From a0b2fe453a039c8ce412c471753e7389af6920d1 Mon Sep 17 00:00:00 2001 From: Christian Pointner Date: Sat, 8 Dec 2018 20:36:24 +0100 Subject: vault readme is outdated --- README_vault.md | 118 -------------------------------------------------------- 1 file changed, 118 deletions(-) delete mode 100644 README_vault.md (limited to 'README_vault.md') diff --git a/README_vault.md b/README_vault.md deleted file mode 100644 index c930a1da..00000000 --- a/README_vault.md +++ /dev/null 
@@ -1,118 +0,0 @@ -Secrets and Vaults -================== - -All secrets are stored inside encrypted ansible vault files which live in -`host_vars`, `group_vars` or inside the `secrets` directory. -Access to the vault files is controlled via GPG keys. Anybody who uses this -ansible repository needs to have a GPG key. - - -Creating a GPG key ------------------- - -You can use the following command to generate a new GPG key: - -``` -# gpg2 --full-gen-key - - select "RSA and RSA" as kind (should be option: 1) - - set keysize to: 4096 - - set key expiration to: 2y - - set Real name and eMail address - - set a passphrase for the key (please use a strong passphrase!!!) -``` - -This command prints the fingerprint and other information about the newly -generated key. In the line starting with pub you can find the key ID. This -ID can be used to uniquely identify your key. Here is a sample output: - -``` -pub rsa4096/0x1234567812345678 2017-01-01 [SC] [expires: 2019-01-01] - Key fingerprint = 1234 5678 1234 5678 1234 5678 1234 5678 1234 5678 -uid [ unknown] Firstname Lastname -sub rsa4096/0x8765432187654321 2017-01-01 [E] [expires: 2019-01-01] -``` - -The key ID is the hexadecimal number next to ```rsa4096/``` in the line -starting with ```pub``` (not ```sub```). In this case the key ID is: ```0x1234567812345678``` - -In order to add your key to the list of keys which can read the ansible vault -you first need to export the public part of your key using the following -command: - -``` -# gpg2 --armor --export "" > mykey.asc -``` - - - -Adding a key to the Vault -------------------------- - -Everybody who currently has access to the vault can add keys using the -following command: - -``` -# gpg/add-keys.sh mykey.asc -``` - -This will add the new key to the keyring stored inside the repository and -re-encrypt the secret to unlock the vault for all keys inside the keyring. 
- - - -Removing a key from the Vault ------------------------------ - -Everybody who currently has access to the vault can remove keys using the -following command: - -``` -# gpg/remove-keys.sh "" -``` - -This will remove the key from the keyring stored inside the repository and -re-encrypt the secret to unlock the vault for all remaining keys inside the -keyring. - -You can find out the key ID using the command: - -``` -# gpg/list-keys.sh -``` - -Here is an example output: - -``` -pub rsa4096/0x1234567812345678 2017-01-01 [SC] [expires: 2019-01-01] - Key fingerprint = 1234 5678 1234 5678 1234 5678 1234 5678 1234 5678 -uid [ unknown] Firstname Lastname -sub rsa4096/0x8765432187654321 2017-01-01 [E] [expires: 2019-01-01] -``` - -The key ID is the hexadecimal number next to ```rsa4096/``` in the line -starting with ```pub``` (not ```sub```). In this case the key ID is: ```0x1234567812345678``` - - - -Working with Vault files ------------------------- - - * create new vault: - ``` - # ansible-vault create host_vars/foo/vault.yml - ``` - This will open up an editor which allows you to add variables. Once you - store and close the file the content is automatically encrypted. - - * edit a vault file: - ``` - # ansible-vault edit group_vars/foo/vault.yml - ``` - This will open up an editor which allows you to add/remove/change variables. - Once you store and close the file the content is automatically encrypted. - - * show the contents of a vault file: - ``` - # ansible-vault view secrets/foo.vault.yml - ``` - This will automatically decrypt the file and print it's contents. -- cgit v1.2.3
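Review bot: Deleting README_vault.md outright, with only "vault readme is outdated" as justification, removes the sole documentation of the repository's key-management workflow (gpg/add-keys.sh, gpg/remove-keys.sh, gpg/list-keys.sh, and the ansible-vault create/edit/view usage on host_vars, group_vars and secrets) without pointing at what replaces it. Either the commit message or a remaining README should name the current procedure for granting and revoking vault access, since anyone who later needs to revoke a key will otherwise have no record that re-encrypting for the remaining keyring members is part of the step. The key-hygiene guidance in the removed text (4096-bit RSA, a two-year expiry, a strong passphrase, and reading the key ID from the `pub` line rather than the `sub` line) is still valid and worth carrying over to wherever the replacement documentation lives rather than dropping with the file.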