ystia / yorc

Ystia Orchestrator
https://ystia.github.io
Apache License 2.0

Use Ansible Vault to use connection credentials (passwords & private keys) #91

Open loicalbertin opened 6 years ago

loicalbertin commented 6 years ago

As: An ops
I want: to ensure that connection credentials are not left non-encrypted on disk
So that: I can relax and sleep this night

AC1: Limited to the ansible integration
AC2: reuse integration done within #90
AC3: the idea is to use ansible/ansible#22382 when implemented

Note another solution is to use ssh agent to store those keys (but it won't work with paramiko)

threewordphrase commented 5 years ago

Also relevant for other sensitive types of files frequently encountered in devops, like SSL Certs.

loicalbertin commented 5 years ago

> Also relevant for other sensitive types of files frequently encountered in devops, like SSL Certs.

Hi @crypticsymbols, you're right. But data like SSL certs and so on could already be handled using the get_secret TOSCA operation implemented in #90. By using this function your data will be retrieved from HashiCorp's Vault and then encrypted using Ansible's Vault on disk.

The thing is that SSH private keys used to connect to compute machines are special, as Ansible currently does not support using vault-encrypted key content. To work around this, we implemented a feature that uses the ssh-agent to keep keys in memory rather than writing them to disk (see #201).
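A check for the ops requirement stated in this issue, added here as an example (it is not Yorc code): it classifies files on disk as whole-file Ansible Vault envelopes, YAML vars whose `!vault` values carry the envelope, passphrase-protected private keys, or bare private keys, and lists the bare ones. The sample tree is constructed, and the `classify`, `scan`, `unprotected` and `demo` helpers are names chosen for this example.

```python
import re
import tempfile
from pathlib import Path

# Ansible Vault envelope header: "$ANSIBLE_VAULT;<format version>;AES256[;<vault-id label>]".
VAULT_HEADER = re.compile(r"^\$ANSIBLE_VAULT;1\.[12];AES256(?:;[^;\s]+)?$")
# PEM markers of the private-key formats Ansible/paramiko read from disk.
KEY_MARKER = re.compile(r"-----BEGIN (?:RSA |DSA |EC |OPENSSH )?PRIVATE KEY-----")
# Markers that the key body itself is passphrase-protected (PKCS#8 or legacy PEM).
KEY_PASSPHRASE = re.compile(r"BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED")

def classify(text: str) -> str:
    """'vaulted' (whole-file envelope), 'vaulted-inline' (every YAML '!vault' value has the
    envelope), 'passphrase-key', 'plaintext-key' (what this issue wants off disk) or 'other'."""
    lines = [line.strip() for line in text.splitlines()]
    if lines and VAULT_HEADER.match(lines[0]):
        return "vaulted"
    if KEY_PASSPHRASE.search(text):
        return "passphrase-key"
    if KEY_MARKER.search(text):
        return "plaintext-key"
    # Inline vault: "name: !vault |" with the envelope header on the following line.
    tags = [i for i, line in enumerate(lines) if line.endswith("!vault |")]
    if tags and all(i + 1 < len(lines) and VAULT_HEADER.match(lines[i + 1]) for i in tags):
        return "vaulted-inline"
    return "other"

def scan(root: Path) -> dict:
    # Map every regular file under root (POSIX-style relative path) to its classification.
    return {p.relative_to(root).as_posix(): classify(p.read_text(errors="replace"))
            for p in sorted(root.rglob("*")) if p.is_file()}

def unprotected(root: Path) -> list:
    """Paths holding a bare private key, i.e. violating the requirement in this issue."""
    return [p for p, kind in scan(root).items() if kind == "plaintext-key"]

# Constructed sample tree (not real credentials): a vaulted vars file, a vaulted key, a bare key.
SAMPLES = {
    "group_vars/all.yml": "ansible_user: deploy\nansible_password: !vault |\n"
                          "  $ANSIBLE_VAULT;1.1;AES256\n  3634316466\n",
    "keys/prod.pem": "$ANSIBLE_VAULT;1.1;AES256\n3834323165\n",
    "keys/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXk=\n-----END OPENSSH PRIVATE KEY-----\n",
}

def demo() -> list:
    """Write SAMPLES into a temp dir, run the check and return the offending paths."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in SAMPLES.items():
            Path(tmp, rel).parent.mkdir(parents=True, exist_ok=True)
            Path(tmp, rel).write_text(body)
        return unprotected(Path(tmp))  # → ['keys/id_rsa']
```

Running `demo()` flags only the bare OpenSSH key; a key kept in ssh-agent memory, as in the workaround above, never appears in such a scan because it is never written to disk.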