Let’s say you work on a remote Ansible control node and need to share a vault password.

How can you do it in a more secure way?

Also, always adding --vault-password-file=/... to the CLI invocations is cumbersome…

One way I found is to take advantage of the environment variable ANSIBLE_VAULT_PASSWORD_FILE, but how can one leverage it?

Holding the secret?

There’s not much need to explain why this would be bad, right?

export ANSIBLE_VAULT_PASSWORD_FILE="my very unsafe secret"
  • password exposed in shell history
  • visible over your shoulder while you type it

Ok, this is not the way.

Pointing to a file?

You can point to a file holding the secret, but…

  • password is in clear text at rest
  • file needs to be shared by multiple people, maybe even with a group of people not all of whom need access to the vault…

Pointing to an executable

Finally getting warmer… but what executable would it be?

You can point this variable to some executable file that spits out the vault secret:

export ANSIBLE_VAULT_PASSWORD_FILE="/some/path/to/a/program"

Now, you could make that executable just echo my very unsafe secret, but that is only a marginally more complex version of the previous option with no added advantage.

Is there no solution?

Well… I think I have found a safer way: enter GNU Privacy Guard!

You can set up a key-signing party with your colleagues, and then encrypt the vault secret to your colleagues’ keys in a file:

read -s -p "Enter vault secret: " VAULT ; echo ; echo "$VAULT" | \
gpg -a -r myKey -r herKey -r hisKey -r bossKey -e > ~/.vault-secret.asc

Now all you need to do is create a small script that invokes gpg, and set your variable to point at that script by default:

mkdir -p ~/bin ; printf '#!/bin/sh\nexec gpg -q -d ~/.vault-secret.asc\n' > ~/bin/vault.sh ; chmod +x ~/bin/vault.sh
echo "export ANSIBLE_VAULT_PASSWORD_FILE=~/bin/vault.sh" >> ~/.bashrc
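A sturdier version of that password script, added here as an example and not part of the original post: it fails with a non-zero exit (which ansible reports) instead of handing over an empty password when gpg cannot decrypt, keeps gpg's chatter on stderr so only the secret reaches stdout, and lets the secret path and gpg binary be overridden through the assumed VAULT_SECRET_FILE and GPG environment variables.

```sh
#!/bin/sh
# Added example (not the original post's code). Assumes the shared secret is
# in ~/.vault-secret.asc unless VAULT_SECRET_FILE overrides it, and that the
# gpg binary is named by $GPG (default: gpg). Save as ~/bin/vault.sh.
set -e

SECRET_FILE="${VAULT_SECRET_FILE:-$HOME/.vault-secret.asc}"
GPG="${GPG:-gpg}"

# Decrypt the shared secret file and emit the vault password on stdout.
# ansible reads only stdout, so gpg's own messages stay on stderr.
# Return non-zero instead of printing nothing when decryption fails or the
# decrypted content is empty, so ansible aborts with the real error rather
# than trying an empty password.
vault_password() {
    secret=$("$GPG" --quiet --decrypt "$1") || {
        echo "vault.sh: gpg could not decrypt $1" >&2
        return 1
    }
    [ -n "$secret" ] || {
        echo "vault.sh: decrypted secret is empty" >&2
        return 1
    }
    printf '%s\n' "$secret"
}

# Run only when executed as the password script itself (ansible invokes it by
# path); this lets the function be sourced and exercised without a real gpg.
if [ "${0##*/}" = "vault.sh" ]; then
    [ -r "$SECRET_FILE" ] || { echo "vault.sh: $SECRET_FILE not readable" >&2; exit 1; }
    vault_password "$SECRET_FILE"
fi
```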

You are now able to invoke ansible-vault however you like, enter your key’s password, and not worry about the password again until the gpg-agent cache expires.

You can also safely share that secret file with your team, and enjoy the benefits of strong asymmetric encryption protecting strong symmetric encryption.