6. Really though, who are you?
• Came from Java world
• Python developer for 2 years
• DevOps
– Lots of work with automation and quality
• Doing more work with Open Source
8. A Natural Fit!
• Infrastructure as Code
– Committed to GitHub
• Accessible to others
– Use it on their own servers
• Auditable
– Can see the history of changes
14. The Security Paradox
• Can’t commit some types of data
– Passwords
– API Keys
– Private keys
• But we need it to provision servers!
• How can we be both Open Source AND have Infrastructure as Code?
19. Installing Ansible Vault
• Comes as part of Ansible
• Install via:
– pip
– homebrew
– apt-get
– yum
20. How do we protect our data?
• Encrypt variable files w/ ansible-vault
– AES-256 encryption
• Ansible will decrypt at run-time
• Safely store encrypted values in GitHub!
24. What can I encrypt?
• Pretty much anything…
– Variable files (group_vars, host_vars)
– Inventory files
– Templates
– Tasks
– Playbooks
The main limit is your imagination!!!
26. DON’T ENCRYPT EVERYTHING!
• Counter-intuitive:
– More developers need access to the key
• Lose commit history
• Best Practice: Only encrypt your sensitive information
But how???
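As an added example (not part of the slides), a POSIX shell check that enforces the "only encrypt the sensitive files" rule from the two slides above: it walks a repository's variable files, treats a file as vault-encrypted only if its first line carries the `$ANSIBLE_VAULT;1.1;AES256` header that ansible-vault writes, and reports YAML files whose keys look like credentials but are still plaintext. The sample repository it builds, the key-name pattern, and the filler hex "ciphertext" are all constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the slides): flag YAML files that contain
# secret-looking keys but lack the ansible-vault header.  Encrypted vault
# files start with the line "$ANSIBLE_VAULT;1.1;AES256"; everything else is
# plaintext and must not hold passwords, API keys or private keys.

# Exit 0 if the file was produced by ansible-vault (header check only).
is_vault_encrypted() {
    case $(head -n 1 "$1") in
        '$ANSIBLE_VAULT;'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Exit 0 if the file looks like it holds sensitive data, judged by key
# names only.  The pattern is an assumption; adjust it to your repo's naming.
looks_sensitive() {
    grep -qiE '^[[:space:]]*[a-z0-9_]*(password|passwd|secret|api_key|private_key|token)[a-z0-9_]*[[:space:]]*:' "$1"
}

# Print every *.yml / *.yaml file under $1 that looks sensitive but is not
# encrypted.  An empty result means the rule holds.
find_unencrypted_secrets() {
    find "$1" -type f \( -name '*.yml' -o -name '*.yaml' \) | sort | while read -r f; do
        if looks_sensitive "$f" && ! is_vault_encrypted "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Build a constructed sample repository layout in a temp dir and print its
# path.  The "encrypted" body is filler hex, not real ciphertext.
make_sample_repo() {
    dir=$(mktemp -d)
    mkdir -p "$dir/group_vars/all" "$dir/host_vars"
    printf '$ANSIBLE_VAULT;1.1;AES256\n33396461336539663862643632316365\n' > "$dir/group_vars/all/vault.yml"
    printf 'ntp_server: ntp.example.org\napp_port: 8080\n' > "$dir/group_vars/all/vars.yml"
    printf 'db_user: app\ndb_password: hunter2\n' > "$dir/host_vars/db1.yml"
    printf '%s\n' "$dir"
}

# Demo: run as "sh check-vault.sh --demo" to see the plaintext offender.
if [ "${1:-}" = "--demo" ]; then
    repo=$(make_sample_repo)
    echo "Plaintext files holding secrets under $repo:"
    find_unencrypted_secrets "$repo"
    rm -rf "$repo"
fi
```

Run it as a pre-commit hook or CI step over `group_vars/` and `host_vars/`; only the files it reports need `ansible-vault encrypt`, everything else stays readable with a normal diff history.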
33. Making it better
• Password prompts are annoying
– Not good for automation
• Ansible-vault offers a “password file” option
– Not much better, insecure
34. Password Script
• “Password file” can be executable
– Captures standard out as password
• Write a simple script:
36. Utilizing Jenkins
• Jenkins: Popular CI tool
• Option to “Inject passwords” into a job
– Output is masked
– Securely store your vault password
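As an added example for both the "Password Script" and "Utilizing Jenkins" slides (the deck's own script is not reproduced in this transcript; this one is written here), a POSIX shell executable password file: Ansible runs it and takes its standard output as the vault password, so the script can read the secret from an environment variable that the CI job injects at run time instead of keeping a plaintext password file in the repository. The variable name `ANSIBLE_VAULT_PASS` and the file name `vault-pass.sh` are assumptions; `--vault-password-file` is Ansible's real option.

```shell
#!/bin/sh
# Added example (not from the slides): an executable "password file" for
# ansible-vault.  Ansible executes this file and uses its standard output as
# the vault password, so the secret can come from an environment variable
# that a CI job (e.g. Jenkins "inject passwords") supplies at run time.
# The variable name ANSIBLE_VAULT_PASS is an assumption; use whatever your
# CI job injects.
#
# Usage (assumes this file is saved as vault-pass.sh with mode 0700):
#   ANSIBLE_VAULT_PASS='...' ansible-playbook --vault-password-file ./vault-pass.sh site.yml
#   ANSIBLE_VAULT_PASS='...' ansible-vault encrypt --vault-password-file ./vault-pass.sh group_vars/all/vault.yml

# Print the vault password on stdout.  Fail with a message on stderr if the
# variable is missing or empty, so a misconfigured job stops instead of
# silently using an empty password.
print_vault_password() {
    if [ -z "${ANSIBLE_VAULT_PASS:-}" ]; then
        echo "vault-pass.sh: ANSIBLE_VAULT_PASS is not set" >&2
        return 1
    fi
    # printf rather than echo, so a password starting with "-" or containing
    # backslashes is emitted unchanged.  Ansible strips the trailing newline.
    printf '%s\n' "$ANSIBLE_VAULT_PASS"
}

# Report whether a file is safe to hand to --vault-password-file: it must be
# executable and carry no group/other permission bits (mode 0700 or 0500).
check_password_file_perms() {
    [ -x "$1" ] || return 1
    case $(ls -ld "$1" | cut -c5-10) in
        ------) return 0 ;;
        *) return 1 ;;
    esac
}

# Act as a password file only when executed under its own name; when the
# file is sourced for testing, the functions are defined and nothing runs.
if [ "${0##*/}" = "vault-pass.sh" ]; then
    print_vault_password
fi
```

With Jenkins masking the injected variable in the console log, the password appears neither in the repository nor in build output, and rotating it means changing one credential in Jenkins rather than editing every developer's password file.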
37. Deployments more secure
• Developers don’t have access to deploy without vault password
• Jenkins manages the password
– Only have to change it in one place if we rekey the file
39. Encrypted files in GitHub
• Technically could still be compromised
– Anyone can clone, attempt to brute force
– Try using a GitHub private repo
• GitHub employees could still compromise your files!
– Hosting in the cloud is still a concern
– Try using GitHub enterprise