Using Ansible Vault to Protect Your Secrets
Daniel Davis

Transcript of the slides.

Who Am I?

• Daniel Davis
• Software Developer for 8 years
• Fun Fact:
  – I just completed my first Half Ironman three weeks ago!

anyways…

Really though, who are you?

In the last 10 years….

• Came from Java world
• Python developer for 2 years
• DevOps
  – Lots of work with automation and quality
• Doing more work with Open Source

A Natural Fit!

• Infrastructure as Code
  – Committed to GitHub
• Accessible to others
  – Use it on their own servers
• Auditable
  – Can see the history of changes

The darker side…

DevOps!!!

DevOops!!!

DevOops

• That moment of shame when you commit something you shouldn’t…
  – Like your private key or personal access tokens…

*Not actually a hacker, just a ninja with a computer

The Security Paradox

• Can’t commit some types of data
  – Passwords
  – API Keys
  – Private keys
• But we need it to provision servers!
• How can we be both Open Source AND have Infrastructure as Code?

1 minute intro to Ansible

[Diagram slides: an Inventory File with Prod, Staging and Dev groups; a Playbook whose tasks (Task 1, Task 2) install Apache, App Code, Elastic Search and Postgres on the Web Search and Database hosts; Group Vars for Dev and Prod each defining PG_ROOT_USER and PG_ROOT_PASSWORD.]

Ansible-Vault

Installing Ansible Vault

• Comes as part of Ansible
• Install via:
  – pip
  – homebrew
  – apt-get
  – yum

How do we protect our data?

• Encrypt variable files w/ ansible-vault
  – AES-256 encryption
• Ansible will decrypt at run-time
• Safely store encrypted values in GitHub!

How do I encrypt?

• ansible-vault encrypt [filename]

Running w/ encrypted data

• ansible-playbook -i [inventory-file] [playbook-name] --ask-vault-pass

Other Commands

• ansible-vault decrypt [filename]
• ansible-vault edit [filename]
• ansible-vault rekey [filename]

What can I encrypt?

• Pretty much anything…
  – Variable files (group_vars, host_vars)
  – Inventory files
  – Templates
  – Tasks
  – Playbooks

The main limit is your imagination!!!

Having said that…

DON’T ENCRYPT EVERYTHING!

• Counter-intuitive:
  – More developers need access to the key
• Lose commit history
• Best Practice: Only encrypt your sensitive information

But how???

Splitting up group_vars

• Ansible feature: variable files may be either a file OR directory

Before

After

Watch out for variable fragmentation!

Best Practice: References

So that’s cool, but…

Making it better

• Password prompts are annoying
  – Not good for automation
• Ansible-vault offers a “password file” option
  – Not much better, insecure

Password Script

• “Password file” can be executable
  – Captures standard out as password
• Write a simple script:
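An added example (not from the talk) that ties together the group_vars split, the "references" practice and the executable password file: the plain vars file only references values held in a separate vault file, and the password script prints a CI-supplied secret so no prompt is needed. It assumes a POSIX shell, an environment variable named ANSIBLE_VAULT_PASSWORD (this example's choice; a Jenkins password injection would set it), the file names vars.yml and vault.yml, and the vault_ prefix convention from the Ansible docs.

```shell
# Lay out group_vars/prod as a directory instead of a single file.
make_group_vars() {                       # $1 = base dir
  mkdir -p "$1/group_vars/prod"
  # Plain text and diff-friendly: only references to the secret values,
  # so commit history for non-secret variables is kept.
  cat > "$1/group_vars/prod/vars.yml" <<'EOF'
---
pg_root_user: "{{ vault_pg_root_user }}"
pg_root_password: "{{ vault_pg_root_password }}"
EOF
  # Sensitive values only; this is the one file that gets encrypted.
  # The values below are constructed placeholders.
  cat > "$1/group_vars/prod/vault.yml" <<'EOF'
---
vault_pg_root_user: postgres
vault_pg_root_password: "CHANGE-ME-example-only"
EOF
}

# Executable "password file": ansible-vault runs it and uses its stdout as
# the vault password, so CI can supply it through an environment variable
# (ANSIBLE_VAULT_PASSWORD is an assumed name) instead of a prompt.
make_password_script() {                  # $1 = path of script to write
  cat > "$1" <<'EOF'
#!/bin/sh
[ -n "$ANSIBLE_VAULT_PASSWORD" ] || { echo "ANSIBLE_VAULT_PASSWORD not set" >&2; exit 1; }
printf '%s\n' "$ANSIBLE_VAULT_PASSWORD"
EOF
  chmod 700 "$1"   # owner-only: the script is the key to the vault
}

# Encrypt only vault.yml, never vars.yml. Skipped when ansible-vault is
# not installed so the layout helpers above still work on their own.
encrypt_vault_file() {                    # $1 = base dir, $2 = password script
  command -v ansible-vault >/dev/null 2>&1 || return 0
  ansible-vault encrypt --vault-password-file "$2" "$1/group_vars/prod/vault.yml"
}

# Usage (ANSIBLE_VAULT_PASSWORD exported by the CI job beforehand):
#   make_group_vars . && make_password_script ./vault-pass.sh
#   encrypt_vault_file . ./vault-pass.sh
#   ansible-playbook -i inventory site.yml --vault-password-file ./vault-pass.sh
```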

Now we’re ready to use CI!

Utilizing Jenkins

• Jenkins: Popular CI tool
• Option to “Inject passwords” into a job
  – Output is masked
  – Securely store your vault password

Deployments more secure

• Developers don’t have access to deploy without vault password
• Jenkins manages the password
  – Only have to change it in one place if we rekey the file

Extra Thoughts on Security

Encrypted files in GitHub

• Technically could still be compromised
  – Anyone can clone, attempt to brute force
  – Try using a GitHub private repo
• GitHub employees could still compromise your files!
  – Hosting in the cloud is still a concern
  – Try using GitHub enterprise

Links

• http://docs.ansible.com/playbooks_vault.html

Questions?