How to encrypt binary files in Ansible?

We are using Ansible Vault to store passwords, private keys for certificates etc. in our Ansible Playbook git repository. All of our existing private data is in text form, so we can store it in variables. These are then used in templates or with the content parameter of the copy module.

Now, we have a Java KeyStore file, which sadly has a binary format. As such, it cannot be stored inside a variable -- or at least I don't know how to do it. What would be the easiest way to have our file properly encrypted while it rests in git, but available when running ansible-playbook?

What I have already tried without success:

  • Encoding the binary file in base64, storing the encoded data in a variable and using the template module with {{base64_data | b64decode}}. Leads to lots of EF BF BD in hex dump of the resulting file. The three bytes encode the Unicode replacement character in UTF-8, so there is an issue with interpreting the binary data as text.
  • Encoding the binary file in base64, storing the encoded data in a variable and using the copy module with content="{{base64_data | b64decode}}". Ansible complains with "A variable inserted a new parameter into the module args." When using single quotes instead of double quotes, Ansible complains with "error parsing argument string", and a copy of all the binary data, dumped to the terminal...

You can use a shell command with a base64 variable to do that.

- hosts: all
  vars:
    # the base64-encoded content of the binary file (keep this in a vault-encrypted vars file)
    myvar: "<my_base64_var>"
  tasks:
    - name: Create binary file
      shell: "echo '{{ myvar }}' | base64 -d > /var/tmp/binary.dat"

Eric
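As an added example (not part of the answer above), the following POSIX shell script shows the two halves of the base64 approach outside of Ansible: producing the one-line base64 YAML variable that you would then protect with ansible-vault, and checking that the `base64 -d` step used in the task reproduces the original bytes exactly. The variable name `keystore_b64`, the file names and the sample bytes are constructed for the example; it assumes `base64(1)`, `sed(1)` and `cmp(1)` are available.

```shell
#!/bin/sh
# Added example, not from the original answer.
# Turns a binary file into a base64 YAML variable and verifies the round trip.

# encode_to_vars FILE VARNAME -> prints "VARNAME: \"<base64>\"" on one line.
encode_to_vars() {
    file="$1"; var="$2"
    # base64 wraps its output by default; drop the newlines so the YAML value
    # is a single scalar that survives {{ var }} substitution unchanged.
    printf '%s: "%s"\n' "$var" "$(base64 < "$file" | tr -d '\n')"
}

# decode_from_vars VARSFILE VARNAME OUTFILE -> rebuilds the binary file.
# Returns non-zero if the variable is missing from the vars file.
decode_from_vars() {
    varsfile="$1"; var="$2"; out="$3"
    value=$(sed -n "s/^$var: \"\(.*\)\"$/\1/p" "$varsfile")
    [ -n "$value" ] || return 1
    # Same decode step as the task's shell command, redirected to a file so the
    # bytes never pass through a text/UTF-8 layer.
    printf '%s' "$value" | base64 -d > "$out"
}

# roundtrip_ok FILE -> 0 when encode + decode yields a byte-identical copy.
roundtrip_ok() {
    src="$1"
    tmp=$(mktemp -d)
    encode_to_vars "$src" keystore_b64 > "$tmp/vars.yml"
    if decode_from_vars "$tmp/vars.yml" keystore_b64 "$tmp/out.bin" \
        && cmp -s "$src" "$tmp/out.bin"; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$tmp"
    return $rc
}

# make_sample OUTFILE -> writes a constructed "keystore": bytes 0xFE 0xFF and
# a NUL that are not valid UTF-8, i.e. exactly the content a text template
# would replace with EF BF BD.
make_sample() {
    printf '\376\377\000JKS\001\002\003' > "$1"
}

# Usage: generate the vars file for a real keystore, then vault-encrypt it:
#   encode_to_vars keystore.jks keystore_b64 > group_vars/all/keystore.yml
#   ansible-vault encrypt group_vars/all/keystore.yml
```

The round-trip check is the part worth keeping in a pre-commit hook: it catches a keystore that was accidentally copied through a text editor or a template before it reaches the repository.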


The way we do that for our ansible setup is:

  • We encrypt individual sensitive material (a small subset of our repository) using https://www.agwa.name/projects/git-crypt/
  • We all always commit using signed git tags
  • We periodically check if there are any unsigned files

The advantage of git-crypt is that as it relies on git filters, the encryption is transparent. Plus you can give access to the repository to developers without compromising encrypted content (it will ignore encrypted files if no decryption key can be obtained).