How to encrypt binary files in Ansible?
We are using Ansible Vault to store passwords, private keys for certificates etc. in our Ansible Playbook git repository. All of our existing private data is in text form, so we can store it in variables. These are then used in templates or with the content
parameter of the copy module.
Now, we have a Java KeyStore file, which sadly has a binary format. As such, it cannot be stored inside a variable -- or at least I don't know how to do it. What would be the easiest way to have our file properly encrypted while it rests in git, but available when running ansible-playbook
?
What I have already tried without success:
- Encoding the binary file in base64, storing the encoded data in a variable and using the template module with
{{base64_data | b64decode}}
. Leads to lots ofEF BF BD
in hex dump of the resulting file. The three bytes encode the Unicode replacement character in UTF-8, so there is an issue with interpreting the binary data as text. - Encoding the binary file in base64, storing the encoded data in a variable and using the copy module with
content="{{base64_data | b64decode}}"
. Ansible complains with "A variable inserted a new parameter into the module args." When using single quotes instead of double quotes, Ansible complains with "error parsing argument string", and a copy of all the binary data, dumped to the terminal...
You can use a shell command with a base64 variable to do that.
- vars:
- myvar: "<my_base64_var>"
- name: Create binary file
shell: "echo '{{myvar}}' | base64 -d > /var/tmp/binary.dat"
Eric
The way we do that for our ansible setup is:
-We encrypt individual sensitive material (a small subset of our repository ) using https://www.agwa.name/projects/git-crypt/ -We all always commit using git sign tags -We periodically check if there are any unsigned files
The advantage of git-crypt is that as it relies on git filters, the encryption is transparent. Plus you can give access to the repository to developers without compromising encrypted content (it will ignore encrypted files if no decryption key can be obtained ).