We recently had a user question in regard to this thread, and wanted to
add a quick update as I see we never followed up on this here on the
group/mailing list.

These concerns were addressed as part of this commit:

    commit 0d6f6ad282fd0d3fb581da9dcbafd33521eb67be
    Author: James Tanner <>
    Date:   Mon Mar 10 16:15:44 2014 -0500

        Implement new default cipher class AES256

Which addressed the primary concerns and recommendations listed above:

* AES256 is now the default cipher (rather than plain AES).
* PBKDF2 is now used for the hashing function, and errors are thrown if it's
  not available.
* The data is encrypted and then MAC'd, as recommended.

If anyone still has a Vault-encrypted file using the 1.0 format (doubtful,
since this was a year ago), they can use the rekey subcommand to rewrite
their files with the newer 1.1 format (which has been the default since the
above patch was merged). These files will have a first line which looks
like this:

    $ANSIBLE_VAULT;1.0;AES

Thanks!
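
Added example (not part of the original message and not Ansible's own code): a small scanner that reads the first line of each file under a directory and reports those still carrying the 1.0 header shown above. The function names are hypothetical and the sample files are constructed for the demonstration.

```python
import os
import tempfile

MAGIC = "$ANSIBLE_VAULT"  # header prefix quoted in the message above


def parse_vault_header(first_line):
    """Return (version, cipher) for a vault header line, or None otherwise."""
    parts = first_line.strip().split(";")
    if len(parts) < 3 or parts[0] != MAGIC:
        return None
    return parts[1], parts[2]


def find_legacy_vaults(root):
    """Walk root and return sorted paths whose header declares format 1.0."""
    legacy = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                # Only the first line matters; cap the read for large/binary files.
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    header = parse_vault_header(fh.readline(256))
            except OSError:
                continue  # unreadable file: nothing to report
            if header and header[0] == "1.0":
                legacy.append(path)
    return sorted(legacy)


def demo():
    """Build a constructed sample tree; return relative paths of 1.0 files."""
    samples = {  # constructed sample content, bodies are placeholders
        "group_vars/old.yml": "$ANSIBLE_VAULT;1.0;AES\n0000000000000000\n",
        "group_vars/new.yml": "$ANSIBLE_VAULT;1.1;AES256\n0000000000000000\n",
        "site.yml": "- hosts: all\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, text in samples.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(text)
        found = find_legacy_vaults(root)
        return [os.path.relpath(p, root).replace(os.sep, "/") for p in found]


if __name__ == "__main__":
    for rel in demo():
        print("legacy 1.0 vault file:", rel)
```

Files it reports are the candidates for the rekey subcommand mentioned in the message.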