简体   繁体   English

ansible-vault:可能*不*解密文件

[英]ansible-vault: possible to *not* decrypt file

I would like to deploy encrypted (by ansible-vault) files using ansible without providing the vault password.我想在不提供保险库密码的情况下使用 ansible 部署加密的(通过 ansible-vault)文件。 The files should remain encrypted and only be decrypted on the server if needed (using a separate script).文件应保持加密状态,仅在需要时才在服务器上解密(使用单独的脚本)。

Is that possible somehow?这有可能吗?

Some more explanation: I am using the Ansible script to set up a CI server (bamboo, jenkins).更多解释:我正在使用 Ansible 脚本来设置 CI 服务器(bamboo、jenkins)。 Passwords should not live in plain text on that server, they should be decrypted on the fly when used to add another layer of security.密码不应以纯文本形式存在于该服务器上,当用于添加另一层安全性时,它们应该被即时解密。

I found it in the latest version (2.4).我在最新版本(2.4)中找到了它。 There is a decrypt flag for the copy module, see here .复制模块有一个解密标志,请参见此处 This is how I use it:这是我如何使用它:

<role>/tasks/main.yml <角色>/tasks/main.yml

- name: Copying (encrypted) Vault Content
  copy:
    src: "templates/vault/"
    dest: "{{vault_folder}}"
    directory_mode: yes
    decrypt: no

On the server, I am using this line in a script to get the decrypted content of the file:在服务器上,我在脚本中使用这一行来获取文件的解密内容:

ansible-vault decrypt <vault_folder>/<file> --output -

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM