Ansible Vault configuration

This section details the steps to configure the Ansible instance to integrate with the {{futurex}} PKCS #11 library.

Create a key pair on the CryptoHub

Perform the following tasks to create a key pair:

1. Set Futurex PKCS #11 environment variables. In a terminal, run the following commands to set the required FXPKCS11 environment variables:

```sh
export FXPKCS11_MODULE=/path/to/libfxpkcs11.so; export FXPKCS11_CFG=/path/to/fxpkcs11.cfg;
```

   Be sure to modify the file paths to match the location of libfxpkcs11.so and fxpkcs11.cfg on your system.

2. Create a key pair on the CryptoHub by using pkcs11-tool. In a terminal, run the following command to create a new key pair on the {{ch}} by using pkcs11-tool:

```sh
sudo pkcs11-tool --module $FXPKCS11_MODULE --login --keypairgen --key-type rsa:2048 --label "ansible-rsa-privatekey" --id "123456"
```

   When prompted for the User PIN, enter the password of the identity configured in the fxpkcs11.cfg file. If successful, the command output lists the keys that pkcs11-tool created on the {{ch}}.

Ansible Vault playbooks

In Ansible, playbooks perform automated tasks. Refer to the {{futurex}} PKCS #11 library when performing these tasks inside the playbook file to perform various functions, including encrypting and decrypting files.

Prerequisites

You must create a file for the vault password (such as vault_password_file.txt) and place it in the appropriate folder. Ansible Vault uses this password to encrypt the HSM key and the file to be encrypted with the HSM key. You must adjust the security of this file based on your organization's best practices. For the encrypt and decrypt examples in this section, this file is placed in the /tmp/ directory on the Linux machine.

Encrypt example

You must copy and paste the contents of this example into a file with the .yml extension (such as encrypt.yml) and modify it as needed. This example performs the following actions:

- Retrieves the key from the {{ch}}
- Stores the key in a temporary file
- Encrypts the temporary file with Ansible Vault
- Uses the encrypted temporary key file to encrypt the target file
- Cleans the encrypted temporary key file from the system

```yaml
---
- hosts: local
  vars:
    pkcs11_module: "/usr/local/bin/fxpkcs11/libfxpkcs11.so"  # Insert path to PKCS11 lib
    pkcs11_pin: "safest"  # Password utilized in fxpkcs11.cfg
    pkcs11_key_label: "ansible-rsa-privatekey"  # Update this based on the actual label used when generating the key pair
    temp_key_file: "/tmp/hsm_key.txt"  # Location of the temporary file that is generated
    file_to_encrypt: "/home/futurex/Desktop/test.txt"  # Location of the file to encrypt
    encrypted_file: "/home/futurex/Desktop/test.txt.enc"  # Location of the encrypted file after encrypt.yml is run

  tasks:
    - name: Test connectivity
      command: echo "Hello, PKCS#11"

    - name: List objects in the HSM
      command: >
        pkcs11-tool --module {{ pkcs11_module }} --list-objects
      register: list_objects

    - name: Show the list of objects
      debug:
        var: list_objects.stdout

    - name: Retrieve encryption key from HSM using PKCS#11
      command: >
        pkcs11-tool --module {{ pkcs11_module }} --read-object --label "{{ pkcs11_key_label }}" --type privkey
      register: hsm_key

    - name: Check if the HSM key was retrieved successfully
      fail:
        msg: "Failed to retrieve HSM key"
      when: hsm_key.rc != 0

    - name: Store HSM key in a temporary file
      copy:
        content: "{{ hsm_key.stdout }}"
        dest: "{{ temp_key_file }}"

    - name: Encrypt the HSM key using Ansible Vault
      command: >
        ansible-vault encrypt {{ temp_key_file }} --vault-password-file /tmp/vault_password_file
      register: vault_encryption

    - name: Encrypt the file using the HSM key
      command: >
        openssl enc -aes-256-cbc -salt -in {{ file_to_encrypt }} -out {{ encrypted_file }} -pass file:{{ temp_key_file }}
      when: hsm_key.stdout is not none and vault_encryption.rc == 0

    - name: Display success message
      debug:
        msg: "File encrypted successfully!"
      when: hsm_key.stdout is not none and vault_encryption.rc == 0

    - name: Clean up temporary files
      file:
        path: "{{ temp_key_file }}"
        state: absent
      when: hsm_key.stdout is not none
```

After you modify the playbook file according to your environment, use the following shell command to run the playbook:

```sh
sudo ansible-playbook -u <your username> -i inventory encrypt.yml -k
```

Decrypt example

You must copy and paste the contents of this example into a file with the .yml extension (such as decrypt.yml) and modify it as needed. This example performs the following actions:

- Retrieves the key from the {{ch}}
- Stores the key in a temporary file
- Encrypts the temporary file with Ansible Vault
- Uses the encrypted temporary key file to decrypt the target file
- Cleans the encrypted temporary key file from the system

```yaml
---
- hosts: local
  vars:
    pkcs11_module: "/usr/local/bin/fxpkcs11/libfxpkcs11.so"  # Insert path to PKCS11 lib
    pkcs11_pin: "safest"  # Password utilized in fxpkcs11.cfg
    pkcs11_key_label: "ansible-rsa-privatekey"  # Update this based on the actual label used when generating the key pair
    temp_key_file: "/tmp/hsm_key.txt"  # Location of the temporary file that is generated
    encrypted_file: "/home/futurex/Desktop/test.txt.enc"  # Location of the encrypted file produced by encrypt.yml
    decrypted_file: "/home/futurex/Desktop/decrypted_test.txt"  # Location of the decrypted file after decrypt.yml is run

  tasks:
    - name: Test connectivity
      command: echo "Hello, PKCS#11"

    - name: List objects in the HSM
      command: >
        pkcs11-tool --module {{ pkcs11_module }} --list-objects
      register: list_objects

    - name: Show the list of objects
      debug:
        var: list_objects.stdout

    - name: Retrieve encryption key from HSM using PKCS#11
      command: >
        pkcs11-tool --module {{ pkcs11_module }} --read-object --label "{{ pkcs11_key_label }}" --type privkey
      register: hsm_key

    - name: Check if the HSM key was retrieved successfully
      fail:
        msg: "Failed to retrieve HSM key"
      when: hsm_key.rc != 0

    - name: Store HSM key in a temporary file
      copy:
        content: "{{ hsm_key.stdout }}"
        dest: "{{ temp_key_file }}"

    - name: Encrypt the HSM key using Ansible Vault
      command: >
        ansible-vault encrypt {{ temp_key_file }} --vault-password-file /tmp/vault_password_file
      register: vault_encryption

    - name: Decrypt the file using the HSM key
      command: >
        openssl enc -d -aes-256-cbc -in {{ encrypted_file }} -out {{ decrypted_file }} -pass file:{{ temp_key_file }}
      when: hsm_key.stdout is not none

    - name: Display decryption success message
      debug:
        msg: "File decrypted successfully!"
      when: hsm_key.stdout is not none

    - name: Clean up temporary files
      file:
        path: "{{ temp_key_file }}"
        state: absent
      when: hsm_key.stdout is not none
```

After you modify the playbook file according to your environment, use the following shell command to run the playbook:

```sh
sudo ansible-playbook -u <your username> -i inventory decrypt.yml -k
```
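Both playbooks register the output of `pkcs11-tool --list-objects` before they try to read the private key. The following added pre-flight check (example code, not part of the original page or the {{futurex}} library) parses that output in the layout OpenSC's pkcs11-tool prints and confirms that the key pair created in the key-generation step (label `ansible-rsa-privatekey`, ID `123456`) exists, and whether the token marks the private key as never extractable, which decides whether the `--read-object --type privkey` task can succeed. The sample listing is constructed, not captured from a real HSM.

```python
"""Pre-flight check for the Ansible/PKCS #11 playbooks: parse the text that
`pkcs11-tool --module ... --list-objects` prints (registered as list_objects in
the playbooks) and verify the labelled key pair before the read-object task runs."""
import re
from dataclasses import dataclass, field

# Constructed sample, laid out like OpenSC pkcs11-tool --list-objects output.
SAMPLE_LIST_OBJECTS = """\
Using slot 0 with a present token (0x0)
Private Key Object; RSA
  label:      ansible-rsa-privatekey
  ID:         123456
  Usage:      decrypt, sign, unwrap
  Access:     sensitive, always sensitive, never extractable
Public Key Object; RSA 2048 bits
  label:      ansible-rsa-privatekey
  ID:         123456
  Usage:      encrypt, verify, wrap
  Access:     none
"""


@dataclass
class Pkcs11Object:
    kind: str                                   # e.g. "Private Key", "Public Key"
    attrs: dict = field(default_factory=dict)   # lower-cased attribute name -> value


def parse_list_objects(text):
    """Split pkcs11-tool output into objects; every '<kind> Object; ...' line starts one,
    and the indented 'name: value' lines that follow belong to it."""
    objects = []
    for line in text.splitlines():
        header = re.match(r"^(\S.*?) Object;", line)
        if header:
            objects.append(Pkcs11Object(kind=header.group(1)))
        elif objects and line.startswith(" ") and ":" in line:
            name, _, value = line.strip().partition(":")
            objects[-1].attrs[name.strip().lower()] = value.strip()
    return objects


def check_key_pair(text, label, key_id):
    """Report which object kinds carry the expected label and ID, and whether the
    private key is extractable (a 'never extractable' access flag means the HSM
    will not hand the key material to pkcs11-tool --read-object)."""
    matches = [o for o in parse_list_objects(text)
               if o.attrs.get("label") == label and o.attrs.get("id") == key_id]
    priv = next((o for o in matches if o.kind == "Private Key"), None)
    extractable = priv is not None and "never extractable" not in priv.attrs.get("access", "")
    return {"kinds": sorted(o.kind for o in matches), "private_key_extractable": extractable}
```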