Hacker News
by Confiks 3695 days ago
I've been using ansible-vault to solve this problem in our infrastructure repository. A symmetric vault key is encrypted using gpg, and Ansible's vault_password_file is set to an executable shell script containing `gpg --batch --use-agent --decrypt vault_key.gpg`.

Very specific to Ansible, but works fine. It's a shame only files containing variables (we're using group_vars) can be encrypted, and not arbitrary files or templates.


To be a bit pedantic, all .yml files can be encrypted with ansible-vault, so also playbooks and roles.

There are two things currently that bother me about ansible-vault. The first is that the 'edit' command writes a completely new file even if I didn't change anything. And the second is that the diffs in git become useless. I'd love to have a special diff driver for ansible-vault encrypted files that decrypts before diffing when the secret is available.

If you use show instead of edit it doesn't re-encrypt the file.

Agreed on the useless diffs however, it makes reviewing pull requests or changes much harder.

I'm curious, why do you feel the need to encrypt every single file instead of just secrets (to keep reviewing possible)? :)
I usually only encrypt var files that contain things like db passwords or something. In our case it made it harder to spot typos in the username for example.

I wouldn't encrypt a whole playbook for example.

We don't encrypt all of the credentials, just the actual passwords.
Uhm, for me edit brings up vi; I then :q and the file's modification date doesn't change?
More things about Ansible vault that are a shame:

- no file encryption, only YML

- no separate values, only entire file

- OMG it's s...l...o...w...

- password based instead of certs

- only one password

- password cannot even be stored in an env var

More: http://jpmens.net/2014/02/22/my-thoughts-on-ansible-s-vault/

A good trick I found was to have a file with your values assigned as `vault_something` and then in the clear version have the variable assigned as: `something: "{{ vault_something }}"`

But yeah, the "only one password" is the biggest pain for me...

Actually, you can make the vault password file an executable shell script containing

echo "$ANSIBLE_VAULT_PASSWORD"

re: your last bullet point, I put my password as the only thing in a text file, then point the environment variable to that. Same effect, although it is one (small) extra step.
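Combining the two tricks from this thread (the gpg-decrypted vault key in the first comment and the `echo "$ANSIBLE_VAULT_PASSWORD"` script above) into one executable vault password file, as an added example that is not code from the original posts or from Ansible itself. Ansible runs an executable `vault_password_file` and reads the password from its stdout; this script prefers `ANSIBLE_VAULT_PASSWORD` from the environment (CI, one-off runs) and falls back to decrypting a gpg-encrypted key file (interactive use with gpg-agent). The script name `vault-pass.sh`, the `VAULT_KEY_GPG` override variable and the default key location next to the script are assumptions for this example. The outer helper functions only write the script to a directory and run it, so the example can be tried offline with a constructed password; the gpg path is only taken when the key file actually exists.

```shell
# Write the vault password script into DIR and print its path.
write_vault_pass_script() {
    dir="$1"
    script="$dir/vault-pass.sh"
    cat > "$script" <<'EOF'
#!/bin/sh
# vault-pass.sh (example, not Ansible's own): point vault_password_file in
# ansible.cfg, or ANSIBLE_VAULT_PASSWORD_FILE, at this executable script.
set -eu
# Assumed location of the gpg-encrypted vault key; override with VAULT_KEY_GPG.
key_file="${VAULT_KEY_GPG:-$(dirname "$0")/vault_key.gpg}"

if [ -n "${ANSIBLE_VAULT_PASSWORD:-}" ]; then
    # The password arrives through the environment (CI, one-off runs).
    printf '%s\n' "$ANSIBLE_VAULT_PASSWORD"
elif [ -r "$key_file" ]; then
    # Interactive use: gpg-agent unlocks the encrypted vault key.
    exec gpg --batch --use-agent --quiet --decrypt "$key_file"
else
    # Fail loudly rather than hand Ansible an empty password.
    echo "vault-pass.sh: no ANSIBLE_VAULT_PASSWORD and no readable $key_file" >&2
    exit 1
fi
EOF
    chmod +x "$script"
    printf '%s\n' "$script"
}

# Run the script the way Ansible would (no arguments) with the given value
# for ANSIBLE_VAULT_PASSWORD ("" behaves as unset) and print what it emits.
run_vault_pass() {
    env ANSIBLE_VAULT_PASSWORD="$2" sh "$1"
}

# Demo with a constructed password. No vault_key.gpg is created, so the
# second run exercises the "no password source" failure path.
demo_dir="$(mktemp -d)"
demo_script="$(write_vault_pass_script "$demo_dir")"
run_vault_pass "$demo_script" 'constructed-demo-secret'
if run_vault_pass "$demo_script" '' 2>/dev/null; then
    echo "unexpected: script produced a password with no source"
else
    echo "no password source: script exited non-zero as intended"
fi
rm -rf "$demo_dir"
```

Keep `vault_key.gpg` (and nothing else) in the repository; the cleartext vault password never lands on disk, and a teammate only needs their gpg key in the recipient list of `vault_key.gpg` to run playbooks. Because the env-var branch wins, a CI job can export `ANSIBLE_VAULT_PASSWORD` from its secret store without any gpg setup at all.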