Frank Bezema gave a presentation on securing Ansible deployments and handling secrets. He discussed using Ansible vault for encrypting secrets, SecretHub for storing secrets in the cloud, Kubernetes secrets, and HashiCorp Vault. He emphasized the importance of preventing secrets from being placed on target hosts, using encryption at rest and in transit, and rotating secrets. HashiCorp Vault was identified as the most mature option that supports the most use cases, while Ansible vault provides simple encryption dependent on Ansible and SecretHub allows easy starting but requires full trust in the cloud.
Ansible Secrecy Meetup @ YES!Delft / SecretHub, Frank Bezema, 19 Sept 2018
Secure deployments
• Only as secure as the security of the hosts (OS, apps) and controllers
• Prevent placing secrets on target hosts
• Beware of configuration drift
Secure desired state
• Prevent configuration drift
• Architectural requirement: encryption of (PII) information at rest and in flight
Handling secrets
• How NOT to do it:
1. Hard-coded passwords
2. In your source tree / git
3. Plain text in config files?
4. Environment variables?
• Best way: request from a vault
Ansible-vault
• ships with Ansible
• encrypted group_vars file
• local to the controller host
• -> short demo
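The "how NOT to do it" list and the ansible-vault slide both come down to one check a controller-side CI job can run: no secret-looking variable in group_vars/ or host_vars/ may carry a plaintext value. The scanner below is an added example, not code shown in the talk; it treats three forms as acceptable (a whole file encrypted with ansible-vault, an inline `!vault |` value from ansible-vault encrypt_string, and a Jinja lookup that fetches the value at run time) and flags everything else. The list of secret-like key words, the sample inventory files and the vault payload lines are constructed for the demo; the vault lines are dummies, not real ciphertext.

```python
"""Added check: flag plaintext secrets in Ansible group_vars/host_vars (not from the talk)."""
import re
import tempfile
from pathlib import Path

VAULT_HEADER = "$ANSIBLE_VAULT;"  # first line of any file or value encrypted by ansible-vault

# Keys whose value should never be plaintext in the source tree. Word list is an assumption; extend it.
SECRET_KEY_RE = re.compile(
    r"^\s*(?P<key>[\w.-]*(?:password|passwd|secret|token|api_key|private_key)[\w.-]*)\s*:\s*(?P<value>.*)$",
    re.IGNORECASE,
)


def is_vault_encrypted(text: str) -> bool:
    """True for a file produced by `ansible-vault encrypt` (whole-file encryption)."""
    return text.lstrip().startswith(VAULT_HEADER)


def scan_text(text: str, name: str = "<inline>") -> list:
    """Return (name, line_no, key) for each secret-looking key whose value is plaintext.

    Accepted as safe: a whole-file vault, an inline `!vault |` value
    (from `ansible-vault encrypt_string`), and a Jinja expression such as
    `{{ lookup('hashi_vault', ...) }}` that fetches the value at run time.
    """
    if is_vault_encrypted(text):
        return []
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if line.strip().startswith("#"):
            continue
        m = SECRET_KEY_RE.match(line)
        if not m:
            continue
        value = m.group("value").strip().strip("\"'")
        if not value or value.startswith("!vault") or value.startswith("{{"):
            continue
        findings.append((name, line_no, m.group("key")))
    return findings


def scan_tree(root) -> list:
    """Scan every *.yml / *.yaml under root (e.g. an inventory's group_vars/)."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.suffix in (".yml", ".yaml") and path.is_file():
            findings.extend(scan_text(path.read_text(encoding="utf-8"), str(path.relative_to(root))))
    return findings


# Constructed sample inventory: one bad file, one vault-encrypted file, one using an inline
# vault value and a run-time lookup. The vault payload lines are dummies, not real ciphertext.
SAMPLE_FILES = {
    "group_vars/all/plain.yml": "db_user: app\ndb_password: hunter2\napi_token: \"\"\n",
    "group_vars/all/vault.yml": "$ANSIBLE_VAULT;1.1;AES256\n3031323334353637\n",
    "group_vars/web/main.yml": (
        "tls_private_key: !vault |\n"
        "  $ANSIBLE_VAULT;1.1;AES256\n"
        "  3031323334353637\n"
        "api_token: \"{{ lookup('hashi_vault', 'secret=secret/data/app:token') }}\"\n"
    ),
}


def demo_findings() -> list:
    """Write SAMPLE_FILES to a temp dir, scan it and return the plaintext findings."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, content in SAMPLE_FILES.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(content, encoding="utf-8")
        return scan_tree(tmp)


if __name__ == "__main__":
    for name, line_no, key in demo_findings():
        print(f"{name}:{line_no}: plaintext value for '{key}'")
```

Run it against a real inventory with `scan_tree("inventory/")` from a pre-commit hook or CI step; a non-empty result should fail the pipeline. The regex-based parse is deliberately dependency-free and only looks at top-level `key: value` lines, so nested mappings need a YAML parser if you extend it.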
SecretHub
• simple to get started, cloud-based
• closed-source server, client to be open-sourced
• interact via the secrethub CLI
• mature?
Kubernetes secrets
• comes with a Kubernetes install
• centralised
• needs some measures to make it secure
• mature?
HashiCorp Vault
• OSS & paid enterprise version
• cloud or on-prem
• centralised or per app
• mature, most use cases
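"Request from a vault" (the best way from the handling-secrets slide) means the secret is fetched over an authenticated API when it is needed and never written to the target host. The added example below, which is not code from the talk, shows that exchange against HashiCorp Vault's KV v2 read API: `GET /v1/<mount>/data/<path>` with the token in the `X-Vault-Token` header, and the key/value pairs returned under `data.data`. Because the real server is not available offline, the block embeds a constructed stand-in that answers only that request shape with one hard-coded demo secret; the token and secret values are constructed, and a real deployment would point `read_kv2_secret` at the actual Vault address with a token obtained from a Vault auth method.

```python
"""Added example: fetch a secret from a Vault-style KV v2 API at run time (not from the talk)."""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for a HashiCorp Vault server. It mimics only the request shape of the
# real KV v2 API (GET /v1/<mount>/data/<path>, token in the X-Vault-Token header, the secret
# under data.data in the JSON reply) and holds one hard-coded demo secret.
DEMO_TOKEN = "s.constructed-demo-token"  # constructed, not a real Vault token
DEMO_STORE = {"secret/data/app/db": {"user": "app", "password": "constructed-demo-password"}}


class StubVaultHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.headers.get("X-Vault-Token") != DEMO_TOKEN:
            self._reply(403, {"errors": ["permission denied"]})
            return
        key = self.path.lstrip("/")
        key = key[len("v1/"):] if key.startswith("v1/") else key
        if key not in DEMO_STORE:
            self._reply(404, {"errors": []})
            return
        self._reply(200, {"data": {"data": DEMO_STORE[key], "metadata": {"version": 1}}})

    def _reply(self, code, body):
        payload = json.dumps(body).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *args):
        pass  # keep the demo output clean


def start_stub_vault():
    """Serve the stub on a random localhost port; returns (server, base address)."""
    server = HTTPServer(("127.0.0.1", 0), StubVaultHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


class VaultError(Exception):
    pass


def read_kv2_secret(addr: str, token: str, mount: str, path: str) -> dict:
    """Return the key/value dict of a KV v2 secret. The values only ever live in memory:
    nothing is written to the host's disk or environment."""
    req = urllib.request.Request(f"{addr}/v1/{mount}/data/{path}", headers={"X-Vault-Token": token})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return json.load(resp)["data"]["data"]
    except urllib.error.HTTPError as exc:
        raise VaultError(f"vault returned {exc.code} for {mount}/{path}") from exc


if __name__ == "__main__":
    server, addr = start_stub_vault()
    try:
        creds = read_kv2_secret(addr, DEMO_TOKEN, "secret", "app/db")
        print("got credentials for user", creds["user"])  # never print the password itself
        try:
            read_kv2_secret(addr, "wrong-token", "secret", "app/db")
        except VaultError as exc:
            print("rejected as expected:", exc)
    finally:
        server.shutdown()
```

The same pattern is what a lookup plugin on the Ansible controller does for you: the value is resolved at play time and handed to the task, so the encrypted-at-rest copy stays in Vault and only the controller's token needs protecting.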
Comparison
• a number of dimensions:
1. OSS vs. closed source
2. on or off host
3. cloud or on-premise
• maturity
• use cases
Generic conclusion
• Ansible-vault: dependent on Ansible, simple
• SecretHub: full trust in the cloud, easy to start
• Kubernetes secrets: specific use case
• HashiCorp Vault: most mature, most use cases