Using ansible vault to protect your secrets
Uploaded by excella-consulting
Transcript of Using ansible vault to protect your secrets
Who Am I?
• Daniel Davis
• Software Developer for 8 years
• Fun Fact:
– I just completed my first Half Ironman three weeks ago!
Really though, who are you?
• Came from Java world
• Python developer for 2 years
• DevOps
– Lots of work with automation and quality
A Natural Fit!
• Doing more work with Open Source
• Infrastructure as Code
– Committed to GitHub
• Accessible to others
– Use it on their own servers
• Auditable
– Can see the history of changes
DevOops
• That moment of shame when you commit something you shouldn’t…
– Like your private key or personal access tokens…
The Security Paradox
• Can’t commit some types of data
– Passwords
– API Keys
– Private keys
• But we need it to provision servers!
• How can we be both Open Source AND have Infrastructure as Code?
[Diagram: Inventory File (Prod, Staging, Dev); Playbook with Task 1, Task 2; components Apache, App Code, Elastic Search, Postgres; server groups Web Search and Database]
How do we protect our data?
Running w/ encrypted data
• Encrypt variable files w/ ansible-vault
– AES-256 encryption
• Ansible will decrypt at run-time
• Safely store encrypted values in GitHub!
• ansible-playbook -i [inventory-file] [playbook-name] --ask-vault-pass
Other Commands
• ansible-vault decrypt [filename]
• ansible-vault edit [filename]
• ansible-vault rekey [filename]
What can I encrypt?
• Pretty much anything…
– Variable files (group_vars, host_vars)
– Inventory files
– Templates
– Tasks
– Playbooks
The main limit is your imagination!!!
DON’T ENCRYPT EVERYTHING!
• Counter-intuitive:
– More developers need access to the key
• Lose commit history
• Best Practice: Only encrypt your sensitive information
But how???
Making it better
• Password prompts are annoying
– Not good for automation
• Ansible-vault offers a “password file” option
– Not much better, insecure
Password Script
• “Password file” can be executable
– Captures standard out as password
• Write a simple script:
Utilizing Jenkins
• Jenkins: Popular CI tool
• Option to “Inject passwords” into a job
– Output is masked
– Securely store your vault password
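An added example of the kind of executable "password file" the two slides above describe (not a script from the talk), assuming the vault password is handed to the job in an environment variable named VAULT_PASSWORD, which is what a Jenkins "inject passwords" step would provide:

```shell
#!/bin/sh
# vault-pass.sh (hypothetical name): Ansible executes this file and uses
# whatever it writes to standard output as the vault password. The password
# itself lives only in the VAULT_PASSWORD environment variable (an assumed
# name, set by the CI job), so nothing secret is stored on disk or in git.

vault_pass() {
    if [ -z "${VAULT_PASSWORD:-}" ]; then
        # Fail loudly: an empty password would only surface later as a
        # confusing "decryption failed" error from ansible-vault.
        echo "vault-pass.sh: VAULT_PASSWORD is not set" >&2
        return 1
    fi
    # printf writes the password without a trailing newline; Ansible
    # strips trailing whitespace from the output anyway.
    printf '%s' "$VAULT_PASSWORD"
}

# Emit the password only when executed directly as vault-pass.sh
# (a test harness sourcing this file just gets the function).
case "$0" in
    *vault-pass.sh) vault_pass ;;
esac
```

Make it executable (chmod +x vault-pass.sh) and point Ansible at it with `ansible-playbook -i [inventory-file] [playbook-name] --vault-password-file ./vault-pass.sh`; developers without the injected variable get a clear error instead of a silent failure.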
Deployments more secure
• Developers don’t have access to deploy without vault password
• Jenkins manages the password
– Only have to change it in one place if we rekey the file
Encrypted files in GitHub
• Technically could still be compromised
– Anyone can clone, attempt to brute force
– Try using a GitHub private repo
• GitHub employees could still compromise your files!
– Hosting in the cloud is still a concern
– Try using GitHub Enterprise
Links
• http://docs.ansible.com/playbooks_vault.html