11

We are using Ansible Vault to store passwords, private keys for certificates etc. in our Ansible Playbook git repository. All of our existing private data is in text form, so we can store it in variables. These are then used in templates or with the content parameter of the copy module.

Now, we have a Java KeyStore file, which sadly has a binary format. As such, it cannot be stored inside a variable -- or at least I don't know how to do it. What would be the easiest way to have our file properly encrypted while it rests in git, but available when running ansible-playbook?

What I have already tried without success:

  • Encoding the binary file in base64, storing the encoded data in a variable and using the template module with {{base64_data | b64decode}}. Leads to lots of EF BF BD in hex dump of the resulting file. The three bytes encode the Unicode replacement character in UTF-8, so there is an issue with interpreting the binary data as text.
  • Encoding the binary file in base64, storing the encoded data in a variable and using the copy module with content="{{base64_data | b64decode}}". Ansible complains with "A variable inserted a new parameter into the module args." When using single quotes instead of double quotes, Ansible complains with "error parsing argument string", and a copy of all the binary data, dumped to the terminal...
Daniel Seither
  • 213
  • 2
  • 8
  • From a discussion in https://groups.google.com/d/topic/ansible-project/IinZK14FyX4 I conclude that ansible does not support this, and that you have to do some base64 stuff on your own, but that there may be some third party stuff that can make it easier. – Antonis Christofides Feb 11 '15 at 09:32
  • Thanks, this is looking good. Will try it and report back... – Daniel Seither Feb 11 '15 at 13:40
  • No, it sadly doesn't work (see edited question). There's some discussion around an ansible pull request that might be relevant: https://github.com/ansible/ansible-modules-extras/pull/142 – Daniel Seither Feb 12 '15 at 14:18
  • Have you thought about wrapping this with GPG calls? You could have the ASCII representation of a GPG private key stored in Ansible Vault, and use that to decrypt your binary file, which could then be stored in git without a problem. – Christopher Karel Feb 13 '15 at 19:33
  • Thanks for your suggestion, but this workaround is a bit more involved than I'd like it to be. I already thought about copying the base64-encoded KeyStore to the target machine and having a handler that decodes the file on update, but I'd prefer a solution that doesn't throw around temporary files. – Daniel Seither Feb 18 '15 at 18:11

2 Answers

5

You can use a shell command with a base64 variable to do that.

# vars is a mapping, not a list; myvar holds the base64-encoded binary
- hosts: all
  vars:
    myvar: "<my_base64_var>"
  tasks:
    - name: Create binary file
      shell: "echo '{{ myvar }}' | base64 -d > /var/tmp/binary.dat"

Eric

elhostis
  • 166
  • 1
  • 2
  • This is definitely an option, especially since it doesn't use a temporary file. Sadly, it doesn't allow Ansible to detect whether a change was made, but it's better than all the other solutions that I've seen. – Daniel Seither Jul 05 '16 at 18:10
  • 2
    I think vault supports it now: "The vault feature can also encrypt arbitrary files, even binary files. If a vault-encrypted file is given as the src argument to the copy module, the file will be placed at the destination on the target host decrypted (assuming a valid vault password is supplied when running the play)." - http://docs.ansible.com/ansible/playbooks_vault.html – Mike Gleason jr Couturier Nov 13 '16 at 15:37
  • 3
    Note that they appear to have moved the text quoted by @MikeGleasonjrCouturier to a different page in the ansible documentation; see https://docs.ansible.com/ansible/latest/vault.html now. – Liam Dec 12 '17 at 07:19
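The shell-based answer above cannot tell Ansible whether anything changed (see the first comment). As an added example, not from the original answer, here is a POSIX shell function that decodes a base64 variable, writes the file only when the decoded content differs from what is already on the target, and prints "changed" or "unchanged" so a task can drive changed_when from it; the sample base64 value is constructed (the 8 leading bytes of a JKS keystore header) and the destination path is an assumption.

```shell
#!/bin/sh
# Decode a base64 string into a binary file on the target host, replacing the
# file only when its content differs. Prints "changed" or "unchanged".
# Usage: write_b64_if_changed '<base64 data>' /path/to/dest
write_b64_if_changed() {
    b64="$1"
    dest="$2"
    # Decode into a temp file next to the destination so the final mv is atomic
    tmp="$(mktemp "${dest}.XXXXXX")" || return 1
    if ! printf '%s' "$b64" | base64 -d > "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    # Same bytes already present: nothing to do, keep the existing file as-is
    if [ -f "$dest" ] && cmp -s "$tmp" "$dest"; then
        rm -f "$tmp"
        echo unchanged
        return 0
    fi
    # Keystores hold private keys: owner-only permissions before it is visible
    chmod 0600 "$tmp"
    mv -f "$tmp" "$dest"
    echo changed
}

# Constructed sample: FE ED FE ED 00 00 00 02 (JKS magic + version), base64-encoded
SAMPLE_B64='/u3+7QAAAAI='
# Hex dump of a written file, for verifying the bytes survived the round trip
hexdump_file() {
    od -An -tx1 "$1" | tr -d ' \n'
}
```

In a playbook, register the task's output and set `changed_when: "'changed' in result.stdout"` (with `result` as the registered variable) so that handlers and change reporting work as they do for the copy module.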
2

The way we do that for our ansible setup is:

  • We encrypt individual sensitive material (a small subset of our repository) using https://www.agwa.name/projects/git-crypt/
  • We all always commit using signed git tags
  • We periodically check if there are any unsigned files

The advantage of git-crypt is that, as it relies on git filters, the encryption is transparent. Plus you can give access to the repository to developers without compromising encrypted content (it will ignore encrypted files if no decryption key can be obtained).

MemCtrl
  • 118
  • 2
  • 10