How to encrypt binary files in Ansible

ansible

We are using Ansible Vault to store passwords, private keys for certificates etc. in our Ansible Playbook git repository. All of our existing private data is in text form, so we can store it in variables. These are then used in templates or with the content parameter of the copy module.

Now, we have a Java KeyStore file, which sadly has a binary format. As such, it cannot be stored inside a variable — or at least I don't know how to do it. What would be the easiest way to have our file properly encrypted while it rests in git, but available when running ansible-playbook?

What I have already tried without success:

Encoding the binary file in base64, storing the encoded data in a variable and using the template module with {{base64_data | b64decode}}. Leads to lots of EF BF BD in hex dump of the resulting file. The three bytes encode the Unicode replacement character in UTF-8, so there is an issue with interpreting the binary data as text.
Encoding the binary file in base64, storing the encoded data in a variable and using the copy module with content="{{base64_data | b64decode}}". Ansible complains with "A variable inserted a new parameter into the module args." When using single quotes instead of double quotes, Ansible complains with "error parsing argument string", and a copy of all the binary data, dumped to the terminal…

Best Answer

You can use a shell command with a base64 variable to do that.

- vars:
  - myvar: "<my_base64_var>"
- name: Create binary file
  shell: "echo '{{myvar}}' | base64 -d > /var/tmp/binary.dat"

Eric

Related Solutions

How to check the JSON response from a uri request with Ansible

You need to use a jinja2 filter (http://docs.ansible.com/ansible/playbooks_filters.html). In this case, the name of the filter is from_json. In the following example I'll take an action when the key is found and other action when the could not be found:

 ---                                                                                                            

 - hosts: somehost                                                                                               
   sudo: yes                                                                                                    

   tasks:                                                                                                       

   - name: Get JSON from the Interwebs                                                                          
     uri: url="https://raw.githubusercontent.com/ljharb/node-json-file/master/package.json" return_content=yes  
     register: json_response                                                                                    

   - debug: msg="Error - undefined tag"                                                                         
     when: json_response["non_existent_tag"] is not defined                                                     

   - debug: msg="Success - tag defined =>{{  (json_response.content|from_json)['scripts']['test'] }}<="  
     when:  (json_response.content|from_json)['scripts']['test']  is defined

Now replace the debug for the appropriate to take the desired action.

Hope it helps,

Ansible git pull without storing the password on the server

Is there a way to set the password from ansible for the time of the playbook run, but not to store it on the server?

The ansible git module doesn't currently have a way to specify the password be ephemeral, i.e. to ensure it is erased from the .git directory after the upstream repository has been cloned.

You could "hack" this by invoking the command module after the invocation of the git module to remove the upstream remote from the repository configuration, which will obviously remove any secrets. This does mean the secret is temporarily stored on the host during the pull operation -- this may not be suitable depending upon the threat model you are working under.

A better way?

These scenarios are where SSH key authentication comes to the fore, per EEAA's comment. If you can authenticate to your git upstream using SSH, you can use SSH agent forwarding in your Ansible session to pass your SSH agent from the control host through to the target server.

This is a robust method of credential sharing which only survives for the duration of the session, so the long-term risks of secrets being left on the remote host are minimised.

Related Topic