author    Christian Pointner <equinox@spreadspace.org> 2018-04-21 23:34:02 +0200
committer Christian Pointner <equinox@spreadspace.org> 2018-04-21 23:34:02 +0200
commit    e4d82ed5c971dd29533cef5c5a3f2c7eff7e2ca4 (patch)
tree      060c3b4303dfe3f76a2757504df363b43f89a217 /README_vault.md
parent    rename all .yaml to .yml (diff)
cleanup
Diffstat (limited to 'README_vault.md')
-rw-r--r--  README_vault.md  35
1 file changed, 20 insertions, 15 deletions
diff --git a/README_vault.md b/README_vault.md
index 680a50d8..c930a1da 100644
--- a/README_vault.md
+++ b/README_vault.md
@@ -1,10 +1,14 @@
-All secrets are stored inside encrypted ansible vault files which live
-inside the secrets directory. Access to the vault files is controlled via
-GPG keys. Anybody who uses this ansible repository needs to have a GPG key.
+Secrets and Vaults
+==================
+
+All secrets are stored inside encrypted ansible vault files which live in
+`host_vars`, `group_vars` or inside the `secrets` directory.
+Access to the vault files is controlled via GPG keys. Anybody who uses this
+ansible repository needs to have a GPG key.
Creating a GPG key
-==================
+------------------
You can use the following command to generate a new GPG key:
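Review bot: the new introduction says access to the vault files "is controlled via GPG keys" but does not say how; one sentence here stating that the secret which unlocks the vault is kept GPG-encrypted to a keyring stored inside the repository (which is what the "Adding a key" section later relies on) would make the model clear before the reader is sent off to generate a key. It would also help to name the file convention used for encrypted files (the later examples use `vault.yml` under `host_vars`/`group_vars` and `*.vault.yml` under `secrets`) so a reader can tell which files in those directories are vaults.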
@@ -13,11 +17,11 @@ You can use the following command to generate a new GPG key:
- select "RSA and RSA" as kind (should be option: 1)
- set keysize to: 4096
- set key expiration to: 2y
- - set Real name and eMail adress
+ - set Real name and eMail address
- set a passphrase for the key (please use a strong passphrase!!!)
```
-This command prints the fingerprint and other inforamtion about the newly
+This command prints the fingerprint and other information about the newly
generated key. In the line starting with pub you can find the key ID. This
ID can be used to uniquely identify your key. Here is a sample output:
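Review bot: the typo fixes are fine, but the "set key expiration to: 2y" step still leaves its consequence undocumented: a key generated this way stops being usable after two years, and nothing in the README says to extend the expiry date and re-add the key to the vault keyring before that happens. A short sentence after the generation steps on what to do when the key expires would avoid lock-outs.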
@@ -40,8 +44,9 @@ command:
```
+
Adding a key to the Vault
-=========================
+-------------------------
Everybody who currently has access to the vault can add keys using the
following command:
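Review bot: "Everybody who currently has access to the vault can add keys" makes every vault member a trust anchor, so this section should tell the reader to verify the new key's fingerprint with its owner out of band before running the add command, and to commit the resulting keyring change so the other members pick it up.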
@@ -51,12 +56,12 @@ following command:
```
This will add the new key to the keyring stored inside the repository and
-reencrypt the secret to unlock the vault for all keys inside the keyring.
+re-encrypt the secret to unlock the vault for all keys inside the keyring.
Removing a key from the Vault
-=============================
+-----------------------------
Everybody who currently has access to the vault can remove keys using the
following command:
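Review bot: "re-encrypt the secret" (in the unchanged context of this hunk) is the first time the secret is mentioned by that name; say which file that is and where it lives, since a reader following this section will want to check the result, for example that the file was re-encrypted to the new recipient list.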
@@ -66,7 +71,7 @@ following command:
```
This will remove the key from the keyring stored inside the repository and
-reencrypt the secret to unlock the vault for all remaining keys inside the
+re-encrypt the secret to unlock the vault for all remaining keys inside the
keyring.
You can find out the key ID using the command:
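Review bot: the wording "re-encrypt the secret to unlock the vault for all remaining keys" implies the secret itself stays the same after a key is removed, so anyone who has already decrypted it (and the git history, which still holds the ciphertext of earlier versions encrypted to the removed key) can still open every vault. The section should state whether removal is expected to be followed by rotating the vault secret and re-keying the vault files (`ansible-vault rekey`), or say explicitly that removal only prevents access to secrets added afterwards.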
@@ -90,24 +95,24 @@ starting with ```pub``` (not ```sub```). In this case the key ID is: ```0x123456
Working with Vault files
-========================
+------------------------
* create new vault:
```
-# ansible-vault create group_vars/mygroup/vault.yml
+ # ansible-vault create host_vars/foo/vault.yml
```
This will open up an editor which allows you to add variables. Once you
store and close the file the content is automatically encrypted.
* edit a vault file:
```
-# ansible-vault edit group_vars/mygroup/vault.yml
+ # ansible-vault edit group_vars/foo/vault.yml
```
This will open up an editor which allows you to add/remove/change variables.
Once you store and close the file the content is automatically encrypted.
* show the contents of a vault file:
```
-# ansible-vault view group_vars/mygroup/vault.yml
+ # ansible-vault view secrets/foo.vault.yml
```
- This will automatially decrypt the file and print it's contents.
+ This will automatically decrypt the file and print it's contents.
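Review bot: "print it's contents" in the last line of the hunk should be "print its contents"; the spelling of "automatically" was fixed but this typo is carried over from the old line. Also, the commands are now indented but still carry a `#` prompt, which in most READMEs signals a root shell; `ansible-vault` needs no root privileges, so a `$` prompt (or no prompt at all) would be less misleading. Finally, the three example paths (`host_vars/foo/vault.yml`, `group_vars/foo/vault.yml`, `secrets/foo.vault.yml`) show two naming conventions without saying which applies where; one sentence on when to use `secrets/` versus a `vault.yml` next to the host or group vars would help.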