Ansible Vault
"""""""""""""

How to store sensitive data
===========================

* keep sensitive data such as passwords or keys in encrypted files
* ``ansible-vault`` is used to manage encrypted files
* use the command line flag ``--ask-vault-pass`` with ``ansible`` and ``ansible-playbook``
* you can define a file containing your password with ``--vault-password-file``

.. hint::

   You can specify the location of a password file in the ``ansible.cfg``.

What Can Be Encrypted
---------------------

* any structured data file used by Ansible can be encrypted

  * group_vars
  * host_vars
  * inventory variables
  * include_vars
  * vars_files
  * role variables / defaults

* Ansible tasks, handlers, etc. are also data, so these can be encrypted with vault as well

How to use ansible-vault
------------------------

.. code-block:: bash

   # create a new vault group variable file
   ansible-vault create vault.yml

   # decrypt a vault file
   ansible-vault decrypt vault.yml

   # edit a vault file
   ansible-vault edit vault.yml

   # encrypt a file
   ansible-vault encrypt vault.yml

   # view an encrypted vault file
   ansible-vault view vault.yml

   # change the password for a vault file
   ansible-vault rekey vault.yml

To run a playbook with encrypted files, use the option ``--ask-vault-pass``.

.. code-block:: bash

   # run a playbook and ask for the vault password
   ansible-playbook play.yml --ask-vault-pass

.. hint::

   Speed up vault operations with the ``cryptography`` package.

.. hint::

   Set ``no_log: true`` per task to ensure the decrypted content is not logged!

Encrypt a string
----------------

* it's also possible to encrypt only a single string instead of the whole file

.. code-block:: bash

   ansible-vault encrypt_string
   New Vault password:
   Confirm New Vault password:
   Reading plaintext input from stdin. (ctrl-d to end input)
   mypassword
   !vault |
             $ANSIBLE_VAULT;1.1;AES256
             33353164326334623734376262663532643238653232623666383035336134626137363233646661
             6635353632633765333436333137393636636131323938330a656464643666386666303338316138
             35373864373865343830663363663066346435616434356266383265613964623563373063656135
             6566396333663537370a396338613738613139343631323266393339346338623935323763306462
             6532
   Encryption successful

Layer of indirection
--------------------

* for every sensitive variable, create a prefixed duplicate (``vault_`` prefix) that goes in an encrypted file; see `Ansible Docs `_
* if you search for a variable with ``grep`` or other tools, you will still find the plaintext variable definition, which points you to the vault variable

.. code-block:: bash

   # file: group_vars/web/vars.yml
   ---
   web_password: '{{ vault_web_password }}'

   # file: group_vars/web/vault.yml
   ---
   vault_web_password: 'myStrongPassword'

   # encrypt the vault.yml
   ansible-vault encrypt vault.yml

Links
-----

* http://docs.ansible.com/ansible/playbooks_vault.html
* http://docs.ansible.com/ansible/playbooks_best_practices.html#variables-and-vaults
* https://blog.confirm.ch/deploying-ssl-private-keys-with-ansible
* `Use gpg-agent for vault password `_
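The "Layer of indirection" convention above is easy to break by hand: a secret gets pasted into ``vars.yml``, or ``vault.yml`` is committed before ``ansible-vault encrypt`` was run. The following added example (not part of the original page or of Ansible itself) is a small pre-commit style audit for one ``group_vars/<group>/`` pair: it checks that ``vault.yml`` carries the ``$ANSIBLE_VAULT`` header, that sensitive-looking variables in the plaintext file only point at ``vault_*`` names, and, while the vault file is still plaintext, that references and definitions match. The sample file contents are constructed; the file-pair layout and header format are the ones shown on this page.

```python
import re

# Header ansible-vault writes on the first line of an encrypted file
# (format 1.1 as in the encrypt_string output above; 1.2 adds a vault id label).
VAULT_HEADER = re.compile(r"^\$ANSIBLE_VAULT;1\.[12];AES256(;[^;\s]+)?\s*$")
# "web_password: '{{ vault_web_password }}'" in the plaintext vars file
VAULT_REF = re.compile(r"^(\w+):\s*['\"]?\{\{\s*(vault_\w+)\s*\}\}['\"]?\s*$")
# "vault_web_password: 'myStrongPassword'" in a not-yet-encrypted vault file
VAULT_DEF = re.compile(r"^(vault_\w+):")
# Variable names whose value should never be a literal in a plaintext file
SENSITIVE = re.compile(r"(password|passwd|secret|token|private_key)", re.IGNORECASE)


def is_vault_encrypted(text):
    """True if the file body starts with an ansible-vault header line."""
    first = text.splitlines()[0] if text.strip() else ""
    return VAULT_HEADER.match(first) is not None


def check_group_vars(vars_text, vault_text):
    """Audit one vars.yml / vault.yml pair and return a list of findings."""
    findings = []
    refs = {}  # plaintext variable name -> vault_* name it references
    for line in vars_text.splitlines():
        m = VAULT_REF.match(line)
        if m:
            refs[m.group(1)] = m.group(2)
        elif ":" in line and not line.lstrip().startswith("#"):
            key = line.split(":", 1)[0].strip()
            if SENSITIVE.search(key):
                findings.append(f"{key}: sensitive-looking variable holds a literal in vars.yml")
    if is_vault_encrypted(vault_text):
        return findings  # definitions are unreadable without the vault password
    findings.append("vault.yml is NOT encrypted; run: ansible-vault encrypt vault.yml")
    defined = {m.group(1) for m in map(VAULT_DEF.match, vault_text.splitlines()) if m}
    for name, ref in refs.items():
        if ref not in defined:
            findings.append(f"{name} references {ref}, which vault.yml does not define")
    for ref in sorted(defined - set(refs.values())):
        findings.append(f"{ref} is defined in vault.yml but never referenced from vars.yml")
    return findings


# Constructed samples mirroring the group_vars/web/ layout shown above.
GOOD_VARS = "---\nweb_password: '{{ vault_web_password }}'\nweb_user: deploy\n"
GOOD_VAULT = "$ANSIBLE_VAULT;1.1;AES256\n6566396333663537370a3963\n"  # constructed ciphertext body
BAD_VARS = "---\nweb_password: 'myStrongPassword'\ndb_password: '{{ vault_db_password }}'\n"
BAD_VAULT = "---\nvault_web_password: 'myStrongPassword'\n"  # committed before encryption

if __name__ == "__main__":
    for label, pair in (("good", (GOOD_VARS, GOOD_VAULT)), ("bad", (BAD_VARS, BAD_VAULT))):
        print(label, check_group_vars(*pair) or ["ok"])
```

Running it over the constructed "bad" pair reports four findings: the literal password, the unencrypted vault file, the dangling ``vault_db_password`` reference and the orphaned ``vault_web_password`` definition.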