utility repo which contains scripts to use a gpg-encrypted vault in ansible, meant to be included as a submodule in a playbook

ansible-gpg-vault

Purpose

This is meant to be used as a git submodule, which can easily be included in repos containing ansible vaults.

It generates a strong passphrase and encrypts it using GPG so only authorized people may open/edit the vaults while still allowing the whole playbook to be world-readable.

Setup

In your project, add this as a submodule. Let's assume we are in awesome-project/:

$ pwd
awesome-project/
$ git submodule add $this_repo
Cloning into 'awesome-project/ansible-gpg-vault'...
Unpacking objects: 100%, done.
$ ./ansible-gpg-vault/vault.sh init
Specify the initial user who may access the vault
GPG user id: $yourUserIdHere
$ 

Now make sure you instruct ansible to use the vault script when looking for the vault passphrase by editing ansible.cfg to contain:

[defaults]

vault_password_file = ansible-gpg-vault/vault.sh

And then you should be done already! Time to create your first vault in the usual ansible way:

$ ansible-vault create host_vars/secrets.yml
< $EDITOR opens >

Usage

Adding users

You may add users by calling ansible-gpg-vault/vault.sh add (interactive) or ansible-gpg-vault/vault.sh add $NEWUSER (non-interactive).

Always ensure that gpg2 knows the user-id on the machine, as key downloading from a keyserver is not implemented yet.

Reencrypting

After a user is added, the file containing ansible's vault passphrase is automatically decrypted and encrypted again. You can trigger this manually using ansible-gpg-vault/vault.sh reencrypt.

Deleting users

Deleting is not yet implemented; you can remove users manually by removing their id from ansible-gpg-vault-store/gpg_ids.list and then calling ansible-gpg-vault/vault.sh reencrypt to reencrypt the passphrase.

Security notice: a malicious user who decrypted and saved the passphrase while they had authorized access still has the passphrase afterwards; deleting them and reencrypting does not protect against this attack.

Storage

The passphrase and the list of gpg user-ids are stored in ansible-gpg-vault-store/ at the top level of the repository, so as not to dirty the tree of the submodule and so that the changes can be committed in the repository they belong to.
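To make the mechanism of the Setup, Usage and Storage sections concrete, here is an added example of a vault password script built around the same store layout. It is not the project's own vault.sh: the function names, the '#'-comment convention inside gpg_ids.list and the name of the encrypted passphrase file (vault_passphrase.gpg) are assumptions of this example, since the README does not name that file. Ansible runs a vault_password_file script with no arguments and reads the passphrase from its stdout, which is what the no-argument branch does.

```shell
#!/bin/sh
# Added example, not the project's vault.sh. Store layout follows the README:
# ansible-gpg-vault-store/gpg_ids.list holds one GPG user-id per line; the
# encrypted passphrase file name below is an assumption of this example.
set -eu

STORE="${ANSIBLE_GPG_VAULT_STORE:-ansible-gpg-vault-store}"
IDS_FILE="$STORE/gpg_ids.list"
PASS_FILE="$STORE/vault_passphrase.gpg"   # assumed file name

# Strong random passphrase: 32 bytes from the kernel CSPRNG, base64 encoded,
# padding and newline stripped (43 printable characters, ~256 bits).
generate_passphrase() {
    head -c 32 /dev/urandom | base64 | tr -d '\n='
}

# Print the user-ids from the list file, ignoring blank lines and '#' comments
# (the comment convention is this example's, not the README's).
list_recipients() {
    ids_file="${1:-$IDS_FILE}"
    if [ ! -r "$ids_file" ]; then
        echo "cannot read $ids_file" >&2
        return 1
    fi
    grep -v -e '^[[:space:]]*$' -e '^[[:space:]]*#' "$ids_file" || true
}

# Read the cleartext passphrase on stdin and write an armored ciphertext
# addressed to every listed user-id. Refuses to run with an empty list so a
# mangled gpg_ids.list cannot produce a file nobody can open.
encrypt_passphrase() {
    set --
    while IFS= read -r id; do
        set -- "$@" -r "$id"
    done <<EOF
$(list_recipients "$IDS_FILE")
EOF
    if [ $# -eq 0 ]; then
        echo "refusing to encrypt: $IDS_FILE lists no recipients" >&2
        return 1
    fi
    # --trust-model always: membership in gpg_ids.list is the authorization
    # decision in this design, so gpg's web-of-trust check is not consulted.
    gpg --batch --yes --armor --trust-model always --encrypt "$@" --output "$PASS_FILE"
}

# What ansible calls: decrypt with the caller's own secret key, passphrase to stdout.
decrypt_passphrase() {
    gpg --batch --quiet --decrypt "$PASS_FILE"
}

# Decrypt to a variable first so the ciphertext is fully read before it is overwritten.
reencrypt() {
    plain=$(decrypt_passphrase)
    printf '%s' "$plain" | encrypt_passphrase
}

init_store() {
    mkdir -p "$STORE"
    if [ -e "$PASS_FILE" ]; then
        echo "$PASS_FILE exists, refusing to overwrite" >&2
        return 1
    fi
    printf '%s\n' "$1" > "$IDS_FILE"
    generate_passphrase | encrypt_passphrase
}

# Mirrors the README's requirement that gpg already knows the user-id.
add_user() {
    if ! gpg --batch --list-keys "$1" >/dev/null 2>&1; then
        echo "gpg does not know $1; import the key first" >&2
        return 1
    fi
    printf '%s\n' "$1" >> "$IDS_FILE"
    reencrypt
}

main() {
    case "${1:-}" in
        init)      init_store "${2:?GPG user id required}" ;;
        add)       add_user "${2:?GPG user id required}" ;;
        reencrypt) reencrypt ;;
        "")        decrypt_passphrase ;;
        *)         echo "usage: $0 [init ID|add ID|reencrypt]" >&2; exit 64 ;;
    esac
}

# Dispatch only when installed under the name the README uses (vault.sh), so the
# functions can also be sourced by a harness without invoking gpg.
case "${0##*/}" in
    vault.sh) main "$@" ;;
esac
```

Two points worth keeping in mind when running something like this: reencrypting only changes who can decrypt the stored file, while the passphrase value itself stays the same, which is exactly why the security notice above holds; to lock out someone who may have saved it you need a new passphrase and `ansible-vault rekey` on every vault file. And because gpg_ids.list is committed alongside the playbook, an edit to it is an access-control change and should be reviewed as one before the next reencrypt.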
