"and other members in the community, as well as Ansible's leader Michael DeHaan, had agreed with that"
I am really not happy with the tone here.

ansible-vault was designed from the result of lots of threads about this, as well as making it as simple and usable as it could possibly be. If it doesn't fit *your* specific needs, that's unfortunate, but I'm also exceptionally happy with the simplicity and interface of this design. It certainly wasn't done to slight anyone, and I think everyone does need to understand how hard it is to balance the needs of a half million different Ansible users and make everyone 100% happy. Vault is a great addition, and if this doesn't work for someone, they can *still* write a lookup plugin to do something different. That's a primary reason that ansible is pluggable.

On Thu, Feb 20, 2014 at 9:58 AM, Petros Moisiadis <[email protected]> wrote:

> On 02/19/14 20:20, James Tanner wrote:
> > We just merged a new feature called "Ansible Vault" to devel (1.5).
> > Please read through Michael DeHaan's blog post about the tools for
> > basic usage:
> >
> > http://blog.ansibleworks.com/2014/02/19/ansible-vault/
> >
> > Follow the typical bug reporting process for any issues you may find.
> >
> > Other notes:
> >
> > 1) The default encryption cipher is AES, but the framework is
> > "pluggable" to encourage community contribution for other cipher methods.
> >
> > 2) All files used for a single playbook must be encrypted with the
> > same password.
> >
> >
> > Please test away!
> >
> > --
> > You received this message because you are subscribed to the Google
> > Groups "Ansible Project" group.
> > To unsubscribe from this group and stop receiving emails from it, send
> > an email to [email protected].
> > To post to this group, send email to [email protected].
> > For more options, visit https://groups.google.com/groups/opt_out.
>
> In previous discussions in this list around the problem that
> ansible-vault is trying to solve, I had demonstrated the need of an
> interface that does encryption at a variable value level (like having a
> leaf-node-only YAML encryptor/decryptor to use Michael's term) and other
> members in the community, as well as Ansible's leader Michael DeHaan,
> had agreed with that. The use case for such an interface is quite
> standard: You want to commit your Ansible stuff to your revision control
> system and keep your sensitive data secret *without* destroying the
> readability of your data structure (Ansible is all about data) and
> *without* losing the ability to review and audit changes (a must in
> many security-sensitive environments). Looking at how ansible-vault has
> actually been implemented, it seems that the whole discussion around
> that requirement was not considered at all, and, instead, files are
> encrypted as a whole. What was the reason for that decision?
>
> It is surely an important step forward to have an official approach to
> encryption of Ansible's data, but it is IMHO disappointing the fact that
> community feedback was not taken into account.
