Ansible Vault configuration

this section demonstrates how to validate the integration of ansible vault with the {{futurex}} pkcs#11 library a sample text file is encrypted using ansible vault, with the vault password stored in a separate file that password file is then encrypted using the {{ch}} during decryption, the password is recovered via the {{ch}} and passed to ansible vault to decrypt the original file the example highlights security of keys stored on a {{ch}} and automated secrets handling in ansible playbooks create a key pair on the {{ch}} perform the following two tasks to create a key pair set {{futurex}} environment variables perform the following steps by using the pkcs11 tool available from the opensc ( https //github com/opensc/opensc ) suite to generate keys on both deb based and rpm based distributions, the package is called opensc i n a terminal, run the following commands to set the required fxpkcs11 environment variables export fxpkcs11 module=/path/to/libfxpkcs11 so; export fxpkcs11 cfg=/path/to/fxpkcs11 cfg; be sure to modify the file path to match the location of libfxpkcs11 so and fxpkcs11 cfg on your system create a key pair i n a terminal, run the following command to create a new ecc key pair on the {{ch}} by using pkcs11 tool sudo pkcs11 tool module $fxpkcs11 module login keypairgen key type rsa 2048 label "ansible rsa privatekey" id "123456" usage decrypt when prompted for the user pin, enter the password of the identity configured in the fxpkcs11 cfg file if successful, the command output lists the keys that pkcs11 tool created on the {{ch}} ansible vault playbooks in ansible, playbooks perform automated tasks you can reference the {{futurex}} pkcs#11 library when performing these tasks inside the playbook file to perform various functions, including encrypting and decrypting files prerequisites you must create a file for the vault password (such as vault password file txt ) and place it in the same directory with the other test files this is the password that ansible vault uses to encrypt and decrypt the sample test file due to the importance of a password file, this file will be encrypted with a public key that is stored on {{ch}} in this example, we use a vault password file txt because ansible vault typically requires the password to be supplied through a file or an executable script this approach is essential for non interactive automation and enables integration with hsm based encryption workflows the testing examples provided are for demonstration purposes only and are not intended for use in production environments be sure to apply proper security practices, such as secure password handling, encrypted communications, and hsm configurations, when deploying to production inventory file an inventory file in ansible defines the hosts that ansible will manage it can list ip addresses, hostnames, and groupings of machines, allowing you to organize and target them in playbooks the file can be written in ini or yaml format example (ini format) \[local] localhost ansible connection=local in the example above, local is targeted for local execution, common in test setups example directory layout test ansible/ \| encrypt yml \| decrypt yml \| inventory \| test txt \| vault password file txt encrypt example you must copy and paste the contents of this example into a file with the yml extension and modify it as needed (such as encrypt yml ) the following example file performs the following actions encrypts test txt using ansible vault with the provided password file note test txt can be a text file containing sample data uses {{ch}} 's public key , which was generated earlier, to encrypt vault password file txt , storing the result in vault password file txt enc deletes the original, unencrypted vault password file txt to protect sensitive data displays a success message if all tasks are completed successfully \ \ hosts localhost vars pkcs11 key label "ansible rsa privatekey" ## this is the key label that was generated in the earlier step test file "/home/futurex/test ansible/test txt" ## this is the test file with sample data password file "/home/futurex/test ansible/vault password file txt" ## this is the file that contains an ansible password of your choosing password encrypted password file "/home/futurex/test ansible/vault password file txt enc" ## this is the created file where the encryptted passsword will be placed tasks \ name encrypt test data with ansible vault command > ansible vault encrypt {{ test file }} vault password file {{ password file }} \ name encrypt vault password file with hsm public key command > openssl pkeyutl \\ provider pkcs11 \\ inkey 'pkcs11\ object={{ pkcs11 key label }};type=public' \\ pubin encrypt \\ in {{ password file }} \\ out {{ encrypted password file }} \ name remove plaintext vault password file file path "{{ password file }}" state absent \ name confirm encryption success stat path "{{ encrypted password file }}" register encrypted result \ name display success message debug msg "vault password file encrypted with hsm key " when encrypted result stat exists after you modify the playbook file according to your environment, use the following shell command to run the playbook ansible playbook u \<your username> i inventory encrypt yml after running the command, opening the test txt file will reveal that it is now encrypted by ansible vault, displaying content similar to $ansible vault;1 1;aes256 66393331626331366132616133666639656630353133613933336666663234316361373532353635 3138306138633134613765643466666639343463666437310a633238323135386565633238663634 64613837373931373762613562656137313137393266643336613061326132396231363132636162 3234343930663332370a323461626133333537646664373835383932356163343864346330656435 3663 decrypt example you must copy and paste the contents of this example into a file with the yml extension and modify it as needed (such as decrypt yml ) the following example performs the following actions uses the {{ch}} 's private key to decrypt vault password file txt enc , restoring the original password into a temporary file decrypts test txt using ansible vault with the restored password file deletes the temporary, decrypted password file after use to maintain security displays a success message if all tasks are completed successfully \ \ hosts localhost vars pkcs11 key label "ansible rsa privatekey" ## this is the key label that was generated in the earlier step test file "/home/futurex/test ansible/test txt" ## this is the test file with sample data password file "/home/futurex/test ansible/vault password file txt" ## this is the file that contains an ansible password of your choosing password encrypted password file "/home/futurex/test ansible/vault password file txt enc" ## this is the created file where the encryptted passsword will be placed tasks \ name decrypt vault password file with hsm private key command > openssl pkeyutl \\ provider pkcs11 \\ inkey 'pkcs11\ object={{ pkcs11 key label }};type=private' \\ decrypt \\ in {{ encrypted password file }} \\ out {{ password file }} \ name decrypt the test file using ansible vault command > ansible vault decrypt {{ test file }} vault password file {{ password file }} \ name remove decrypted vault password file file path "{{ password file }}" state absent \ name confirm decryption success stat path "{{ test file }}" register decrypted result \ name display decryption success message debug msg "file decrypted successfully using vault + hsm " when decrypted result stat exists after you modify the playbook file according to your environment, use the following shell command to run the playbook ansible playbook u \<your username> i inventory decrypt yml