Skip to content

Instantly share code, notes, and snippets.

@lvonk
Last active October 15, 2015 19:05
Show Gist options
  • Save lvonk/3a094e0218bc91f0e2d4 to your computer and use it in GitHub Desktop.
Save lvonk/3a094e0218bc91f0e2d4 to your computer and use it in GitHub Desktop.
Alternative Ansible vault.
# Copyright 2014 Zilverline B.V.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Put this code in filter_plugins/custom_plugins.py
#
# Tested with keyczar 0.71c. To create a keystore with keyczar do:
#
# keyczart create --location=$HOME/.my-keyczar-keystore --purpose=crypt
# keyczart addkey --location=$HOME/.my-keyczar-keystore --status=primary
#
# Allows for property and file based encryption.
# Example:
# group_vars/development
# encrypted_property = AADFGASDGdsfkjasg
# unencrypted_property = www.zilverline.com
#
# Usage in e.g. task: password={{ encrypted_property | vault }}
#
# Example usage for file encryption
#
# - name: Install certificate key
# copy: content="{{ lookup('file', 'private.key.encrypted') | vault }}" dest=/etc/ssl/certs/private.key owner=root group=root mode=0600
def vault(encrypted):
method = """
from keyczar import keyczar
import os.path
import sys
keydir = os.path.expanduser('~/.my-keyczar-keystore')
crypter = keyczar.Crypter.Read(keydir)
sys.stdout.write(crypter.Decrypt("%s"))
""" % encrypted
from subprocess import check_output
return check_output(["python", "-c", method])
class FilterModule(object):
def filters(self):
return {
'vault': vault
}
# Put this code in scripts/encrypt.sh
#
# This allows to encrypt individual values to use e.g. in group_var files
# Usage:
# - To encrypt: scripts/encrypt.sh
# - To decrypt: scripts/encrypt.sh -d
#!/usr/bin/env python
import os.path
import getpass
from optparse import OptionParser
from keyczar import keyczar
parser = OptionParser()
parser.add_option("-d", "--decrypt", action="store_true", help="decrypt the input", dest="decrypt")
(options, args) = parser.parse_args()
keydir = os.path.expanduser('~/.my-keyczar-keystore')
crypter = keyczar.Crypter.Read(keydir)
if options.decrypt:
encrypted_input = raw_input("Type the encrypted string: ")
print 'The decrypted secret: %s' % crypter.Decrypt(encrypted_input)
else:
password = getpass.getpass('Type the secret you want to encrypt: ')
encrypted_secret = crypter.Encrypt(password)
print 'The encrypted secret: %s' % encrypted_secret
# Put this code in scripts/encrypt-file.sh
#
# This allows to encrypt entire files e.g. private key files.
# Usage:
# - To encrypt: scripts/encrypt-file.sh -f FILE_TO_ENCRYPT
# - To decrypt: scripts/encrypt-file.sh -d -f FILE_TO_DECRYPT
#!/usr/bin/env python
import os.path
from optparse import OptionParser
from keyczar import keyczar
parser = OptionParser()
parser.add_option("-f", "--file", help="the input file", dest="filename", metavar="FILE")
parser.add_option("-d", "--decrypt", action="store_true", help="decrypt the file", dest="decrypt")
(options, args) = parser.parse_args()
if options.filename:
with open(options.filename, 'r') as content_file:
content = content_file.read()
keydir = os.path.expanduser('~/.my-keyczar-keystore')
crypter = keyczar.Crypter.Read(keydir)
if options.decrypt:
print crypter.Decrypt(content)
else:
encrypted_secret = crypter.Encrypt(content)
print encrypted_secret
else:
parser.print_help()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment