stackoom
  简体   繁体   中英

Ansible vault password file

 原文  2016-06-01 18:07:21       security/ ansible

Question

I'm was thinking, since we already have a secret file that we use to access the servers (the ssh private key), how much of a security risk would be to use this file as the key file for the vault?

The benefit would be that we only have to secure the ssh private key instead of having another key for the vault.

1 answers

solution1
 1  2016-06-02 07:33:19

I like your thought of reducing secrets, but I have some concerns of using the ansible private key.

Scenario

Ideally, the private key you are mentioning is only existing on your management machine, from which you run your playbooks. The way I see it is that the more this key is distributed among other machines/systems, the more likely it is that it gets compromised. The ansible private key usually gives access to root on any provisioned machine in your system, which makes it a very valuable secret. I never provision the ansible private key with ansible itself (which would be kind of chicken-egg anyways, at least on the first management machine).

Problem

One potential problem I see with that approach is when developing roles locally, eg, with vagrant. You would need to use the private key from your management system locally to decrypt the secrets and run your playbooks against your vagrant boxes. Also, any other developer who works on the same ansible project would need that private key locally for development.

Potential workaround

My premise is that the private key does not leave the management server. To achieve that you could develop your roles in a way that for local development you do not need any secret decryption, eg create a local development dev counterpart for each production group which uses only non-encrypted fake data. That way you would only need to decrypt secrets on your management machine and won't need the private key locally, but of course this leads to a higher development effort of your ansible project.

I always try to use this approach anyways as much as possible, but from time to time you might find yourself in a scenario in which you still need to decrypt some valid api key for your vagrant boxes. In some projects you might want to use your ansible playbooks not only for production servers, but also to locally provision vagrant boxes for the developers, which is usually when you need to decrypt a certain amount of valid secrets.

Also worth mentioning, with this approach changes to the production secrets could only be made directly on the management server with the private key.

Conclusion

All in all I think that while it would be theoretically possible to use the private key as vault password, the benefit of reducing one secret is too small compared to the overhead that comes with the extra security concerns.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Symfony - Azure Vault for DB password How to store ansible_become_pass in a vault and how to use it? use ansible-vault to encrypt multiple files at once Spring Data read MongoDB password from a vault or other protected source Find password in file How is a password to decrypt a file verified? How to crack a dBase file password? hide mysql password in php file PHP File Storing Password as a Text File Password file instead plain text password in kafka ssl setup
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM