Is it possible to hash the password in the vault_password_file for ansible?

Question

I am concerned about the password vault file storing the decryption password in plain text but have been unable to find any solutions.

Today i used the ansible-vault encrypt command to encrypt all my variables. I then created a password file to be used for the vault password and pointed the vault_password_file line in ansible.cfg towards it. I don't want the users on the ansible system to be prompted to enter the vault password every time they run a playbook, which is why we have opted for this method.

This is all working fine but i am concerned about the fact the password within the file is stored in Plain text. To me it defeats the exercise of encrypting the other information. I have tried to find solutions to this but i can not find any answers.

I am wondering if there are any methods to hash the password within the file that still allows ansible to use it for decryption?

Has anyone got any solutions which i could explore?

Answer 1

Assuming you are using source control, which you should be - then you could store the ansible_vault password in a file as you are now, but use either git-secret or blackbox (https://github.com/StackExchange/blackbox) to encrypt the vault password file.

git-secret is specifically for git and blackbox works with git as well as some other source control providers.

With blackbox you add a users public key to encrypt your file, and either one of your users can decrypt the file. Should they leave, you can just remove their public key and then can no longer access the file.

One step up from this would be a dedicated secrets management software tool as mentioned in the comments, but this is a simple enough intermediary step to implement.