As a configuration management system or an orchestration engine, Ansible has great power. To wield that power, it is necessary to entrust secret data to Ansible. An automation system that prompts the operator for passwords at each connection is not very efficient. To maximize the power of Ansible, secret data has to be written to a file that Ansible can read and use at run time.
This creates a risk, though! Your secrets are sitting there on your filesystem in plain text. This is a physical and digital risk. Physically, the computer could be taken from you and pored over for secret data. Digitally, any malicious software that can break the boundaries set upon it is capable of reading any data to which your user account has access. If you utilize a source control system, the infrastructure that houses the repository is just as much at risk.
Thankfully, Ansible provides a facility to protect your data at rest. That facility is Vault. Vault encrypts text files so that they are stored at rest in an encrypted format. Without the key (or a very large amount of computing power), the data is indecipherable.
The key lessons to learn when dealing with encrypting data at rest include the following:
- Valid encryption targets
- Securing differing data with multiple passwords and Vault IDs
- Creating new encrypted files
- Encrypting existing unencrypted files
- Editing encrypted files
- Changing the encryption password on files
- Decrypting encrypted files
- Encrypting data inline in an otherwise unencrypted YAML file (for example, a playbook)
- Running ansible-playbook referencing encrypted files
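The risk described above is a file of secrets that never got encrypted, or one that was decrypted for editing and committed that way. A simple defensive check is to confirm that every file meant to hold secrets actually carries the Vault envelope before it is committed. The following is an added example, not code from the book or from the Ansible project: it recognizes the header line that `ansible-vault` writes (`$ANSIBLE_VAULT;1.1;AES256`, or `$ANSIBLE_VAULT;1.2;AES256;<label>` when a Vault ID is used), recognizes inline `!vault |` values as produced by `ansible-vault encrypt_string`, and flags files that are still plain text. The sample file contents and the hex bodies are constructed for the example and will not decrypt to anything; the repository layout (`group_vars/...`) is an assumption.

```python
import re
from typing import Dict, List

# First line of a file encrypted by ansible-vault. Format 1.1 carries no
# Vault ID label; format 1.2 appends the label after the cipher name.
VAULT_HEADER = re.compile(
    r"^\$ANSIBLE_VAULT;(?P<version>1\.[12]);AES256(?:;(?P<label>[^;\s]+))?\s*$"
)

# A value encrypted inline with `ansible-vault encrypt_string` looks like:
#   db_password: !vault |
#       $ANSIBLE_VAULT;1.1;AES256
#       3365...
INLINE_VAULT = re.compile(r"^\s*(?P<key>[\w.-]+):\s*!vault\s*\|\s*$")
HEX_LINE = re.compile(r"^[0-9a-f]+$")


def classify(text: str) -> Dict[str, object]:
    """Classify file content as vault-file, mixed (inline values), plaintext or corrupt."""
    lines = text.splitlines()
    if lines:
        m = VAULT_HEADER.match(lines[0])
        if m:
            # Whole-file encryption: every remaining non-blank line must be hex.
            body = [ln.strip() for ln in lines[1:] if ln.strip()]
            intact = bool(body) and all(HEX_LINE.match(ln) for ln in body)
            return {
                "kind": "vault-file" if intact else "corrupt",
                "version": m.group("version"),
                "label": m.group("label"),
                "inline_keys": [],
            }
    inline_keys: List[str] = []
    for i, ln in enumerate(lines):
        m = INLINE_VAULT.match(ln)
        if not m:
            continue
        # The next non-blank line of a genuine inline value is a Vault header.
        following = next((nxt for nxt in lines[i + 1:] if nxt.strip()), "")
        if VAULT_HEADER.match(following.strip()):
            inline_keys.append(m.group("key"))
    return {
        "kind": "mixed" if inline_keys else "plaintext",
        "version": None,
        "label": None,
        "inline_keys": inline_keys,
    }


def audit(files: Dict[str, str], must_be_encrypted: List[str]) -> List[str]:
    """Return one finding per path that should be fully encrypted but is not."""
    findings = []
    for path in must_be_encrypted:
        if path not in files:
            findings.append(f"{path}: missing")
            continue
        kind = classify(files[path])["kind"]
        if kind != "vault-file":
            findings.append(f"{path}: {kind}")
    return findings


# Constructed sample contents (hex bodies are filler, not real ciphertext).
HEX_BODY = (
    "3365613930313566353238636630313638613332633634313532353463363636\n"
    "6538616364643136663034383061363333663236616632346230386332643536\n"
)
SECRETS_FULL = "$ANSIBLE_VAULT;1.2;AES256;prod\n" + HEX_BODY
PLAYBOOK_INLINE = (
    "---\n"
    "- hosts: db\n"
    "  vars:\n"
    "    db_user: app\n"
    "    db_password: !vault |\n"
    "      $ANSIBLE_VAULT;1.1;AES256\n"
    + "".join("      " + ln + "\n" for ln in HEX_BODY.splitlines())
)
PLAIN_VARS = "ntp_server: ntp.example.test\n"
PLAIN_SECRETS = "db_password: hunter2\n"  # constructed: a leak waiting to be committed

SAMPLE_REPO = {
    "group_vars/prod/vault.yml": SECRETS_FULL,
    "group_vars/prod/vars.yml": PLAIN_VARS,
    "group_vars/dev/vault.yml": PLAIN_SECRETS,
    "site.yml": PLAYBOOK_INLINE,
}
MUST_BE_ENCRYPTED = ["group_vars/prod/vault.yml", "group_vars/dev/vault.yml"]

if __name__ == "__main__":
    for path, content in SAMPLE_REPO.items():
        print(f"{path}: {classify(content)}")
    for finding in audit(SAMPLE_REPO, MUST_BE_ENCRYPTED):
        print("FINDING", finding)
```

Run as a pre-commit hook over the paths that by convention hold secrets (for example every `vault.yml`), a non-empty result from `audit` is reason to reject the commit. The check only inspects the envelope; it does not and cannot verify the password, so it complements rather than replaces keeping the Vault password out of the repository.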