utility repo which contains scripts to use a gpg-encrypted vault in ansible, meant to be included as a submodule in a playbook

ansible-gpg-vault

Purpose

This is meant to be used as a git submodule, so it can easily be included in repos containing ansible vaults.

It generates a strong passphrase and encrypts it using GPG, so that only authorized people may open/edit the vaults while the whole playbook can still be world-readable.

Setup

In your project, add this as a submodule. Let's assume we are in awesome-project/:

$ pwd
awesome-project/
$ git submodule add $this_repo
Cloning into 'awesome-project/ansible-gpg-vault'...
Unpacking objects: 100%, done.
$ ./ansible-gpg-vault/vault.sh init
Specify the inital user who may access the vault
GPG user id: $yourUserIdHere
$ 

Now make sure you instruct ansible to use the vault script when looking for the vault passphrase by editing ansible.cfg to contain:

[defaults]

vault_password_file = ansible-gpg-vault/vault.sh

And then you should be done already! Time to create your first vault in the normal ansible way:

$ ansible-vault create host_vars/secrets.yml
< $EDITOR for host_vars/secrets.yml opens >

Usage

Adding users

You may add users by calling ansible-gpg-vault/vault.sh add (interactive) or ansible-gpg-vault/vault.sh add $NEWUSER (non-interactive).

Always ensure that gpg2 knows the user-id on the machine, as key downloading from a keyserver is not implemented yet.

Reencrypting

After a user is added, the file containing ansible's vault passphrase is automatically decrypted and encrypted again. You can trigger this manually using ansible-gpg-vault/vault.sh reencrypt.

Deleting users

Deleting is not yet implemented; you can remove users manually by removing their id from ansible-gpg-vault-store/gpg_ids.list and then calling ansible-gpg-vault/vault.sh reencrypt to reencrypt the passphrase.

Security notice: a user who decrypted and saved the passphrase while they still had authorized access keeps that passphrase afterwards; removing them from the list and reencrypting does not protect against this.

Storage

The passphrase and the list of gpg user-ids are stored in ansible-gpg-vault-store/ at the top level of the repository, so as not to dirty the submodule's tree and so that the changes can be committed in the repository they belong to.
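To make the mechanism behind the Setup, Usage and Storage sections concrete, here is an added example that re-implements the described workflow as a small Python CLI. It is not the project's own vault.sh. It follows the page for the store location (ansible-gpg-vault-store/ one level above the submodule directory), the id list name gpg_ids.list and the subcommands init, add and reencrypt; the encrypted passphrase file name passphrase.gpg, the environment variables GPG and VAULT_STORE_DIR, and the rotate subcommand (which answers the security notice above by issuing a fresh passphrase and rekeying the vault files) are assumptions and additions of this example, not features of the project. With no arguments it prints the passphrase, which is what Ansible expects from a vault_password_file script.

```python
#!/usr/bin/env python3
"""Added example (not the project's vault.sh): the passphrase-in-GPG workflow
from the README as a Python CLI. Assumptions: gpg2 on PATH; the store is
ansible-gpg-vault-store/ one directory above this script (the playbook's top
level when this lives in a submodule); passphrase.gpg and 'rotate' are not
from the project."""
import os
import secrets
import subprocess
import sys
import tempfile
from pathlib import Path

GPG = os.environ.get("GPG", "gpg2")
SCRIPT_DIR = Path(__file__).resolve().parent
STORE = Path(os.environ.get("VAULT_STORE_DIR", SCRIPT_DIR.parent / "ansible-gpg-vault-store"))
IDS_FILE = STORE / "gpg_ids.list"      # name from the README
SECRET_FILE = STORE / "passphrase.gpg"  # assumed name


def gen_passphrase(nbytes: int = 32) -> str:
    """256 bits from the OS CSPRNG, hex-encoded so it is safe in any file or shell."""
    return secrets.token_hex(nbytes)


def parse_ids(text: str) -> list:
    """One gpg user-id per line; blank lines and '#' comments are ignored and
    duplicates dropped (order kept), so a user listed twice gets one -r."""
    seen, ids = set(), []
    for line in text.splitlines():
        uid = line.strip()
        if not uid or uid.startswith("#") or uid in seen:
            continue
        seen.add(uid)
        ids.append(uid)
    return ids


def encrypt_argv(ids: list) -> list:
    """gpg invocation that encrypts stdin to every listed id. Deliberately no
    --trust-model always: an unverified recipient key makes gpg refuse in
    --batch mode, which is the safe failure for a shared secret."""
    if not ids:
        raise ValueError("recipient list is empty")
    argv = [GPG, "--batch", "--yes", "--armor", "--encrypt"]
    for uid in ids:
        argv += ["-r", uid]
    return argv


def encrypt_to_list(plaintext: str) -> bytes:
    ids = parse_ids(IDS_FILE.read_text())
    return subprocess.run(encrypt_argv(ids), input=plaintext.encode(),
                          capture_output=True, check=True).stdout


def decrypt_passphrase() -> str:
    out = subprocess.run([GPG, "--batch", "--quiet", "--decrypt", str(SECRET_FILE)],
                         capture_output=True, check=True).stdout
    return out.decode().strip()


def write_secret(ciphertext: bytes) -> None:
    """Replace passphrase.gpg atomically so an interrupted run never leaves a truncated file."""
    tmp = SECRET_FILE.with_suffix(".tmp")
    tmp.write_bytes(ciphertext)
    os.replace(tmp, SECRET_FILE)


def ask_uid(args: list, prompt: str) -> str:
    return args[0] if args else input(prompt)


def cmd_init(args):
    STORE.mkdir(parents=True, exist_ok=True)
    if SECRET_FILE.exists():
        sys.exit(f"{SECRET_FILE} already exists; use 'reencrypt' or 'rotate'")
    uid = ask_uid(args, "Specify the initial user who may access the vault\nGPG user id: ")
    IDS_FILE.write_text(uid + "\n")
    write_secret(encrypt_to_list(gen_passphrase()))


def cmd_output(args):
    """What Ansible runs through vault_password_file: the passphrase on stdout, nothing else."""
    sys.stdout.write(decrypt_passphrase())


def cmd_add(args):
    uid = ask_uid(args, "GPG user id: ")
    with IDS_FILE.open("a") as f:
        f.write(uid + "\n")
    cmd_reencrypt(args)


def cmd_reencrypt(args):
    write_secret(encrypt_to_list(decrypt_passphrase()))


def cmd_rotate(args):
    """Addition: new passphrase plus 'ansible-vault rekey' of the given vault files,
    so a removed user's saved copy of the old passphrase stops working."""
    if not args:
        sys.exit("usage: rotate VAULTFILE...")
    new = gen_passphrase()
    fd, path = tempfile.mkstemp()  # created 0600, holds the new passphrase briefly
    try:
        with os.fdopen(fd, "w") as f:
            f.write(new)
        # ansible-vault calls this script with no args to obtain the old passphrase
        subprocess.run(["ansible-vault", "rekey", "--vault-password-file",
                        os.path.abspath(sys.argv[0]), "--new-vault-password-file", path,
                        *args], check=True)
        write_secret(encrypt_to_list(new))  # only after every vault file was rekeyed
    finally:
        os.unlink(path)


COMMANDS = {"init": cmd_init, "output": cmd_output, "add": cmd_add,
            "reencrypt": cmd_reencrypt, "rotate": cmd_rotate}

if __name__ == "__main__":
    name = sys.argv[1] if len(sys.argv) > 1 else "output"  # no args: Ansible is calling us
    if name not in COMMANDS:
        sys.exit("usage: vault.py {init|output|add|reencrypt|rotate} [ARG...]")
    COMMANDS[name](sys.argv[2:])
```

Because the store lives outside the submodule, the script resolves it relative to its own location rather than to the current working directory, so Ansible can invoke it from any directory. Recipient keys must already be imported and trusted in the local keyring, matching the README's note that keyserver lookup is not done for you.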