
dusanh | 1 year ago

We use Fernet[1] or Ansible vault[2] with the encrypted secrets committed to the code repositories, but I guess we can do that because the code is not public.

The rest we share over a secure, company-approved channel and save them into local KeePass-es (KeePassXC).

[1] https://docs.ansible.com/ansible/latest/vault_guide/index.ht...

[2] https://cryptography.io/en/latest/fernet/

indigodaddy | 1 year ago

Is the ansible vault password in the repo too?

Also, anytime I put an ansible vault secret into Bitbucket, I get a yelly email back from BB about “detected secreted in repo!”

So, general question: is this within security standards, or is it very bad and should one be using off-the-repo secret infra like HashiCorp Vault etc.? The downside there is that you have to manually update the secrets on the Hashi Vault side (e.g. they are not in code/repo), and you still have to have some visibility of the Hashi key in your CI/CD/code/Ansible in any case, right?

zelphirkalt | 1 year ago

Committing the passwords for decrypting Ansible vaults would render the encryption useless, and you should consider all secrets already in the vault compromised when committing and pushing the vault password. Makes for a couple of fun days, if it happens.

dusanh | 1 year ago

> Is the ansible vault password in the repo too?

No no, this is one of those secrets we share among the team and save to KeePass or whatever.