpass: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          66666263623063376161366132643236316334303139353235633836653830343466386464663365
          3232613032373166613165376666386632373530313865370a353765386161633863633831366334
          64343235333064356263663164373866363236363630363936663837373934333361646531653666
          3766386630333361610a346332373238643834313634656532343562633362376233313864366633
          6635
Encryption successful
Step 2: Create an encrypted variable using the vault-id
This is the same as step 1, but we have encrypted the string using the ‘vault-id’ option, which attaches a reference label (here ‘proddb’) to the password file for our encrypted data. Note that the header of the output now reads 1.2 and carries the label.
Create an encrypted variable using vault-id
[admin@ansicontrol ansiblevaultexample]$ cat vaultpass
test@1234
[admin@ansicontrol ansiblevaultexample]$ ansible-vault encrypt_string --vault-id proddb@vaultpass 'db_password' --name 'dbpass'
dbpass: !vault |
          $ANSIBLE_VAULT;1.2;AES256;proddb
          31333534613531356265323134643533653262316635666563373039366366336631333164373036
          3137363935356363366432303233373635626133333964320a386533633461393632333665633536
          62313066623361316431316438326130616639626332393466336135653534323934393631373437
          3037613237656432350a663564326130383733326231343636356638373637323866633339386631
          3631
Encryption successful
Step 3: Store the encrypted variable content in a vars.yaml file
Let's store the encrypted variable in a variables file called vars.yaml.
Store the encrypted content in the vars.yaml file
[admin@ansicontrol ansiblevaultexample]$ cat vars.yaml
dbpass: !vault |
          $ANSIBLE_VAULT;1.2;AES256;proddb
          36376132393730303164616462306663393965656662343536643138656666313762356330386662
          6336623035313962386264396666326663336563666162380a336530396537386361323161653861
          36393630656337326236313964623735393134373839386361633938663964363863333431346633
          3566303636336638630a373865373864323066646138303661616430386637396338316432343630
          6132
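Once secrets live in a vars file like this one, the mistake to catch before a commit is a value that is not vaulted at all, or one vaulted under the wrong vault ID from Step 2. The script below is an added example, not code from the article or from Ansible: it walks a vars file, validates the structure of every !vault scalar (the $ANSIBLE_VAULT header, the version/label pairing, and the hex payload that wraps salt, HMAC and ciphertext in the vault 1.x AES256 layout) and flags plaintext values under secret-looking keys. The sample file is constructed; its dbpass block is the one shown in vars.yaml above, and the key-name pattern used to decide what counts as a secret is an assumption.

```python
"""Audit a vars file for ansible-vault envelopes (added example, not from the article).

Assumptions: each secret is stored as ``key: !vault |`` followed by an indented
block whose first line is the ``$ANSIBLE_VAULT`` header, as vars.yaml above is.
The payload layout checked here (hex text wrapping ``salt_hex\\nhmac_hex\\n
ciphertext_hex``: 32-byte salt, 32-byte HMAC-SHA256, AES-256 ciphertext in whole
16-byte blocks) is the Ansible vault 1.x AES256 format.  The sample vars file is
constructed; its dbpass block is copied from Step 3.
"""
import binascii
import re
import textwrap

HEADER_RE = re.compile(
    r"^\$ANSIBLE_VAULT;(?P<version>1\.[12]);(?P<cipher>AES256)(?:;(?P<label>[^;\s]+))?$"
)
KEY_RE = re.compile(r"^(?P<key>[A-Za-z_]\w*):\s*(?P<rest>.*)$")
# Assumed naming pattern: keys like these must never be stored in plaintext.
SENSITIVE_RE = re.compile(r"pass|secret|token|key", re.IGNORECASE)


def parse_vault_envelope(block: str) -> dict:
    """Validate one '!vault' scalar's structure; raise ValueError if malformed."""
    lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty vault block")
    m = HEADER_RE.match(lines[0])
    if not m:
        raise ValueError(f"bad vault header: {lines[0]!r}")
    version, label = m.group("version"), m.group("label")
    if version == "1.2" and not label:
        raise ValueError("format 1.2 requires a vault-id label")
    if version == "1.1" and label:
        raise ValueError("format 1.1 does not carry a label")
    # Outer hex layer wraps "salt_hex\nhmac_hex\nciphertext_hex" (binascii.Error is a ValueError).
    inner = binascii.unhexlify("".join(lines[1:]))
    parts = inner.split(b"\n")
    if len(parts) != 3:
        raise ValueError(f"expected salt/hmac/ciphertext, got {len(parts)} parts")
    salt, mac, ciphertext = (binascii.unhexlify(p) for p in parts)
    if len(salt) != 32:
        raise ValueError(f"salt is {len(salt)} bytes, expected 32")
    if len(mac) != 32:
        raise ValueError(f"HMAC is {len(mac)} bytes, expected 32 (SHA-256)")
    if not ciphertext or len(ciphertext) % 16:
        raise ValueError(f"ciphertext length {len(ciphertext)} is not a multiple of 16")
    return {"version": version, "label": label, "salt_len": len(salt),
            "hmac_len": len(mac), "ciphertext_len": len(ciphertext)}


def audit_vars(text: str, required_label=None) -> list:
    """Classify each top-level key: ok, wrong-label, invalid, plaintext or plaintext-secret."""
    findings = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = KEY_RE.match(lines[i])
        i += 1
        if not m:
            continue  # '---', comments, nested lines
        key, rest = m.group("key"), m.group("rest").strip()
        if not rest.startswith("!vault"):
            status = "plaintext-secret" if SENSITIVE_RE.search(key) else "plaintext"
            findings.append({"key": key, "status": status, "detail": rest})
            continue
        block = []  # the indented lines that make up the vault scalar
        while i < len(lines) and lines[i][:1] in (" ", "\t"):
            block.append(lines[i])
            i += 1
        try:
            env = parse_vault_envelope("\n".join(block))
        except ValueError as exc:
            findings.append({"key": key, "status": "invalid", "detail": str(exc)})
            continue
        if required_label and env["label"] != required_label:
            findings.append({"key": key, "status": "wrong-label", "detail": env["label"]})
        else:
            findings.append({"key": key, "status": "ok", "detail": env["label"]})
    return findings


# The dbpass envelope exactly as printed by 'cat vars.yaml' in Step 3.
DBPASS_BLOCK = """\
$ANSIBLE_VAULT;1.2;AES256;proddb
36376132393730303164616462306663393965656662343536643138656666313762356330386662
6336623035313962386264396666326663336563666162380a336530396537386361323161653861
36393630656337326236313964623735393134373839386361633938663964363863333431346633
3566303636336638630a373865373864323066646138303661616430386637396338316432343630
6132"""

# Constructed sample vars file: one vaulted secret, one harmless plaintext value,
# and one secret-looking key left in plaintext (the mistake this audit catches).
VARS_SAMPLE = (
    "---\n"
    + "db_host: db.example.internal\n"
    + "dbpass: !vault |\n"
    + textwrap.indent(DBPASS_BLOCK, " " * 10)
    + "\napi_token: example-plaintext-token\n"
)

if __name__ == "__main__":
    for f in audit_vars(VARS_SAMPLE, required_label="proddb"):
        print(f"{f['status']:<16} {f['key']}: {f['detail']}")
```

Run against the sample, dbpass reports ok with label proddb, db_host is reported as plaintext (informational) and api_token as plaintext-secret; passing a different required_label turns dbpass into wrong-label. The structural check only proves the blob is a well-formed vault envelope, not that it decrypts with the expected password; for that, the ansible ad-hoc command in Step 4 is the test.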
Step 4: Decrypt the variable content using the ansible tool
Let's decrypt the encrypted variable with an ad-hoc command using the debug module, as shown below.
Decrypt the variable using the ad-hoc command with the debug module
[admin@ansicontrol ansiblevaultexample]$ ansible localhost -m debug -a var="dbpass" -e "@vars.yaml" --vault-id proddb@vaultpass
localhost | SUCCESS => {
    "dbpass": "db_password"
}
Step 5: Decrypt the variable content within a playbook using vars_files
In this step we reference the variables file containing the encrypted content from the playbook and decrypt it.
Decrypt the variable content using a playbook that references the variables file
[admin@ansicontrol ansiblevaultexample]$ cat vaultvarexample.yaml
---
- hosts: stack
  remote_user: admin
  vars_files:
    - vars.yaml
  tasks:
    - name: Decrypt the dbpass
      debug:
        var: dbpass
[admin@ansicontrol ansiblevaultexample]$ ansible-playbook vaultvarexample.yaml --vault-id proddb@vaultpass

PLAY [stack] *****************************************************************************************************************

TASK [Gathering Facts] *******************************************************************************************************
ok: [192.168.47.130]

TASK [Decrypt the dbpass] ****************************************************************************************************
ok: [192.168.47.130] => {
    "dbpass": "db_password"
}

PLAY RECAP *******************************************************************************************************************
192.168.47.130             : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
Step 6: Decrypt the variable content within a playbook using vars
Decrypt the variable content using a playbook with the encrypted data inline in vars
[admin@ansicontrol ansiblevaultexample]$ cat vaultvarexample2.yaml
---
- hosts: stack
  remote_user: admin
  vars:
    dbpass: !vault |
      $ANSIBLE_VAULT;1.2;AES256;proddb
      36376132393730303164616462306663393965656662343536643138656666313762356330386662
      6336623035313962386264396666326663336563666162380a336530396537386361323161653861
      36393630656337326236313964623735393134373839386361633938663964363863333431346633
      3566303636336638630a373865373864323066646138303661616430386637396338316432343630
      6132
  tasks:
    - name: Decrypt the dbpass
      debug:
        var: dbpass
[admin@ansicontrol ansiblevaultexample]$ ansible-playbook vaultvarexample2.yaml --vault-id proddb@vaultpass

PLAY [stack] *****************************************************************************************************************

TASK [Gathering Facts] *******************************************************************************************************
ok: [192.168.47.130]

TASK [Decrypt the dbpass] ****************************************************************************************************
ok: [192.168.47.130] => {
    "dbpass": "db_password"
}

PLAY RECAP *******************************************************************************************************************
192.168.47.130             : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
Hope you enjoyed reading this article. Thank you.