Using Ansible Vault to Protect Your Secrets
Daniel Davis

Uploaded by: excella-consulting
Posted on 31-Jul-2015

TRANSCRIPT

Who Am I?

• Daniel Davis
• Software Developer for 8 years
• Fun Fact:
  – I just completed my first Half Ironman three weeks ago!


anyways…

Really though, who are you?

In the last 10 years…

• Came from Java world
• Python developer for 2 years
• DevOps
  – Lots of work with automation and quality
• Doing more work with Open Source

A Natural Fit!

• Infrastructure as Code
  – Committed to GitHub
• Accessible to others
  – Use it on their own servers
• Auditable
  – Can see the history of changes

The darker side…


DevOps!!!


DevOops!!!


DevOops

• That moment of shame when you commit something you shouldn’t…
  – Like your private key or personal access tokens…

*Not actually a hacker, just a ninja with a computer

The Security Paradox

• Can’t commit some types of data
  – Passwords
  – API Keys
  – Private keys
• But we need it to provision servers!
• How can we be both Open Source AND have Infrastructure as Code?

1 minute intro to Ansible

[Diagram: an inventory file lists the Prod, Staging and Dev environments. A playbook runs tasks (Apache, App Code, Elastic Search, Postgres; Task 1, Task 2) against the Web Search and Database groups. Group Vars for Dev and for Prod each define PG_ROOT_USER and PG_ROOT_PASSWORD.]

Ansible-Vault

Installing Ansible Vault

• Comes as part of Ansible
• Install via:
  – pip
  – homebrew
  – apt-get
  – yum

How do we protect our data?

• Encrypt variable files with ansible-vault
  – AES-256 encryption; the vault password is the only secret, so a weak password leaves the file open to offline guessing
• Ansible will decrypt at run-time
• Safely store encrypted values in GitHub!

How do I encrypt?

• ansible-vault encrypt [filename]

Running w/ encrypted data

• ansible-playbook -i [inventory-file] [playbook-name] --ask-vault-pass

Other Commands

• ansible-vault decrypt [filename]
• ansible-vault edit [filename]
• ansible-vault rekey [filename]


What can I encrypt?

• Pretty much anything…
  – Variable files (group_vars, host_vars)
  – Inventory files
  – Templates
  – Tasks
  – Playbooks

The main limit is your imagination!!!

Having said that…

DON’T ENCRYPT EVERYTHING!

• Counter-intuitive: more developers need access to the key
• You lose a usable commit history: the diff of an encrypted file is just ciphertext
• Best Practice: Only encrypt your sensitive information

But how???

Splitting up group_vars

• Ansible feature: variable files may be either a file OR a directory

Before

After

Watch out for variable fragmentation!

Best Practice: References
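The split the slides describe, as an added example that is not from the deck: group_vars/prod becomes a directory holding a plaintext vars.yml that only references the secrets, and a vault.yml that carries them and is the only file handed to ansible-vault. It also includes a check for the "variable fragmentation" trap, verifying that every `{{ vault_... }}` reference in vars.yml has a definition in vault.yml before that file is encrypted and stops being greppable. The layout, the `vault_` prefix convention and the variable names (pg_root_user, pg_root_password) are assumptions.

```shell
#!/bin/sh
# Added example, not from the slides. Assumed layout:
#   group_vars/<group>/vars.yml   plaintext, committed as-is, readable in diffs
#   group_vars/<group>/vault.yml  secrets only, encrypted with ansible-vault
set -eu

# write_split_group_vars REPO GROUP USER PASSWORD
# Before: a single group_vars/GROUP.yml mixing secrets and plain settings,
#         which forces you to encrypt the whole file.
# After:  the directory form below; only vault.yml ever needs encrypting.
write_split_group_vars() {
    repo=$1; group=$2; user=$3; password=$4
    mkdir -p "$repo/group_vars/$group"
    cat > "$repo/group_vars/$group/vars.yml" <<EOF
---
# Plain values plus references into vault.yml; grep-able, diff-able, reviewable.
pg_root_user: "{{ vault_pg_root_user }}"
pg_root_password: "{{ vault_pg_root_password }}"
pg_port: 5432
EOF
    cat > "$repo/group_vars/$group/vault.yml" <<EOF
---
# Secrets only. This is the file given to "ansible-vault encrypt".
vault_pg_root_user: "$user"
vault_pg_root_password: "$password"
EOF
}

# referenced_vault_vars VARS_FILE -> sorted, unique names used as {{ vault_... }}
referenced_vault_vars() {
    grep -o '{{ *vault_[A-Za-z0-9_]* *}}' "$1" | sed 's/[{} ]//g' | sort -u
}

# check_references GROUP_DIR -> exit 1 naming every vault_* reference that has
# no top-level definition in vault.yml. Run it while vault.yml is still plaintext.
check_references() {
    dir=$1
    missing=$(referenced_vault_vars "$dir/vars.yml" | while IFS= read -r name; do
        grep -q "^$name:" "$dir/vault.yml" || echo "$name"
    done)
    [ -z "$missing" ] && return 0
    printf 'referenced in vars.yml but never defined in %s/vault.yml:\n%s\n' "$dir" "$missing" >&2
    return 1
}

# --- constructed demo ---------------------------------------------------------
DEMO=$(mktemp -d)
write_split_group_vars "$DEMO" prod postgres 's3cr3t-prod'   # constructed values
check_references "$DEMO/group_vars/prod" && echo "prod: every vault_* reference is defined"

# Fragmentation: someone adds a reference to vars.yml and forgets vault.yml.
echo 'pg_replica_password: "{{ vault_pg_replica_password }}"' >> "$DEMO/group_vars/prod/vars.yml"
check_references "$DEMO/group_vars/prod" || echo "-> fix vault.yml before encrypting it"
```

Keeping the `vault_` prefix on every secret and referencing it from the plain file means a reviewer can see which settings are secret without decrypting anything, and the reference check catches the typo in a variable name that would otherwise surface only as an undefined-variable error at deploy time.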


So that’s cool, but…


Making it better

• Password prompts are annoying
  – Not good for automation
• Ansible-vault offers a “password file” option
  – Not much better: a plaintext password sitting on disk

Password Script

• “Password file” can be executable
  – Captures standard out as password
• Write a simple script:


Now we’re ready to use CI!


Utilizing Jenkins

• Jenkins: Popular CI tool
• Option to “Inject passwords” into a job
  – Output is masked
  – Securely store your vault password

Deployments more secure

• Developers don’t have access to deploy without the vault password
• Jenkins manages the password
  – Only have to change it in one place if we rekey the file

Extra Thoughts on Security


Encrypted files in Github

• Technically could still be compromised
  – Anyone can clone the repo and attempt to brute force the vault password offline
  – Try using a GitHub private repo
• GitHub employees could still compromise your files!
  – Hosting in the cloud is still a concern
  – Try using GitHub Enterprise

Links

• http://docs.ansible.com/playbooks_vault.html

Questions?
