One of the neat things you can do with GPG is encrypt your Ansible Vault passphrase file. This works very nicely with hardware security keys such as Yubikey.
To start off, you will probably want to generate a new Vault passphrase and re-key all your already-encrypted Vault files.
$ pwgen -n 71 -C | head -n1 | gpg --armor --recipient GPG_ID -e -o vault_passphrase.gpg
You can view that actual vault passphrase using:
$ gpg --batch --use-agent --decrypt vault_passphrase.gpg
Now that you have the new passphrase ready to go, re-key all your already-encrypted Vault files.
$ grep -rl '^$ANSIBLE_VAULT.*' . | xargs -t ansible-vault rekey
This command will ask you for the old and new vault passphrases and
then attempt to re-key all the files that begin with the string
$ANSIBLE_VAULT (usually indicative of an Ansible Vault encrypted file).
The next thing we need to do here is find a way to make decryption as painless
as possible, which is where Ansible’s
--vault-password-file flag comes
One of the things that the
--vault-password-file argument accepts is a
Finally, create an executable file called
#!/bin/sh gpg --batch --use-agent --decrypt vault_passphrase.gpg
Now that all the pieces are in place, invoke
ansible-vault manually and make
sure that the re-keying worked as expected:
$ ansible-vault --vault-password-file=vault_pass.sh view /path/to/an/encrypted/vault/file.yml
You could also make your life slightly easier by adding this to your
ansible.cfg, in which case you could omit the