Encrypting Files with Ansible Vault

Captions
Hello again everyone, and welcome back to my channel. In today's video we are going to cover more Ansible content, one of my favorite technologies, and specifically in this video I am going to show you guys Ansible Vault. I will show you how to encrypt and decrypt files, because that's what Ansible Vault does: it allows you to protect your secrets. And then I will show you an example of using Ansible Vault in an actual Ansible configuration, so you can see how to use Ansible Vault in production. So let's go ahead and get started.

So here on my laptop I'm fresh off the video that I've recently recorded where I show you guys how to use ansible-pull. So what I'm going to do is walk you guys through the entire process of using Ansible Vault to keep private information, well, private. Now first of all, you'll need to generate a very secure password, because if you're going to be keeping secrets secret then you definitely need a randomly generated password so nothing can be brute forced, and well, the better the password, the better the security. So what I recommend you do is use a random password generator. It really doesn't matter which one; I'm going to use KeePassXC, which is my go-to password manager. It has a built-in random password generator, that's this dice icon right here, and you can just keep generating random passwords. We can make it much more secure by including special characters as well, and every time you click on the button you get a new password. So if you don't already have a random password generator, this is one of many ways that you can generate a password, and you can actually make this as strong and secure as you want to; the more characters, the more secure. So now I have a 32-character password, which I think is going to be more than enough to secure Ansible Vault. I'll just go ahead and copy that to the clipboard, and then we should be good to go with that.

Now what we'll need to do is go ahead and store the password somewhere on our file system where Ansible is going to be able to access it. Now I'm actually in a git repository directory right now, and this is the same repository that I was working with when I created the ansible-pull tutorial, and the reason why I'm bringing up this particular repository is because I want to let you guys know of a very important thing, which is: you should never have your vault password file stored with version control and then pushed up to a repository where everyone will be able to reach it. I know for many of you that sounds like common knowledge, but you'd be surprised how many private passwords end up on GitHub. So what I'm going to do is create it in my home directory in a hidden file. So I'll just use nano (you could use whatever text editor you'd like), and the tilde, if you didn't already know, is short for the home directory, and I'm just going to store it in a hidden file called .vault_key. The period in front means that it's a hidden file in my home directory. Press enter, and I've pasted the password right in there. So essentially we're just storing the password locally on our machine here, and you definitely don't want to lose this, because if you do, you will never be able to decrypt any of the encrypted files that you are using Ansible Vault with. So just keep that in mind. So Ctrl+O and then enter to save, and then Ctrl+X to exit out.

Now what I'm going to do is change the permissions of that file, and as you can see here, that is actually readable by pretty much everyone. So what I'll do, I'll use chmod, I'll do 600, and now if we look at the permissions, only the owning user has read and write access to that file and nobody else is able to read it. And that's important, especially if you are using a Linux server or some kind of Linux installation that multiple users are going to be using. It probably goes without saying, but if you have a password file you definitely want to control who is able to see that, because if that leaks out, that invalidates all of your encryption. So now we should be good to go and we can go ahead and start using Ansible Vault.

So I'm going to give you guys a few examples here. What I'm going to do right now is just create a blank text file. I just randomly chose the name info.txt, but you get the idea. So basically just type some random text in here, because with Ansible Vault you can encrypt pretty much any file. So this is just a starting example, but anyway, I'll go ahead and save this, and now we can go ahead and use Ansible Vault. Now with Ansible Vault there's nothing to install, because if you've already installed Ansible then you already have Ansible Vault, and to prove that, there it is: ansible-vault is the binary, and it's located in /usr/bin, as you see here. So at this point the file is wide open, there's no encryption at all. Let's go ahead and encrypt it. So we will run ansible-vault. After we type ansible-vault we need to give it an option, tell it what exactly we would like to do, and what we want to do is encrypt the file, and the file that we want to encrypt is info.txt. I'll press enter, and then I'll paste the password that we've generated, I'll press enter, and then I'll paste it in again, and then enter, and it says "Encryption successful". So now if we look at that file, we can see that it is completely encrypted; we can't read any of the text inside the file. So to decrypt the file we can run ansible-vault decrypt, and then --vault-password-file, we'll give it the path to the encryption key that we've saved that has the password inside, then the name of the file that we want to decrypt, which is this one right here. It says "Decryption successful", and we can see that we can now read the information. Now what I'm going to do is go ahead and encrypt that file again, but this time I'm going to use the --vault-password-file option instead of typing the password or pasting it into the terminal. And the password file is, well, the one that we've saved, then the file name of the file we want to encrypt, and it tells us "Encryption successful", and we can see now that it is encrypted.

We'll get back to the video shortly, but first I want to mention my sponsor, Linode. Founded in 2003, Linode is the largest independent cloud service provider built on open source, and Linode is giving LearnLinuxTV subscribers $100 in credit when you sign up today. If it runs on Linux, it runs on Linode. Multiple distros are available, including Ubuntu, CentOS, Alpine and of course Arch, and multiple server configurations make any app or service flexible and scalable. Use your Linode server to host a website, set up your own personal VPN, create a Nextcloud instance, host a game server and more. Linode also features 24x7x365 support that's available by phone or support ticket regardless of your plan size, and the pricing is simple, with monthly caps that ensure no hidden fees and generous monthly transfer that's built in, which means no large bill surprises like you get from AWS or Azure. So go ahead and check out Linode; they are actually my infrastructure provider, I love their service. So go ahead and sign up with the link in the description below to get your $100 in Linux server credits, and now let's get back to the video.

Another option that we have is the edit option. So rather than type everything all over again, I'll just change encrypt to edit, because we could actually edit the file right from our command line here as well. And all we're doing is we're using ansible-vault edit, we're giving it the vault password file like we did before, and of course the file name. I'll press enter, and you can see that an editor opened up; it actually opened vim, that's my default editor, and now I can actually go ahead and edit the file. Easy enough. And of course the file is still encrypted, but we were able to change the contents inside the file without decrypting it and then having to encrypt it again. So basically you could use the ansible-vault edit command to just, well, make edits to the encrypted file. Also, if you want to view the contents of an encrypted file without decrypting it first, you could actually use the view option, and it looks something like this. And as you can see, it's pretty simple. So all of the ansible-vault commands, they're pretty straightforward: we had view, we had edit, encrypt, decrypt, things like that. We give it the vault password file, which we have stored in the file in the home directory here as you see, and then we just give it the file name, as you can see here.

So at this point we have seen examples of creating a basic text file, encrypting it, decrypting it and so on, and that's all well and good. If all you want to do is use Ansible Vault to store secrets, then that's all there is to it. But Ansible itself is a configuration management utility that you can use to manage your servers (I've done a whole series on Ansible), so how would you use this with Ansible and combine it with your Ansible workflow? So let's see an example of that. So inside this repository, I'll just list storage again, we have the tasks directory, inside there we have a files directory, and I'll list the storage again, and we have this sudoers file. So in the ansible-pull tutorial I basically showed how to add a sudoers file to control sudo access, and this file was basically one of them that I used for that. It just has this one line, which is just a sudoers line: ansible ALL, you know, and so on. Now what we can do is encrypt this. Now honestly, there's really nothing too private about this file, but if we did want to keep our sudo setup secret, then there might be some actual value in encrypting this file. So what I'm going to do is just run ansible-vault just like before, we'll encrypt, we'll give it the vault key, and then the file name, just like before, and now we cannot see the file.

So what I'm going to do is just go ahead and commit the changes to git. This isn't required, but I just want to show you guys how this would work in a normal Ansible workflow. So if I run git status, we have the info.txt file here listed as a change, but I'm going to ignore that, I really don't care about that; in fact, I'll go ahead and remove it. And now the only change that we have is the sudoers file that I have just encrypted. So we'll just go ahead and add that, then I'll commit the change, I'll press enter, then I'll send the changes up to GitHub, and there we go. So if I go up here to the repository that we've been working with, I can refresh it, then I can go in here to tasks, then files, and we can see that we have the encrypted file right here. So why is this important? In GitHub you can actually set up a private repository where nobody can actually see the contents of your repository unless they're able to authenticate. But what if you do actually want your entire repository to be publicly available, because maybe you do want people to be able to download your code and use it, but, you know, perhaps you have one file in there that you really don't want people to see? What this allows you to do is encrypt that one file and still have the entire repository public. Sure, there are multiple ways of accomplishing this, but this is a great way to do it, because then you can have all the benefits of a public repository but still keep some secrets safe, if you want to do that. And as long as you haven't made the mistake of uploading your actual key to GitHub itself or any version control system, then, well, it should be perfectly fine and actually very secure.

Now we have a new problem, though. If I go over here to the server (and you don't have to follow along here, because you may not have a server set up; I'm just going to show it off), this is the server that I was working with in a previous video that I'm just going to use as an example. Now if I was to go ahead and run an ansible-pull job, it's going to fail. I'll show you why. So here's the command to run the ansible-pull job from the previous video. I'll press enter, let's see it fail, and we can see right here that it did indeed fail, because we didn't provide a password for this file, because in the Ansible code we're telling it to copy that file over to the server. Specifically, go back a directory here, we have these taskbooks right here, so if I go ahead and open up the users taskbook here, we can see this little section where I am copying that sudoers file over to the server. The source, files/sudoers_ansible, that's the source in the local repository, the file that we just encrypted, and the destination on the server, the one that's running the Ansible job: that file is going to end up at /etc/sudoers.d/ansible. But it's unable to read the file. So what Ansible is going to do is check that file on the server to make sure that it matches, but it really can't compare it, because the one that we have here is now encrypted. It can't even do a comparison; it can't read the file either. So of course that's going to fail.

Now what we can do is we can actually copy that vault password file over to the server. So over here I'll just check the IP address, because I don't remember what it is, and I will use tmux to go ahead and copy the IP address, because I'm too lazy to type it. I have a whole tutorial series on tmux if you would like to learn it, so I'm not going to go over how I did this in this video; you can check out that series if you'd like to learn tmux. In case you're wondering, with all this information down here that I have set up in these two tabs, that's tmux. So anyway, I will copy this information, and then what I will do is use scp, and I'll just go ahead and grab that file, and then I will copy it to the IP address for the server, and I'll just use a colon, because I'm just going to put it in the home directory. Now over here on the server I have the vault key right there. Now obviously you don't want to make the mistake that I'm making right now and show the vault key on a video that's going to be watched by thousands of people, but considering this is just a test, it doesn't really matter. And it probably goes without saying, but keep that password secret no matter what you do. Don't let anyone see that password; that invalidates the encryption and you can no longer trust it.

But anyway, what I can do is now recall this command right here, and then what I will do, about right here, is I will do --vault, same as before; I just added the --vault-password-file to the command. And let's see if it works now, and it did. Now I haven't actually made any changes to the repository; it doesn't really do anything new. I didn't add any new packages or customizations of any kind, so of course we have changed=0, but we also have failed=0. So Ansible was able to compare the files and use them, because we provided the vault password key file right here, the vault password file, and that allowed this to go ahead and work. So the takeaway here is: when you have a repository that has Ansible code in it, you can actually encrypt any of the files that you don't want other people to see, and then use the vault password file to decrypt those files after you encrypt them. So essentially you encrypt the protected file, you go ahead and push that up to your version control, then once you've done that, you know, basically just use the key on the server that is running the Ansible job to decrypt it. And that's a great way of storing secret information in a public repository.

So what I'm going to do is leave you with one more example. What if you want to change the key and re-encrypt it with a different key? For example, maybe you did make a mistake and that key file did leak out and other people now know your password. Now you need to re-encrypt it. So how do you do that? For that we will use again ansible-vault, we'll type rekey as the option, because we want to change the password, and inside the files directory in my case we have this file right here (doesn't really matter, this is just an example), and we'll do --vault-password-file and then, just like before, the vault key. I haven't changed this, it's still the same password as before, because we need to provide the old password in order to create a new one. I'll press enter, and it's asking me for the new vault password, and as you see here, the rekey is successful. So at this point what you would have to do is change the vault password file on all of your servers to the new one, otherwise they will all fail. But if you needed to change the password for your encryption, well, that's how you do it.

Well, there you have it. That was my tutorial on Ansible Vault. I hope that was helpful. If you haven't already done so, please click on that like and subscribe button, because I have some awesome content coming very soon, and if you subscribe you'll be the first to see it as soon as it's available. In the meantime, make sure you check out my website, learnlinux.tv; I have all of the playlists on that website that you can use to get quick access to things like tutorials, reviews and more. So thanks again for watching, guys, and I will see you in the next video.
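The video does the whole workflow by hand: generate a password, store it in a hidden file with mode 600, keep it out of git, encrypt, then rekey after a leak. The script below is an added example written for this page, not code from the video or from the Ansible project. It wraps the same ansible-vault commands with the checks a practitioner would want enforced before each run: the password file must be 0600 (or 0400), it must not be tracked by git, an already-encrypted file is not encrypted twice, and the rekey is done non-interactively with a freshly generated 0600 key file. The file names `~/.vault_key` and `tasks/files/sudoers_ansible` are taken from the video and are only example arguments; the `$ANSIBLE_VAULT;1.1;AES256` / `$ANSIBLE_VAULT;1.2;AES256;<label>` header strings are the documented first line of vault-encrypted files. Only the two functions that actually call `ansible-vault` need Ansible installed.

```shell
#!/bin/sh
# Added example (not the video's code): guard rails around ansible-vault.
# Assumed names, from the video: ~/.vault_key (password file) and
# tasks/files/sudoers_ansible (file to protect); both are just arguments.
set -eu

# Octal permission bits of a file, on GNU (stat -c) or BSD/macOS (stat -f).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Create the vault password file: 32 random alphanumerics from /dev/urandom.
# umask 077 makes the file 0600 from the first byte, so the password is never
# world-readable, not even for the moment between creation and a later chmod.
generate_vault_key() {
    local key="$1"
    [ -e "$key" ] && { echo "refusing to overwrite $key" >&2; return 1; }
    ( umask 077
      LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 32 >"$key"
      printf '\n' >>"$key" )
}

# 0 if the key file exists and only its owner can read it (0600 or 0400).
check_vault_key() {
    local key="$1" mode
    if [ ! -f "$key" ]; then
        echo "vault key $key does not exist" >&2
        return 1
    fi
    mode=$(file_mode "$key")
    case "$mode" in
        600|400) return 0 ;;
        *) echo "vault key $key has mode $mode, expected 600" >&2; return 1 ;;
    esac
}

# 0 if git tracks the key file, i.e. it would be pushed with the repository.
# A key outside any repository (like ~/.vault_key) is reported as untracked.
key_is_tracked_by_git() {
    command -v git >/dev/null 2>&1 || return 1
    git -C "$(dirname "$1")" ls-files --error-unmatch -- "$(basename "$1")" \
        >/dev/null 2>&1
}

# 0 if the file already carries an Ansible Vault header (format 1.1, or 1.2
# when a vault id label is attached), so it is never encrypted twice.
is_vault_encrypted() {
    case "$(head -n 1 "$1" 2>/dev/null)" in
        '$ANSIBLE_VAULT;1.1;AES256'|'$ANSIBLE_VAULT;1.2;AES256;'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Encrypt a file in the repository, refusing when the key is unsafe to use.
vault_encrypt() {
    local key="$1" target="$2"
    check_vault_key "$key"
    if key_is_tracked_by_git "$key"; then
        echo "refusing: $key is committed to git; rotate it with rekey" >&2
        return 1
    fi
    if is_vault_encrypted "$target"; then
        echo "$target is already encrypted" >&2
        return 0
    fi
    ansible-vault encrypt --vault-password-file "$key" "$target"
}

# Rotate a leaked password without the interactive prompt: the old key file
# decrypts, the new one (generated 0600 if missing) re-encrypts. Every server
# that runs ansible-pull needs the new file before its next pull.
vault_rekey() {
    local old="$1" new="$2" target="$3"
    check_vault_key "$old"
    [ -e "$new" ] || generate_vault_key "$new"
    check_vault_key "$new"
    ansible-vault rekey --vault-password-file "$old" \
        --new-vault-password-file "$new" "$target"
}

# Usage, from the repository root:
#   sh vault_guard.sh encrypt ~/.vault_key tasks/files/sudoers_ansible
#   sh vault_guard.sh rekey ~/.vault_key ~/.vault_key.new tasks/files/sudoers_ansible
case "${1:-}" in
    encrypt) vault_encrypt "$2" "$3" ;;
    rekey)   vault_rekey "$2" "$3" "$4" ;;
esac
```

On the server side the job from the video is the same command with the key file added, in the form `ansible-pull -U <repository-url> --vault-password-file ~/.vault_key`; after a rekey, `scp` the new file into place (with the same 0600 mode) before the next pull, or that pull fails exactly as shown in the video. `check_vault_key` is also worth running in the ansible-pull cron job itself, so a key file whose permissions were loosened by a later edit is caught instead of silently used.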
Info
Channel: LearnLinuxTV
Views: 6,461
Rating: 4.9272728 out of 5
Keywords: Linux, Tutorial, Review, Howto, Guide, Distribution, Distro, Learn Linux, os, LearnLinuxTV, LearnLinux.tv, ansible, vault, encrypt, decrypt, cryptography, crypto, ansible-vault, ansible vault, task book, pull, ansible pull, ansible-pull, ansible tutorial, ansible tutorial for beginners, ansible playbook tutorial, ansible roles, tutorial, howto, linux tutorial, learn ansible, ansible-vault encrypt, ansible vault basic commands, ansible vault explained, ansible vault examples, ansible vault commands
Id: xeBnAbmt3Wk
Length: 20min 48sec (1248 seconds)
Published: Tue Sep 29 2020