On 02/19/14 20:20, James Tanner wrote:
> We just merged a new feature called "Ansible Vault" to devel (1.5).
> Please read through Michael DeHaan's blog post about the tools for
> basic usage:
>
> http://blog.ansibleworks.com/2014/02/19/ansible-vault/
>
> Follow the typical bug reporting process for any issues you may find.
>
> Other notes:
>
> 1) The default encryption cipher is AES, but the framework is
> "pluggable" to encourage community contribution for other cipher methods.
>
> 2) All files used for a single playbook must be encrypted with the
> same password.
>
>
> Please test away!
>
> --
> You received this message because you are subscribed to the Google
> Groups "Ansible Project" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to [email protected].
> To post to this group, send email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.

In previous discussions on this list around the problem that ansible-vault is trying to solve, I had demonstrated the need for an interface that does encryption at a variable value level (like having a leaf-node-only YAML encryptor/decryptor, to use Michael's term), and other members of the community, as well as Ansible's leader Michael DeHaan, had agreed with that.

The use case for such an interface is quite standard: You want to commit your Ansible stuff to your revision control system and keep your sensitive data secret *without* destroying the readability of your data structure (Ansible is all about data) and *without* losing the ability to review and audit changes (a must in many security-sensitive environments).

Looking at how ansible-vault has actually been implemented, it seems that the whole discussion around that requirement was not considered at all, and, instead, files are encrypted as a whole. What was the reason for that decision?

It is surely an important step forward to have an official approach to encryption of Ansible's data, but it is IMHO disappointing that community feedback was not taken into account.
