How to automate decryption of an encrypted vault?

I want to automate decryption of an existing vault without having to specify the vault location or password on the command line.

Basically, I'm looking for a solution that works the way ~/.netrc works: once you put the credentials there, tools (like curl, wget, ...) know to load them.

If you do not, it will be done.

This is very important because I need to be able to automate running these playbooks, so prompting for a password is clearly not an option.

In addition, I do not want to add the --vault-password-file option on every run. Any ideas?

+5
3 answers

As with inventory, if the vault-password-file has the executable bit set, Ansible will run it and use its stdout as the password.

This allows you to write a script that unwraps a PGP-encrypted password, fetches it from an S3 bucket with restricted access, uses AWS KMS, or whatever else comes to mind.

+5
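The executable password-file approach from the answer above, written out as an added example (not code from the thread). It also applies the permission concern raised in the next answer: the script assumes the secret lives in a file at the hypothetical path ~/.ansible/.vault-secret and refuses to emit it unless that file is readable by its owner only.

```shell
#!/bin/sh
# Constructed example of an executable vault password script.
# Save as ~/.ansible/vault-pass.sh, chmod 700 it, and point
# vault_password_file in ansible.cfg (or --vault-password-file) at it;
# Ansible runs it and reads the password from stdout.
# The backing file path below is an assumption, overridable via VAULT_SECRET_FILE.

VAULT_SECRET_FILE="${VAULT_SECRET_FILE:-$HOME/.ansible/.vault-secret}"

# Print the secret to stdout only if the file has no group/other permission
# bits (0600, 0400, ...). Otherwise fail closed so a misconfigured host
# cannot silently hand the key to every local user.
read_vault_password() {
    file="$1"
    [ -f "$file" ] || { echo "vault secret file not found: $file" >&2; return 1; }
    # GNU stat first, BSD/macOS stat as fallback; both print the octal mode.
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    case "$mode" in
        *00) ;;
        *) echo "refusing: $file is mode $mode, expected owner-only (0600)" >&2; return 2 ;;
    esac
    # Emit only the first line, without a trailing newline.
    printf '%s' "$(head -n 1 "$file")"
}

# Run only when invoked as the script itself, not when sourced for testing.
if [ "${0##*/}" = "vault-pass.sh" ]; then
    read_vault_password "$VAULT_SECRET_FILE"
fi
```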

You can define vault_password_file in ansible.cfg.

But I do not see much value in it. Looking at the .netrc man page, I see that the credentials in the .netrc file are also written in clear text. In addition, it says:

This file is located in the user's home directory on the computer initiating the file transfer. Its permissions must be configured to restrict read access to groups and others.

For .netrc, this makes sense, because the goal is to provide access to other systems. But your goal is to provide access to the file.

It doesn't make much sense to encrypt a file and then just put the decryption key in another file on the same host that is protected only by chmod. You could simply protect your secrets in Ansible with chmod in the first place. This has the same level of security and avoids some overhead.

+4

There are several ways:

  • As suggested, save the password file in a locked-down location (for example, an Azure container or any other place accessible using ssh keys). Fetch it at run time and use the --vault-password-file option. You can delete the file immediately afterwards.

  • If you use an automation server such as Jenkins, you can save your password as a Jenkins Credential. Get the password on the fly and put it in a text file. Again, use the --vault-password-file option. I wrote a small entry about this here: Storing Vault key in Jenkins

0

Source: https://habr.com/ru/post/1243240/
