top of page
Search

Ansible Vault for Windows

Updated: 7 days ago

Welcome Back

Hey there! Glad to have you back for the second Ansible article. This time around, we're diving into Ansible Vault and how to keep those Microsoft Windows passwords safe by encrypting them whilst they are at rest.


If you missed out on the last article regarding the setup of Ansible and handling some basic tasks on a non-domain joined Windows Server, make sure to catch up on that first, by following this link.



What is Ansible Vault

Ansible Vault is a feature that allows users to encrypt sensitive information, such as passwords and secret keys, within Ansible playbooks and files. This encryption ensures that the secrets are secure while they are at rest.


To encrypt a secret, you simply use the "ansible-vault encrypt" command followed by the name of the file or "ansible-vault encrypt_string 'Secret'" followed by the name to be assigned to the secret. You'll then be prompted to enter and confirm a password or passphrase. Once encrypted, the secret is stored in a format that is unreadable without the decryption key, providing a secure way to protect sensitive information within Ansible projects.


Ansible Vault uses AES symmetric encryption by using the same password or passphrase for both encryption and decryption.


Basic Commands

Below are a few fundamental commands for utilizing Ansible Vault:


Create an encrypted file

ansible-vault create newFile.yml

 

Encrypt an existing file

ansible-vault encrypt existingFile.yml

 

View encrypted content of a file

anisble-vault view existingFile.yml

 

Edit the encrypted file

ansible-vault edit existingFile.yml

 

Decrypt an encrypted file

ansible-vault decrypt existingFile.yml

 

Change the password that encrypts\decrypts the secret (Rekeying)

ansible-vault rekey existingFile.yml


Create an encrypted string

ansible-vault encrypt_string 'ChangeMe1234' --name ansible_password


Help Yourselves....

A working set of files deploying ansible-vault with encrypted secrets can be found at the following link, do help yourselves.



Set Nano as the Default Editor

To avoid ansible-vault opening new files with vi, let's designate Nano as the default editor.


Type 'select-editor' and then choose option 1


Let's prove it works before Encrypting

I won't immediately introduce encrypted passwords into the mix. Instead, we'll set up and test the files using plain text passwords. Later, I'll encrypt them, this will aid in troubleshooting.


Ansible Jinja2 is a templating engine used to create dynamic content within Ansible playbooks. It allows for the use of variables, conditionals, loops, and filters to customize configurations based on the environment or data. The ansible_password="{{vault_ansible_password}}" is one such example and it's used in the hosts.ini file and resolves to the values in win.yml.


If you have been following, Visual Code for Linux is installed, if not nano will suffice. First, navigate to the Ansible directory previously creating under the Documents directory and execute the following command:


mkdir win-encrypt


Change Directory (cd win-encrypt) into the directory and create the following 3 files, hosts.ini, ping.yml and win.yml. This will provide a simple ping test to the Windows Server on 10.1.1.1 with the Administrator account and a password of 'ChangeMe1234'.


Ensure that 'ping.yml' adheres to the Yaml framework or a whole world of pain and 'why aren't you working' will ensue.


The "no_log: true" parameter in Ansible is used to prevent sensitive data, such as passwords or API keys, from being displayed in the console output or logged to files. Including this now will make life difficult, waiting until your fully working.


hosts.ini

[win]

10.1.1.1

[win:vars]

ansible_user=administrator

ansible_connection=winrm

ansible_password="{{vault_ansible_password}}"

ansible_winrm_scheme=https

ansible_port=5986

ansible_winrm_server_cert_validation=ignore

ansible_kerberos_delegation=false


ping.yml

--- - name: Ping win Test hosts: win gather_facts: false vars_files: - win.yml tasks: - name: Ping targets win_ping:

no_log: True


win.yml

vault_ansible_password: ChangeMe1234


Execute the following command to test the use of the clear text password:

ansible-playbook -i hosts.ini ping.yml


Let's get it Encrypted

Once we've confirmed the clear text password works, we can proceed to encrypt the win.yml file using the following command.

ansible-vault encrypt win.yml


Enter the password used for encrypting the file, I'm using the ultra-secure 'Password1234'. In production don't do this.....


Confirm the win.yml is encrypted with 'cat win.yml'. It should look something like the image below.


Type the following command to test accessing Windows using the encrypted vault file:

ansible-playbook -i host.ini ping.yml --ask-vault-pass


Enter the password 'Password1234' at the prompt.


Alternative Method to Encrypt the Password

Another way to encrypt the password is by utilizing the encrypt-string option.


Type the following command directing the output to winString.yml

ansible-vault encrypt-string 'ChangeMe1234' --name vault_ansible_password > winString.yml


I then renamed the existing win.yml and then renamed winString.yml to win.yml using the mv command.


This is a Bad Idea.......

Once we've secured the Windows passwords and grown weary of the password prompts or the playbooks are to be scheduled, we'll embed the ansible-vault password into a plaintext file, undoing our previous efforts. I've rooted enough Linux boxes to know this is a bad idea. However, today is all about encrypting the Windows passwords whilst at rest.


Vault Password File

Here we go, create a file named 'key' in the root of the Ansible directory and enter the vault password of 'Password1234':


nano ../key


Secure the key file to allow the owner Read and Write access.

chmod 600 ../key


Execute the playbook swapping out --ask-vault-pass for --vault-password-file ../key.

ansible-playbook -i host.ini ping.yml --vault-password-file ../key


Alternatively, if you prefer not to use --vault-password-file, create an ansible.cfg file within the win-encrypt directory using Nano, and input the following details.


Run the playbook again without the vault password or by specifying the file location.


Final Thoughts

That wraps up this guide on employing ansible vault to secure Windows passwords while they're at rest.


While Ansible Vault effectively secures Windows passwords, its effectiveness is compromised by storing the vault password in plain text. Despite its encryption capabilities, this vulnerability underscores the importance of implementing additional security measures to safeguard sensitive information effectively or another product in addition to ansible vault to manage secrets. Maybe that should be the aim of the next article, it's that or ansible managing domain computers with Kerberos. Drop a comment and let me know?


Thank you for taking the time to read this article, your feedback, comments, and shares are immensely valued and deeply appreciated.























71 views0 comments

Recent Posts

See All

Commentaires

Noté 0 étoile sur 5.
Pas encore de note

Ajouter une note
bottom of page