saltyorg / Saltbox

Ansible-based solution for rapidly deploying a Docker containerized cloud media server.
https://docs.saltbox.dev
GNU General Public License v3.0

Ability to hash plaintext passwords in accounts.yml #121

Closed cbert-admin closed 1 year ago

cbert-admin commented 1 year ago

Currently both sudo user and Plex passwords are stored in plaintext. Being able to hash these in some form would be a nice little bump up in security on this.

saltydk commented 1 year ago

I am not seeing a good way to do this, as we will need the actual password (and not the hash) for roles. While we could avoid having passwords in accounts.yml and prompt for them during role execution, there are still apps that do not hash the passwords and store them in plain text in the opt folder. So unless we decide to ban apps that do this, there seems to be little point to doing this.

The password prompt option would break unattended use of backup, so I am not really loving that solution. If you have any suggestions, then feel free to reopen this with a suggested solution, but the one we had in Cloudbox with ansible-vault and just storing the vault password on the box anyway is not security but obscurity.