{"id":295265,"date":"2021-07-09T23:00:00","date_gmt":"2021-07-09T20:00:00","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/how-to-use-ansible-vault-to-store-secret-keys-cloudsavvy-it\/"},"modified":"2021-07-09T23:00:00","modified_gmt":"2021-07-09T20:00:00","slug":"how-to-use-ansible-vault-to-store-secret-keys-cloudsavvy-it","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/how-to-use-ansible-vault-to-store-secret-keys-cloudsavvy-it\/","title":{"rendered":"#How to Use Ansible Vault to Store Secret Keys \u2013 CloudSavvy IT"},"content":{"rendered":"<div id=\"article-content-area\">\n<p><img loading=\"lazy\" decoding=\"async\" class=\"type:primaryImage alignnone size-full wp-image-4390\" src=\"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2020\/02\/baa56d23.png?width=1198&amp;trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"\" width=\"1400\" height=\"584\" \/><\/p>\n<p>With most automation, credentials are needed to authenticate to and use protected resources. The long-standing challenge is how to store those credentials securely. <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.ansible.com\/\">Ansible<\/a> is an automation system that provides software provisioning, configuration management, and application deployment.<\/p>\n<p>As with any automation system, Ansible needs a secure way to store secrets. In the case of Ansible, that system is called <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/docs.ansible.com\/ansible\/latest\/user_guide\/vault.html\">Ansible Vault<\/a>. 
Ansible Vault provides a cross-platform solution for securely storing credentials.<\/p>\n<h2 role=\"heading\" aria-level=\"2\"><span class=\"ez-toc-section\" id=\"Introducing_Ansible_Vault\"><\/span>Introducing Ansible Vault<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Ansible Vault can encrypt whole files, or individual variables inside a playbook. By default it uses AES (AES256, as the vault header shows), a symmetric cipher keyed by a shared secret: anyone who holds the vault password can decrypt the data. Both file and variable encryption have their benefits and drawbacks.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"File_Encryption\"><\/span>File Encryption<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>To create a new encrypted file named <code>secrets.yml<\/code>, use the following <code>ansible-vault<\/code> command.<\/p>\n<pre><code>ansible-vault create secrets.yml\n<\/code><\/pre>\n<p>After prompting for a password, <code>ansible-vault<\/code> launches the default system editor; the file is written encrypted when you save and exit.<\/p>\n<p>Similarly, to encrypt an existing plaintext file, use the following <code>ansible-vault<\/code> command. Note that this uses the <code>encrypt<\/code> subcommand rather than <code>create<\/code>.<\/p>\n<pre><code>ansible-vault encrypt secrets.yml\n<\/code><\/pre>\n<p>The downside of file encryption is readability. If you open the file, you will find that its contents cannot be read (or meaningfully diffed in version control) without decrypting it first, for example with <code>ansible-vault view<\/code> or <code>ansible-vault edit<\/code>.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Variable_Encryption\"><\/span>Variable Encryption<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Within a playbook, you can use an encrypted variable by prefacing the encrypted data with the <code>!vault<\/code> tag. 
Running the <code>encrypt_string<\/code> subcommand of <code>ansible-vault<\/code> produces an encrypted string that you can paste into your playbooks.<\/p>\n<pre><code>ansible-vault encrypt_string 'secret_data' --name 'my_secret'\n<\/code><\/pre>\n<p>After prompting you for a password, it prints an encrypted string like the following.<\/p>\n<pre><code>my_secret: !vault |\n          $ANSIBLE_VAULT;1.1;AES256\n          37636561366636643464376336303466613062633537323632306566653533383833366462366662\n          6565353063303065303831323539656138653863353230620a653638643639333133306331336365\n          62373737623337616130386137373461306535383538373162316263386165376131623631323434\n          3866363862363335620a376466656164383032633338306162326639643635663936623939666238\n          3161\n<\/code><\/pre>\n<p>Variable encryption keeps the surrounding file readable, but you sacrifice command-line rekeying: <code>ansible-vault rekey<\/code> only works on whole encrypted files.<\/p>\n<h2 role=\"heading\" aria-level=\"2\"><span class=\"ez-toc-section\" id=\"Using_Ansible_Vault_in_Practice\"><\/span>Using Ansible Vault in Practice<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Using Ansible Vault in production brings its own challenges. The following techniques make it easier to use effectively.<\/p>\n<ul>\n<li>Unprompted Decryption<\/li>\n<li>Multiple Vaults<\/li>\n<li>Rekeying<\/li>\n<\/ul>\n<h3><span class=\"ez-toc-section\" id=\"Unprompted_Decryption\"><\/span>Unprompted Decryption<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>One option for transparently decrypting files or variables during an Ansible run is to store the password in a protected, unversioned password file. 
To reference the stored password, pass the file location with the <code>--vault-password-file<\/code> option.<\/p>\n<pre><code>ansible-playbook --vault-password-file \/path\/vault-password-file secrets.yml\n<\/code><\/pre>\n<p>This decrypts any encrypted files or variables the play references using the password read from that file.<\/p>\n<p>It is very important not to commit the plaintext password file to your version control system. Likewise, restrict the file on the filesystem to only the user or group that needs the stored password, using file permissions or access control lists (ACLs).<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Multiple_Vaults\"><\/span>Multiple Vaults<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Although it\u2019s convenient to keep every encrypted secret in a single vault, a better security practice is to split credentials into separate, purpose-specific vaults, for example one for production and one for development. Thankfully, Ansible Vault lets you create multiple vaults and labels each piece of encrypted data with the ID of the vault it belongs to.<\/p>\n<pre><code>ansible-vault create --vault-id prod@prompt prod-secrets.yml\n<\/code><\/pre>\n<p>The above command creates a file encrypted under the <code>prod<\/code> vault ID and prompts for your password at runtime (as indicated by the <code>@prompt<\/code> suffix). If you already have a password file that you would like to use, pass its path instead.<\/p>\n<pre><code>ansible-vault create --vault-id prod@\/path\/prod-vault-password-file prod-secrets.yml\n<\/code><\/pre>\n<p>Let\u2019s say we want to encrypt the same <code>my_secret<\/code> variable, but this time store it in our <code>prod<\/code> vault. 
Just as before, run <code>encrypt_string<\/code>, this time with the relevant <code>--vault-id<\/code>, so the secret is encrypted under that vault.<\/p>\n<pre><code>ansible-vault encrypt_string --vault-id prod@\/path\/prod-vault-password-file 'secret_data' --name 'my_secret'\n<\/code><\/pre>\n<p>You will notice that after the <code>AES256<\/code> string a new field, <code>prod<\/code>, appears in the header. This label tells Ansible which vault ID, and therefore which password, to use when decrypting the string.<\/p>\n<pre><code>my_secret: !vault |\n          $ANSIBLE_VAULT;1.1;AES256;prod\n          37636561366636643464376336303466613062633537323632306566653533383833366462366662\n          6565353063303065303831323539656138653863353230620a653638643639333133306331336365\n          62373737623337616130386137373461306535383538373162316263386165376131623631323434\n          3866363862363335620a376466656164383032633338306162326639643635663936623939666238\n          3161\n<\/code><\/pre>\n<p>What if you want to use multiple vaults in a single playbook run? You can pass several <code>--vault-id<\/code> options on one <code>ansible-playbook<\/code> command line.<\/p>\n<pre><code>ansible-playbook --vault-id dev@\/path\/dev-vault-password-file --vault-id prod@\/path\/prod-vault-password-file site.yml\n<\/code><\/pre>\n<h3><span class=\"ez-toc-section\" id=\"Rekeying\"><\/span>Rekeying<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Finally, it\u2019s important to rotate your vault passwords regularly. For encrypted files, use the command below. Passing the <code>--new-vault-id<\/code> parameter makes it easy to change the password the secrets are encrypted with.<\/p>\n<pre><code>ansible-vault rekey --vault-id prod@\/path\/prod-vault-password-file-old --new-vault-id prod@\/path\/prod-vault-password-file-new site.yml\n<\/code><\/pre>\n<p>As noted above, command line rekeying does not work for encrypted variables. 
In that case you need to re-encrypt each string individually with <code>encrypt_string<\/code> under the new password and replace it in the playbook.<\/p>\n<h2 role=\"heading\" aria-level=\"2\"><span class=\"ez-toc-section\" id=\"Best_Practices\"><\/span>Best Practices<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Security is difficult, especially when it comes to using secrets within automation systems. With that in mind, below are several best practices for using Ansible Vault. Some were covered above, but they are worth reiterating.<\/p>\n<ul>\n<li><strong>ACL-protected and unversioned password files.<\/strong> Password files must not be stored in version control systems such as Git. Additionally, make sure that only the appropriate users can read the password file.<\/li>\n<li><strong>Separate vaults.<\/strong> Normally, many different environments are in use. Therefore, it is best to split the required credentials into the appropriate vaults.<\/li>\n<li><strong>Regular file and variable password rekeying.<\/strong> In case of password reuse or leaks, rekey the passwords in use regularly to limit exposure.<\/li>\n<\/ul>\n<h2 role=\"heading\" aria-level=\"2\"><span class=\"ez-toc-section\" id=\"Conclusion\"><\/span>Conclusion<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>As with any automation system, it is critically important that secrets are properly protected and controlled. With Ansible Vault, that process is made easy and flexible. Using the best practices outlined above, storing and using secrets within Ansible can be done safely.<\/p>\n<p>To extend Ansible Vault even further and take this process to the next level, you can use scripts that integrate with password management solutions: if the vault password file is executable, Ansible runs it and uses its output as the password. As you can see, Ansible Vault is an excellent way to use secrets within Ansible playbooks.<\/p>\n<\/div>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/www.cloudsavvyit.com\/3902\/how-to-use-ansible-vault-to-store-secret-keys\/\" target=\"_blank\" rel=\"noopener\">Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8220;#How to Use Ansible Vault to Store Secret Keys \u2013 CloudSavvy IT&#8221; With most automation, credentials are needed to authenticate and use secure resources. What has always been a challenge is how best to store those credentials securely. Ansible is an automation system that provides software provisioning, configuration management, and application deployments. 
As with any&#8230;<\/p>\n","protected":false},"author":1,"featured_media":295266,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2020\/02\/baa56d23.png","fifu_image_alt":"","footnotes":""},"categories":[18],"tags":[],"class_list":["post-295265","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/295265","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=295265"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/295265\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/295266"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=295265"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=295265"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=295265"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}