This document discusses how Ansible Vault can be used to encrypt sensitive data like passwords and private keys to protect secrets when committing infrastructure as code to source control on GitHub. It recommends encrypting only sensitive information, not all files, and splitting encrypted variable files into directories. It also provides tips for using a password script and Jenkins to automate running plays with encrypted data without exposing passwords in plain text. The document aims to help balance the security of encrypting secrets with the usability of infrastructure as code workflows.

1. Using Ansible Vault to Protect
Your Secrets
Daniel Davis

2. • Daniel Davis
• Software Developer for 8 years
• Fun Fact:
– I just completed my first Half Ironman three
weeks ago!
Who Am I?

3. 3

4. 4

5. anyways…

6. Really though, who are you?
• Came from Java world
• Python developer for 2 years
• DevOps
– Lots of work with automation and quality
• Doing more work with Open Source

7. In the last 10 years….

8. • Infrastructure as Code
– Committed to GitHub
• Accessible to others
– Use it on their own servers
• Auditable
– Can see the history of changes
A Natural Fit!
8

9. The darker side…
9

10. DevOps!!!
10

11. DevOops!!!
11

12. • That moment of shame when you commit
something you shouldn’t…
– Like your private key or personal access
tokens…
DevOops

13. *Not actually a hacker, just a ninja with a computer

14. • Can’t commit some types of data
– Passwords
– API Keys
– Private keys
• But we need it to provision servers!
• How can we be both Open Source AND
have Infrastructure as Code?
The Security Paradox

15. 1 minute intro to Ansible
15

16. Inventory File
ProdStagingDev
Playbook
Apache
App Code
Elastic Search
Postgres
App Code
Task 1
Task 2
Web Search
Database

17. Group Vars
Dev
Prod
PG_ROOT_USER
PG_ROOT_PASSWORD
PG_ROOT_PASSWORD
…
PG_ROOT_USER
…

18. Ansible-Vault

19. • Comes as part of Ansible
• Install via:
– pip
– homebrew
– apt-get
– yum
Installing Ansible Vault

20. How do we protect our data?
• Encrypt variable files w/ ansible-vault
– AES-256 encryption
• Ansible will decrypt at run-time
• Safely store encrypted values in GitHub!

21. • ansible-vault encrypt [filename]
How do I encrypt?
21

22. • ansible-playbook –i [inventory-file]
[playbook-name] --ask-vault-pass
Running w/ encrypted data
22

23. • ansible-vault decrypt [filename]
• ansible-vault edit [filename]
• ansible-vault rekey [filename]
Other Commands
23

24. • Pretty much anything…
– Variable files (group_vars, host_vars)
– Inventory files
– Templates
– Tasks
– Playbooks
What can I encrypt?
24
The main limit is your imagination!!!

25. Having said that…
25

26. • Counter-intuitive:
– More developers need access to the key
• Lose commit history
• Best Practice: Only encrypt your sensitive
information
DON’T ENCRYPT EVERYTHING!
But how???

27. • Ansible feature:
variable files may be either a file OR
directory
Splitting up group_vars
27

28. Before
28

29. After
29

30. Watch out for variable
fragmentation!
30

31. Best Practice: References
31

32. So that’s cool, but…
32

33. • Password prompts are annoying
– Not good for automation
• Ansible-vault offers a “password file”
option
– Not much better, insecure
Making it better
33

34. • “Password file” can be executable
– Captures standard out as password
• Write a simple script:
Password Script
34

35. Now we’re ready to use CI!
35

36. • Jenkins: Popular CI tool
• Option to “Inject passwords” into a job
– Output is masked
– Securely store your vault password
Utilizing Jenkins
36

37. • Developers don’t have access to deploy
without vault password
• Jenkins manages the password
– Only have to change it in one place if we
rekey the file
Deployments more secure
37

38. Extra Thoughts on
Security
38

39. • Technically could still be compromised
– Anyone can clone, attempt to brute force
– Try using a GitHub private repo
• GitHub employees could still compromise
your files!
– Hosting in the cloud is still a concern
– Try using GitHub enterprise
Encrypted files in Github

40. 40

41. • http://docs.ansible.com/playbooks_vault.html
Links
41

42. Questions?
42