Transcript
  • Servers and Tools

Encryption

From the class:  Ansible

One of the benefits of using software like Ansible to configure and provision machines is we can take all of these folders and files and store them in source control. And that allows us to repeat steps again and again in the future, without having to memorize everything. So it creates a repeatable provisioning system.

Now one of the problems with this tends to be that if our variable file contains sensitive information, like a database password, you generally don't want to put those things into Git or into GitHub for anyone else to see. We want to keep these things secret so that only one or a handful of people who have the right permissions are able to see them.

So Ansible gives us a way to do this by encrypting information, and it provides a tool to do it called Ansible Vault. Ansible Vault is another command line tool that allows us to encrypt files, provide a password to decrypt them, and a couple of other things to make those tasks a bit easier.

To accomplish this goal, what we can do is, instead of putting the super duper password right here in the unencrypted file, replace it with a variable. And the variable will start with a special prefix, vault_. I'm just doing this by convention so that I know that this value is coming from our special encrypted YAML file, and I'll call this vault_db_password. Then over on the left, I'm going to create another file called all.vault.yaml. And inside of that, I'll create the key vault_db_password and we'll put the value in there, super duper password.

Now our goal is that we need to encrypt this file, our all.vault.yaml. We can encrypt and decrypt files using the ansible-vault command, and I'll start off by encrypting that file. To do that, we'll use the encrypt subcommand and provide it the path to the file that we want to encrypt. It will ask me for a password. I'll just type a simple one like password and then it will ask me to confirm that. Once we do that, the encryption will be successful and this file is now encrypted.

If I open it up in Vim, I need to edit it and pull up the most recent version of the file. If I pull it up in Vim, notice that this is now completely encrypted, so I can't see the contents of this file. And now we can take this entire file, upload it to GitHub, and anyone can look at it and they won't be able to decipher the contents. Pretty cool. But how do we actually use these encrypted values in our playbooks? Let's look at the other side of this equation.

If I run the site playbook with the settings-install tag filter, I get an error saying decryption failed, and that's because it recognizes automatically that we're trying to use a file in this playbook that has been encrypted. And so to fix this, we need to provide another option called --ask-vault-pass. And when we provide that option, it will now ask us for the password. And I can just type password in here. And now the play will succeed as usual.

And again, just to double check, let's vagrant ssh into one of the app servers and make sure that we get all the values as we expect and it's not still encrypted or something strange. And if we take a look at settings.json, it looks like we have got the database name, but we don't have the database password. And that's because we did not actually add the password to our settings file. So let's go do that really quickly.

And we'll open up the template and I'll say the database password is equal to the db password. Good. And we'll run that one more time. Type in my password. And I'll ssh into app1.local. And now, this time, we've got the password and it's been decrypted and we have the actual value right here, except it's been hidden from prying eyes on GitHub or other people that might be using the project.

Now it would be a little bit annoying to have to type that password every single time we run any playbook, so there's a much easier thing that we can do. We can create a file in our project directory. I'll make it a dotfile called .vault_password. You can name this file whatever you want.

And then I'll use Shift-I so that I can see it in my Vim tree. And I'll open up the password file and just type in the password in plain text. Then we're going to tell Ansible about this password file in ansible.cfg. And in the [defaults] section, I create a key called vault_password_file and set it equal to .vault_password, or whatever you happen to name that file.

And one thing you want to make sure that you do here is that the file has the right permissions on it. So we want to make sure that this file is not checked in to GitHub. So don't check it in to Git or send it up to GitHub. And also make sure that you're the only one who can read and write it, and that everybody else cannot. So let's go ahead and update that file with chmod. And we're going to say that I can read and write the file, but no one else can. And we'll just double check it, and it looks like the permissions are much better now.

Let's go ahead and try to rerun that play that we just ran, but this time we won't ask for the vault password and it should succeed automatically. Great. Everything worked as expected. Just again, make sure you don't check the vault file into-- or your password file into Git.

Next up, what if you want to actually edit that encrypted file? Well, you can already see in Vim, if we pull it up in environments, all.vault.yaml, it's just gobbledygook. So we need to do something else to decrypt the file before we edit it, and there's a special command that Vault provides to us called ansible-vault edit. So we'll say ansible-vault edit and we just need to provide the path to the file. That's going to pull the file up in the editor of our choice, whatever you have set in the EDITOR environment variable. And in this case, for me, it's Vim. And it will decrypt the file and show it to me in Vim.

And then if I edit the file, I can make some kind of change here and it will automatically save the file and encrypt it again. So it makes it a little bit easier to work with the file this way. If you want to decrypt the file for good, you can use the decrypt subcommand and pass the path to the file, and that will decrypt the file permanently. And again, if you want to see the other options that are available with Ansible Vault, you can just type ansible-vault and Enter and you'll get this helpful help page.
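As an added example that is not part of the class or of Ansible itself, the following shell script lays out the vars/vault split, the ansible.cfg key and the permission check described above in one place, and encrypts the vault file only if ansible-vault is installed. It assumes the group_vars/all/vars.yml and group_vars/all/vault.yml directory layout rather than the all.vault.yaml name used in the class, and every password value in it is constructed.

```shell
#!/bin/sh
# Added example, not the course's own files: the vars/vault split, the
# ansible.cfg key and the permission check from the lecture, in one script.
# Layout (group_vars/all/vars.yml + vault.yml) and all values are assumptions.
set -eu

# Create the two-file pattern: a plain vars file that only references a
# vault_ variable, and the vault file that actually holds the secret.
write_vault_layout() {            # $1 = project dir
  mkdir -p "$1/group_vars/all"
  cat > "$1/group_vars/all/vars.yml" <<'EOF'
db_name: myapp
db_password: "{{ vault_db_password }}"
EOF
  cat > "$1/group_vars/all/vault.yml" <<'EOF'
vault_db_password: super duper password
EOF
  # Password file: owner read/write only, and never committed.
  printf 'password\n' > "$1/.vault_password"
  chmod 600 "$1/.vault_password"
  printf '.vault_password\n' >> "$1/.gitignore"
  cat > "$1/ansible.cfg" <<'EOF'
[defaults]
vault_password_file = .vault_password
EOF
}

# Verify the password file exists, is mode 600 and is ignored by git.
# Returns 0 when all three hold, 1 otherwise.
check_vault_password_file() {     # $1 = project dir, $2 = file name
  f="$1/$2"
  [ -f "$f" ] || return 1
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
  [ "$mode" = "600" ] || return 1
  grep -qxF "$2" "$1/.gitignore" 2>/dev/null || return 1
}

# Encrypt the vault file in place when ansible-vault is installed; the
# password comes from ansible.cfg, so no prompt and no --ask-vault-pass.
encrypt_vault_file() {            # $1 = project dir
  if command -v ansible-vault >/dev/null 2>&1; then
    (cd "$1" && ansible-vault encrypt group_vars/all/vault.yml)
  else
    echo "ansible-vault not installed; skipping encryption" >&2
  fi
}
```

Running check_vault_password_file before each playbook run catches the two mistakes the lecture warns about: a password file readable by other users, and one that is about to be committed.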

So Ansible provides a really nice way for us to configure our machines and do that in a way that's repeatable and idempotent, which means that the same things will not be repeated if they've already been done. And so I really, really love Ansible as a tool and I hope that this gives you a good introduction for how it's used.

If you want to learn more, you can head over to the documentation for it and then you can learn about all the different modules that are available. I only covered a handful of them in this class. But in other courses where we start deploying specific application frameworks, you're going to see a bunch of other modules as well.