Let’s say you work in a remote Ansible control node and need to share a vault password

How can you do it in a more secure way?

Also, always adding --vault-password-file=/... to the CLI invocations is cumbersome…

One way I found is to take advantage of the environment variable ANSIBLE_VAULT_PASSWORD_FILE, but how can one leverage it?

Holding the secret?

There’s not much need to explain why this would be bad, right?

export ANSIBLE_VAULT_PASSWORD_FILE="my very unsafe secret"

  • password exposed in shell history
  • visible over your shoulder while you type it

Ok, this is not the way.

Pointing to a file?

You can point to a file holding the secret, but…

  • password is in clear text at rest
  • file needs to be shared by multiple people, maybe even with a group of people not all of whom need access to the vault…

Pointing to an executable

Finally getting warmer… but what executable would it be?

You can point this variable to some executable file that spits out the vault secret:

export ANSIBLE_VAULT_PASSWORD_FILE="/some/path/to/a/program"

Now, you could make that program simply run echo my very unsafe secret, but that would only be a marginally more complex version of the previous option, with no added advantage.

Is there no solution?

Well… I think I have found a safer way: enter GNU Privacy Guard!

You can set up a key-signing party with your colleagues, and then encrypt the vault secret to your colleagues' keys in a file:

read -s -p "Enter vault secret: " VAULT ; echo ; printf '%s\n' "$VAULT" | \
gpg -a -r myKey -r herKey -r hisKey -r bossKey -e > ~/.vault-secret.asc
# no input file is named, so gpg encrypts the secret piped in on stdin

Now all you need to do is create a small script that invokes gpg, and make your variable point to that script by default:

# the shebang matters: Ansible executes this file directly and reads the secret from its stdout
printf '#!/bin/sh\nexec gpg --quiet --decrypt ~/.vault-secret.asc\n' > ~/bin/vault.sh ; chmod +x ~/bin/vault.sh
echo 'export ANSIBLE_VAULT_PASSWORD_FILE="$HOME/bin/vault.sh"' >> ~/.bashrc
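A fail-closed version of vault.sh, added here as an example and not taken from the original post: it refuses to hand Ansible an empty or undecryptable secret, and it also wraps the encryption step so the secret is piped on stdin rather than taken from a stray filename. The VAULT_SECRET_FILE and GPG variables are assumptions for this example (the latter lets the logic be exercised with a stub when gpg is not installed).

```shell
#!/bin/sh
# Added example, not the original post's one-liner: a fail-closed vault.sh for
# ANSIBLE_VAULT_PASSWORD_FILE. Ansible executes this file and reads the secret
# from its stdout, so it needs a shebang, must print only the secret, and must
# exit non-zero on any failure instead of silently yielding an empty password.
# Assumptions (not from the post): ciphertext path in VAULT_SECRET_FILE, gpg
# binary in GPG (overridable so the logic can be tested with a stub).
VAULT_SECRET_FILE="${VAULT_SECRET_FILE:-${HOME:-.}/.vault-secret.asc}"
GPG="${GPG:-gpg}"
set -u

# Encrypt a vault secret read from stdin to every recipient's public key.
# Usage: printf '%s\n' "$secret" | encrypt_vault_secret OUT alice bob ...
# No input file is named, so gpg takes the plaintext from stdin.
encrypt_vault_secret() {
    out="$1"; shift
    [ "$#" -gt 0 ] || { echo "encrypt_vault_secret: no recipients" >&2; return 2; }
    for r in "$@"; do          # rewrite "alice bob" into "-r alice -r bob"
        set -- "$@" -r "$r"
        shift
    done
    "$GPG" --armor --encrypt "$@" > "$out"
}

# Print the decrypted vault secret; every failure path returns non-zero.
vault_secret() {
    f="$1"
    if [ ! -f "$f" ]; then
        echo "vault.sh: secret file not found: $f" >&2
        return 2
    fi
    if ! secret="$("$GPG" --quiet --decrypt "$f")"; then
        echo "vault.sh: gpg could not decrypt $f (check your key and gpg-agent)" >&2
        return 3
    fi
    if [ -z "$secret" ]; then
        echo "vault.sh: decrypted secret is empty, refusing to continue" >&2
        return 4
    fi
    printf '%s\n' "$secret"
}

# When Ansible runs this file as vault.sh, emit the secret; when the file is
# sourced (or run under another name), only the functions are defined.
if [ "${0##*/}" = "vault.sh" ]; then
    vault_secret "$VAULT_SECRET_FILE"
fi
```

Install it as ~/bin/vault.sh and point ANSIBLE_VAULT_PASSWORD_FILE at it; a non-zero exit makes ansible-vault report the failure instead of trying an empty password.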

You are now able to invoke ansible-vault however you like, enter your key's passphrase, and not worry about the password again until the gpg-agent cache expires.

You can also safely share that encrypted secret file with your team, and enjoy the benefits of strong asymmetric encryption protecting strong symmetric encryption.