
Ansible vault password file

I was thinking: since we already have a secret file that we use to access the servers (the SSH private key), how much of a security risk would it be to use this file as the key file for the vault?

The benefit would be that we only have to secure the SSH private key instead of having another key for the vault.

I like your thought of reducing secrets, but I have some concerns about using the Ansible private key.

Scenario

Ideally, the private key you are mentioning only exists on your management machine, from which you run your playbooks. The way I see it, the more this key is distributed among other machines/systems, the more likely it is that it gets compromised. The Ansible private key usually gives root access on any provisioned machine in your system, which makes it a very valuable secret. I never provision the Ansible private key with Ansible itself (which would be a chicken-and-egg problem anyway, at least on the first management machine).

Problem

One potential problem I see with that approach is when developing roles locally, e.g. with Vagrant. You would need to use the private key from your management system locally to decrypt the secrets and run your playbooks against your Vagrant boxes. Also, any other developer who works on the same Ansible project would need that private key locally for development.

Potential workaround

My premise is that the private key does not leave the management server. To achieve that, you could develop your roles in a way that local development does not need any secret decryption, e.g. create a local dev counterpart for each production group which uses only non-encrypted fake data. That way you would only need to decrypt secrets on your management machine and would not need the private key locally, but of course this leads to a higher development effort for your Ansible project.

I always try to use this approach as much as possible anyway, but from time to time you might find yourself in a scenario in which you still need to decrypt some valid API key for your Vagrant boxes. In some projects you might want to use your Ansible playbooks not only for production servers, but also to locally provision Vagrant boxes for the developers, which is usually when you need to decrypt a certain amount of valid secrets.

Also worth mentioning: with this approach, changes to the production secrets could only be made directly on the management server with the private key.

Conclusion

All in all, I think that while it would be theoretically possible to use the private key as the vault password, the benefit of reducing one secret is too small compared to the overhead that comes with the extra security concerns.
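The workaround in the answer (a plaintext `dev` group beside a vault-encrypted `production` group, so the private key never has to leave the management server) is easy to drift away from: someone encrypts a dev file, or commits a production secrets file in the clear. The following POSIX shell script is an added example, not code from the question or the answer, that checks that layout the way a pre-commit or CI step would. The directory names `group_vars/dev` and `group_vars/production`, the `vault*.yml` naming convention for production secret files, and the sample tree it builds are all assumptions; the only fact it relies on is that files encrypted by `ansible-vault` begin with the `$ANSIBLE_VAULT;` header line. It runs offline and does not need Ansible installed.

```shell
#!/bin/sh
# Added example: lint the dev/production vault layout from the answer.
# Assumed conventions (not from the original post):
#   group_vars/dev/*.yml            plain fake data, must NOT be vault-encrypted
#   group_vars/production/vault*.yml real secrets, MUST be vault-encrypted
# ansible-vault writes this header as the first line of every encrypted file.
VAULT_HEADER='$ANSIBLE_VAULT;1.1;AES256'

# is_vault_file FILE -> 0 if the first line carries the ansible-vault header
is_vault_file() {
    head -n 1 "$1" | grep -qF '$ANSIBLE_VAULT;'
}

# check_vault_layout DIR
# Returns 0 when every dev vars file is plaintext and every production
# vault*.yml file is encrypted; otherwise prints the offending paths to
# stderr and returns 1.
check_vault_layout() {
    dir="$1"
    status=0
    for f in "$dir"/group_vars/dev/*.yml; do
        [ -f "$f" ] || continue          # no match: the glob stays literal
        if is_vault_file "$f"; then
            echo "dev group must hold only plaintext fake data: $f" >&2
            status=1
        fi
    done
    for f in "$dir"/group_vars/production/vault*.yml; do
        [ -f "$f" ] || continue
        if ! is_vault_file "$f"; then
            echo "production secrets file is not vault-encrypted: $f" >&2
            status=1
        fi
    done
    return $status
}

# make_sample_tree DIR GOOD
# Constructed sample project for demonstration. With GOOD=1 the layout is
# correct; with GOOD=0 the production secrets file is left in plaintext.
# The hex body below the header is a placeholder, not real ciphertext.
make_sample_tree() {
    dir="$1"; good="$2"
    mkdir -p "$dir/group_vars/dev" "$dir/group_vars/production"
    printf 'api_key: fake-dev-key\n' > "$dir/group_vars/dev/vars.yml"
    if [ "$good" = 1 ]; then
        printf '%s\n00000000000000000000\n' "$VAULT_HEADER" \
            > "$dir/group_vars/production/vault.yml"
    else
        printf 'api_key: PLACEHOLDER-REAL-KEY\n' \
            > "$dir/group_vars/production/vault.yml"
    fi
}

# Stand-alone use: sh check_vault_layout.sh /path/to/ansible/project
if [ -n "${1:-}" ]; then
    check_vault_layout "$1"
fi
```

On a real project you would run only `check_vault_layout` against the repository root; `make_sample_tree` exists so the script can demonstrate both the passing and the failing case without touching real secrets. The check is deliberately header-based rather than trying to decrypt anything, so it needs no vault password and can run on any developer machine, which is exactly the property the answer's workaround is after.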
