Welcome Back
Hey there! Glad to have you back for the second Ansible article. This time around, we're diving into Ansible Vault and how to keep those Microsoft Windows passwords safe by encrypting them whilst they are at rest.
If you missed out on the last article regarding the setup of Ansible and handling some basic tasks on a non-domain joined Windows Server, make sure to catch up on that first, by following this link.
What is Ansible Vault
Ansible Vault is a feature that allows users to encrypt sensitive information, such as passwords and secret keys, within Ansible playbooks and files. This encryption ensures that the secrets are secure while they are at rest.
To encrypt a secret, you simply use the "ansible-vault encrypt" command followed by the name of the file or "ansible-vault encrypt_string 'Secret'" followed by the name to be assigned to the secret. You'll then be prompted to enter and confirm a password or passphrase. Once encrypted, the secret is stored in a format that is unreadable without the decryption key, providing a secure way to protect sensitive information within Ansible projects.
Ansible Vault uses AES symmetric encryption by using the same password or passphrase for both encryption and decryption.
Basic Commands
Below are a few fundamental commands for utilizing Ansible Vault:
Create an encrypted file
ansible-vault create newFile.yml
Encrypt an existing file
ansible-vault encrypt existingFile.yml
View encrypted content of a file
anisble-vault view existingFile.yml
Edit the encrypted file
ansible-vault edit existingFile.yml
Decrypt an encrypted file
ansible-vault decrypt existingFile.yml
Change the password that encrypts\decrypts the secret (Rekeying)
ansible-vault rekey existingFile.yml
Create an encrypted string
ansible-vault encrypt_string 'ChangeMe1234' --name ansible_password
Help Yourselves....
A working set of files deploying ansible-vault with encrypted secrets can be found at the following link, do help yourselves.
Set Nano as the Default Editor
To avoid ansible-vault opening new files with vi, let's designate Nano as the default editor.
Type 'select-editor' and then choose option 1
Let's prove it works before Encrypting
I won't immediately introduce encrypted passwords into the mix. Instead, we'll set up and test the files using plain text passwords. Later, I'll encrypt them, this will aid in troubleshooting.
Ansible Jinja2 is a templating engine used to create dynamic content within Ansible playbooks. It allows for the use of variables, conditionals, loops, and filters to customize configurations based on the environment or data. The ansible_password="{{vault_ansible_password}}" is one such example and it's used in the hosts.ini file and resolves to the values in win.yml.
If you have been following, Visual Code for Linux is installed, if not nano will suffice. First, navigate to the Ansible directory previously creating under the Documents directory and execute the following command:
mkdir win-encrypt
Change Directory (cd win-encrypt) into the directory and create the following 3 files, hosts.ini, ping.yml and win.yml. This will provide a simple ping test to the Windows Server on 10.1.1.1 with the Administrator account and a password of 'ChangeMe1234'.
Ensure that 'ping.yml' adheres to the Yaml framework or a whole world of pain and 'why aren't you working' will ensue.
The "no_log: true" parameter in Ansible is used to prevent sensitive data, such as passwords or API keys, from being displayed in the console output or logged to files. Including this now will make life difficult, waiting until your fully working.
hosts.ini
[win]
10.1.1.1
[win:vars]
ansible_user=administrator
ansible_connection=winrm
ansible_password="{{vault_ansible_password}}"
ansible_winrm_scheme=https
ansible_port=5986
ansible_winrm_server_cert_validation=ignore
ansible_kerberos_delegation=false
ping.yml
--- - name: Ping win Test hosts: win gather_facts: false vars_files: - win.yml tasks: - name: Ping targets win_ping:
no_log: True
win.yml
vault_ansible_password: ChangeMe1234
Execute the following command to test the use of the clear text password:
ansible-playbook -i hosts.ini ping.yml
Let's get it Encrypted
Once we've confirmed the clear text password works, we can proceed to encrypt the win.yml file using the following command.
ansible-vault encrypt win.yml
Enter the password used for encrypting the file, I'm using the ultra-secure 'Password1234'. In production don't do this.....
Confirm the win.yml is encrypted with 'cat win.yml'. It should look something like the image below.
Type the following command to test accessing Windows using the encrypted vault file:
ansible-playbook -i host.ini ping.yml --ask-vault-pass
Enter the password 'Password1234' at the prompt.
Alternative Method to Encrypt the Password
Another way to encrypt the password is by utilizing the encrypt-string option.
Type the following command directing the output to winString.yml
ansible-vault encrypt-string 'ChangeMe1234' --name vault_ansible_password > winString.yml
I then renamed the existing win.yml and then renamed winString.yml to win.yml using the mv command.
This is a Bad Idea.......
Once we've secured the Windows passwords and grown weary of the password prompts or the playbooks are to be scheduled, we'll embed the ansible-vault password into a plaintext file, undoing our previous efforts. I've rooted enough Linux boxes to know this is a bad idea. However, today is all about encrypting the Windows passwords whilst at rest.
Vault Password File
Here we go, create a file named 'key' in the root of the Ansible directory and enter the vault password of 'Password1234':
nano ../key
Secure the key file to allow the owner Read and Write access.
chmod 600 ../key
Execute the playbook swapping out --ask-vault-pass for --vault-password-file ../key.
ansible-playbook -i host.ini ping.yml --vault-password-file ../key
Alternatively, if you prefer not to use --vault-password-file, create an ansible.cfg file within the win-encrypt directory using Nano, and input the following details.
Run the playbook again without the vault password or by specifying the file location.
Final Thoughts
That wraps up this guide on employing ansible vault to secure Windows passwords while they're at rest.
While Ansible Vault effectively secures Windows passwords, its effectiveness is compromised by storing the vault password in plain text. Despite its encryption capabilities, this vulnerability underscores the importance of implementing additional security measures to safeguard sensitive information effectively or another product in addition to ansible vault to manage secrets. Maybe that should be the aim of the next article, it's that or ansible managing domain computers with Kerberos. Drop a comment and let me know?
Thank you for taking the time to read this article, your feedback, comments, and shares are immensely valued and deeply appreciated.