On June 24th, Excella's Dan Davis presented at Django District.

1. Using Ansible Vault to Protect
Your Secrets
Daniel Davis

2. • Daniel Davis
• Software Developer for 8 years
• Fun Fact:
– I just completed my first Half Ironman three
weeks ago!
Who Am I?

3. 3

4. 4

5. anyways…

6. Really though, who are you?
• Came from Java world
• Python developer for 2 years
• DevOps
– Lots of work with automation and quality
• Doing more work with Open Source

7. In the last 10 years….

8. • Infrastructure as Code
– Committed to GitHub
• Accessible to others
– Use it on their own servers
• Auditable
– Can see the history of changes
A Natural Fit!
8

9. The darker side…
9

10. DevOps!!!
10

11. DevOops!!!
11

12. • That moment of shame when you commit
something you shouldn’t…
– Like your private key or personal access
tokens…
DevOops

13. *Not actually a hacker, just a ninja with a computer

14. • Can’t commit some types of data
– Passwords
– API Keys
– Private keys
• But we need it to provision servers!
• How can we be both Open Source AND
have Infrastructure as Code?
The Security Paradox

15. 1 minute intro to Ansible
15

16. Inventory File
ProdStagingDev
Playbook
Apache
App Code
Elastic Search
Postgres
App Code
Task 1
Task 2
Web Search
Database

17. Group Vars
Dev
Prod
PG_ROOT_USER
PG_ROOT_PASSWORD
PG_ROOT_PASSWORD
…
PG_ROOT_USER
…

18. Ansible-Vault

19. • Comes as part of Ansible
• Install via:
– pip
– homebrew
– apt-get
– yum
Installing Ansible Vault

20. How do we protect our data?
• Encrypt variable files w/ ansible-vault
– AES-256 encryption
• Ansible will decrypt at run-time
• Safely store encrypted values in GitHub!

21. • ansible-vault encrypt [filename]
How do I encrypt?
21

22. • ansible-playbook –i [inventory-file]
[playbook-name] --ask-vault-pass
Running w/ encrypted data
22

23. • ansible-vault decrypt [filename]
• ansible-vault edit [filename]
• ansible-vault rekey [filename]
Other Commands
23

24. • Pretty much anything…
– Variable files (group_vars, host_vars)
– Inventory files
– Templates
– Tasks
– Playbooks
What can I encrypt?
24
The main limit is your imagination!!!

25. Having said that…
25

26. • Counter-intuitive:
– More developers need access to the key
• Lose commit history
• Best Practice: Only encrypt your sensitive
information
DON’T ENCRYPT EVERYTHING!
But how???

27. • Ansible feature:
variable files may be either a file OR
directory
Splitting up group_vars
27

28. Before
28

29. After
29

30. Watch out for variable
fragmentation!
30

31. Best Practice: References
31

32. So that’s cool, but…
32

33. • Password prompts are annoying
– Not good for automation
• Ansible-vault offers a “password file”
option
– Not much better, insecure
Making it better
33

34. • “Password file” can be executable
– Captures standard out as password
• Write a simple script:
Password Script
34

35. Now we’re ready to use CI!
35

36. • Jenkins: Popular CI tool
• Option to “Inject passwords” into a job
– Output is masked
– Securely store your vault password
Utilizing Jenkins
36

37. • Developers don’t have access to deploy
without vault password
• Jenkins manages the password
– Only have to change it in one place if we
rekey the file
Deployments more secure
37

38. Extra Thoughts on
Security
38

39. • Technically could still be compromised
– Anyone can clone, attempt to brute force
– Try using a GitHub private repo
• GitHub employees could still compromise
your files!
– Hosting in the cloud is still a concern
– Try using GitHub enterprise
Encrypted files in Github

40. 40

41. • http://docs.ansible.com/playbooks_vault.html
Links
41

42. Questions?
42