ansible-community/ara

Plain content of ansible-vault encrypted files is stored

copyrights opened this issue · 5 comments

What is the issue ?

The plain content of ansible-vault encrypted files is stored in the "Files" section.


example playbook

---
- name: Example ansible-vault
  hosts: localhost
  vars_files:
    - some_secrets.yml
  tasks:
    - debug:

example some_secrets.yml (pw: 123456)

$ANSIBLE_VAULT;1.1;AES256
66316434626265653066343439613138356131666164656438313135613333626165366533643437
6234313765393261333233663366323466333162393164620a393165613731353463373261616435
66636636376335613934666561653366363237396532323365633764393333613966383936353532
3862366239373032640a376435666530343030393166366238333532616637366566623262663034
39613535663961396139626463656335383331383034393630653632613864663063

What should be happening ?

Plain content of ansible-vault encrypted files shall not be stored.

Hi @copyrights and thanks for the issue o/

The feature didn't always exist, but it was in fact one of the first issues in the repo, if you're curious.

You can tune the ara callback to not pick up files based on patterns (see ARA_IGNORED_FILES in the documentation), but I realize that it could be better documented, so I'd like to keep the issue open as a reminder to improve that.

Edit: to be clear, running export ARA_IGNORED_FILES=.ansible/tmp prevents the cleartext files from being recorded -- they are still accounted for, but their contents are blanked out. It might make sense to include that path in the default ignored paths.

I was thinking about this, and something to ponder on is that if the ansible-vault files always contain the same standardized header ($ANSIBLE_VAULT;1.1;AES256), it could be possible to automatically filter them since they declare a file type:

# this, but in python
> /usr/bin/file test.vault
test.vault: Ansible Vault, version 1.1, encryption AES256

Inline variables in standard plain-text yaml files would be trickier (ara doesn't currently do any parsing of the files), but they look like this:

username: ara
password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          33333265346262343433656562396663383138626161306466333165613336396330613263653737
          3465373463316665653031613163646233306163653330360a313361633034366531353963616138
          36623864316164343961333434326635383065326465323937336532643236663461663330656537
          3838323762646434380a623731356662326337623537313666363261366134363332646437616233
          3866
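The two ideas in the maintainer's comments above (blanking files whose path matches ARA_IGNORED_FILES, and sniffing the ansible-vault envelope to filter vault files and `!vault |` inline variables automatically) can be combined into one pre-record filter. The following is an added example written for this page, not ara's own callback code. It assumes that ARA_IGNORED_FILES is a comma-separated list of path fragments matched as substrings (ara's real matching logic may differ), that the envelope follows the `$ANSIBLE_VAULT;<version>;<cipher>[;<vault-id>]` layout, and that a line scanner is acceptable in place of YAML parsing. The sample file contents at the bottom are constructed for the demo; the decrypted copy under `.ansible/tmp` is the case the thread is actually about, since the ciphertext itself is not the secret.

```python
"""Pre-record filter for ara-style file capture (added example, not ara code).

Decides whether a file's contents should be stored or blanked out, based on
(1) an ARA_IGNORED_FILES-style path pattern list and (2) content sniffing for
the ansible-vault envelope, both whole-file and inline `!vault |` variables.
"""
import os
import re

# Envelope written by ansible-vault, e.g. "$ANSIBLE_VAULT;1.1;AES256" or
# "$ANSIBLE_VAULT;1.2;AES256;dev" (format 1.2 appends the vault id label).
VAULT_HEADER_RE = re.compile(
    r"^\$ANSIBLE_VAULT;(?P<version>\d+\.\d+);(?P<cipher>[A-Z0-9]+)"
    r"(?:;(?P<vault_id>\S+))?\s*$"
)

# "key: !vault |" introducing an inline block scalar.
INLINE_VAULT_RE = re.compile(r"^\s*(?P<key>[^\s:#][^:]*):\s*!vault\s*\|\s*$")

# The path the thread recommends ignoring by default (decrypted temp copies).
DEFAULT_IGNORED = (".ansible/tmp",)


def parse_ignored_files(env_value, defaults=DEFAULT_IGNORED):
    """Turn an ARA_IGNORED_FILES-style string into a de-duplicated tuple."""
    patterns = [p.strip() for p in (env_value or "").split(",") if p.strip()]
    return tuple(dict.fromkeys(list(defaults) + patterns))


def is_ignored_path(path, patterns):
    """Substring match; assumed to approximate ara's behaviour, not verified."""
    return any(p in path for p in patterns)


def vault_header(line):
    """Return (version, cipher, vault_id) if line is a vault envelope, else None."""
    m = VAULT_HEADER_RE.match(line.strip())
    if not m:
        return None
    return m.group("version"), m.group("cipher"), m.group("vault_id")


def is_vault_file(content):
    """Whole-file vault: the first non-blank line is the envelope header."""
    for line in content.splitlines():
        if line.strip():
            return vault_header(line) is not None
    return False


def inline_vault_variables(content):
    """Keys whose value is a `!vault |` block followed by an envelope line.

    This is a line scanner, not a YAML parser, so it only recognises the
    common `key: !vault |` form shown in the thread.
    """
    names = []
    lines = content.splitlines()
    for i, line in enumerate(lines):
        m = INLINE_VAULT_RE.match(line)
        if not m:
            continue
        for nxt in lines[i + 1:]:          # envelope must be next non-blank line
            if nxt.strip():
                if vault_header(nxt):
                    names.append(m.group("key").strip())
                break
    return names


def sanitize_file_record(path, content, ignored_patterns):
    """Decide what to store for a file: its content or an empty string."""
    reasons = []
    if is_ignored_path(path, ignored_patterns):
        reasons.append("path matches ARA_IGNORED_FILES")
    if is_vault_file(content):
        reasons.append("whole-file ansible-vault")
    inline = inline_vault_variables(content)
    if inline:
        reasons.append("inline !vault variables: " + ", ".join(inline))
    return {"path": path, "content": "" if reasons else content,
            "redacted": bool(reasons), "reasons": reasons}


# Constructed samples for the demo (not captured from a real run).
SAMPLE_VAULT = "$ANSIBLE_VAULT;1.1;AES256\n6631643462626565306634343961313835\n"
SAMPLE_INLINE = ("username: ara\npassword: !vault |\n"
                 "          $ANSIBLE_VAULT;1.1;AES256\n"
                 "          3333326534626234343365656239666338\n")
SAMPLE_PLAIN = "---\n- name: Example\n  hosts: localhost\n"
SAMPLE_TMP_PATH = "/home/user/.ansible/tmp/ansible-local-1234/tmpabcd"  # assumed
SAMPLE_TMP_CONTENT = "db_password: hunter2\n"      # decrypted copy, constructed

if __name__ == "__main__":
    patterns = parse_ignored_files(os.environ.get("ARA_IGNORED_FILES"))
    for p, c in [("/srv/some_secrets.yml", SAMPLE_VAULT),
                 ("/srv/vars.yml", SAMPLE_INLINE),
                 ("/srv/playbook.yml", SAMPLE_PLAIN),
                 (SAMPLE_TMP_PATH, SAMPLE_TMP_CONTENT)]:
        print(sanitize_file_record(p, c, patterns))
```

Blanking a file because it contains inline `!vault` values also drops its plaintext variables, which is the trade-off the maintainer alludes to; the temp-directory rule is the one that actually stops decrypted material from being recorded.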

bcoca commented

Vaulted files are not the problem, it is the 'unvaulted versions', and not just 'vars files'; many plugins support vaults/unvaults and, like the vars manager, create them in a temp dir for internal usage (which is why it has such restrictive permissions and we ensure wiping when ansible ends).

I've sent a PR to improve the docs, filter out ~/.ansible/tmp by default and add integration tests: #386

It'll be in the next release of ara but in the meantime you can add .ansible/tmp to ARA_IGNORED_FILES.

PR #386 that excludes ~/.ansible/tmp by default, adds missing documentation and improves testing coverage was merged. Although there is no ETA yet, it'll land in the next version of ara.

Thanks again for the issue @copyrights.