Using ansible vault to protect your secrets
•Download as PPTX, PDF•
10 likes•6,031 views
This document discusses how Ansible Vault can be used to encrypt sensitive data like passwords and private keys to protect secrets when committing infrastructure as code to source control on GitHub. It recommends encrypting only sensitive information, not all files, and splitting encrypted variable files into directories. It also provides tips for using a password script and Jenkins to automate running plays with encrypted data without exposing passwords in plain text. The document aims to help balance the security of encrypting secrets with the usability of infrastructure as code workflows.
Report
Share
Using ansible vault to protect your secrets
- 1. Using Ansible Vault to Protect Your Secrets Daniel Davis
- 2. • Daniel Davis • Software Developer for 8 years • Fun Fact: – I just completed my first Half Ironman three weeks ago! Who Am I?
- 3. 3
- 4. 4
- 5. anyways…
- 6. Really though, who are you? • Came from Java world • Python developer for 2 years • DevOps – Lots of work with automation and quality • Doing more work with Open Source
- 7. In the last 10 years….
- 8. • Infrastructure as Code – Committed to GitHub • Accessible to others – Use it on their own servers • Auditable – Can see the history of changes A Natural Fit! 8
- 10. DevOps!!! 10
- 11. DevOops!!! 11
- 12. • That moment of shame when you commit something you shouldn’t… – Like your private key or personal access tokens… DevOops
- 13. *Not actually a hacker, just a ninja with a computer
- 14. • Can’t commit some types of data – Passwords – API Keys – Private keys • But we need it to provision servers! • How can we be both Open Source AND have Infrastructure as Code? The Security Paradox
- 15. 1 minute intro to Ansible 15
- 16. Inventory File ProdStagingDev Playbook Apache App Code Elastic Search Postgres App Code Task 1 Task 2 Web Search Database
- 18. Ansible-Vault
- 19. • Comes as part of Ansible • Install via: – pip – homebrew – apt-get – yum Installing Ansible Vault
- 20. How do we protect our data? • Encrypt variable files w/ ansible-vault – AES-256 encryption • Ansible will decrypt at run-time • Safely store encrypted values in GitHub!
- 21. • ansible-vault encrypt [filename] How do I encrypt? 21
- 22. • ansible-playbook –i [inventory-file] [playbook-name] --ask-vault-pass Running w/ encrypted data 22
- 23. • ansible-vault decrypt [filename] • ansible-vault edit [filename] • ansible-vault rekey [filename] Other Commands 23
- 24. • Pretty much anything… – Variable files (group_vars, host_vars) – Inventory files – Templates – Tasks – Playbooks What can I encrypt? 24 The main limit is your imagination!!!
- 26. • Counter-intuitive: – More developers need access to the key • Lose commit history • Best Practice: Only encrypt your sensitive information DON’T ENCRYPT EVERYTHING! But how???
- 27. • Ansible feature: variable files may be either a file OR directory Splitting up group_vars 27
- 28. Before 28
- 29. After 29
- 30. Watch out for variable fragmentation! 30
- 32. So that’s cool, but… 32
- 33. • Password prompts are annoying – Not good for automation • Ansible-vault offers a “password file” option – Not much better, insecure Making it better 33
- 34. • “Password file” can be executable – Captures standard out as password • Write a simple script: Password Script 34
- 35. Now we’re ready to use CI! 35
- 36. • Jenkins: Popular CI tool • Option to “Inject passwords” into a job – Output is masked – Securely store your vault password Utilizing Jenkins 36
- 37. • Developers don’t have access to deploy without vault password • Jenkins manages the password – Only have to change it in one place if we rekey the file Deployments more secure 37
- 39. • Technically could still be compromised – Anyone can clone, attempt to brute force – Try using a GitHub private repo • GitHub employees could still compromise your files! – Hosting in the cloud is still a concern – Try using GitHub enterprise Encrypted files in Github
- 40. 40
- 42. Questions? 42