/log
-/*.retry
+/gpg/vault-keyring.gpg~
+*.pyc
+*.retry
+.*.sw?
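Review bot: `/gpg/vault-keyring.gpg~` covers GnuPG's backup of the committed keyring, but the temporary `vault-pass.gpg.<pid>` that `gpg/set-vault-pass.sh` writes before its final `mv` is not ignored; if that script is interrupted between the `--encrypt` and the `mv`, the stray file survives and a later `git add gpg/` will commit it. Suggest adding `/gpg/vault-pass.gpg.*` alongside the keyring backup entry.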
+++ /dev/null
-Creating key:
- pwgen -s 128 -1 | gpg2 -e -a -o vault-pass.gpg
-
-Reencrypt for new set of keys:
- ./open-vault.sh | gpg2 -e -a -o vault-pass.gpg
-
-Create a new vault file:
- ansible-vault create secrets/foo.yaml
-
-Edit a vault file:
- ansible-vault edit secrets/foo.yaml
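Review bot: this hunk deletes the only documentation of how the vault password is created in the first place (`pwgen -s 128 -1 | gpg2 -e -a -o vault-pass.gpg`) and of the "reencrypt for new set of keys" step, and the new Secrets document added in this change covers adding and removing keys but not bootstrapping an empty repository or rotating the password. Suggest carrying a short bootstrap/rotation section over to the new document, e.g. `pwgen -s 128 -1 | gpg/set-vault-pass.sh`, followed by rekeying the existing vault files whenever the password is rotated.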
--- /dev/null
+Secrets and Vaults
+==================
+
+All secrets are stored inside encrypted ansible vault files which live
+inside the secrets directory. Access to the vault files is controlled via
+GPG keys. Anybody who uses this ansible repository needs to have a GPG key.
+
+
+Creating a GPG key
+------------------
+
+You can use the following command to generate a new GPG key:
+
+```
+# gpg2 --full-gen-key
+ - select "RSA and RSA" as kind (should be option: 1)
+ - set keysize to: 4096
+ - set key expiration to: 2y
+ - set Real name and eMail adress
+ - set a passphrase for the key (please use a strong passphrase!!!)
+```
+
+This command prints the fingerprint and other inforamtion about the newly
+generated key. In the line starting with pub you can find the key ID. This
+ID can be used to uniquely identify your key. Here is a sample output:
+
+```
+pub rsa4096/0x1234567812345678 2017-01-01 [SC] [expires: 2019-01-01]
+ Key fingerprint = 1234 5678 1234 5678 1234 5678 1234 5678 1234 5678
+uid [ unknown] Firstname Lastname <lastname@example.com>
+sub rsa4096/0x8765432187654321 2017-01-01 [E] [expires: 2019-01-01]
+```
+
+The key ID is the hexadecimal number next to ```rsa4096/``` in the line
+starting with ```pub``` (not ```sub```). In this case the key ID is: ```0x1234567812345678```
+
+In order to add your key to the list of keys which can read the ansible vault
+you first need to export the public part of your key using the following
+command:
+
+```
+# gpg2 --armor --export "<your key id>" > mykey.asc
+```
+
+
+
+Adding a key to the Vault
+-------------------------
+
+Everybody who currently has access to the vault can add keys using the
+following command:
+
+```
+# gpg/add-keys.sh mykey.asc
+```
+
+This will add the new key to the keyring stored inside the repository and
+reencrypt the secret to unlock the vault for all keys inside the keyring.
+
+
+
+Removing a key from the Vault
+-----------------------------
+
+Everybody who currently has access to the vault can remove keys using the
+following command:
+
+```
+# gpg/remove-keys.sh "<key-id>"
+```
+
+This will remove the key from the keyring stored inside the repository and
+reencrypt the secret to unlock the vault for all remaining keys inside the
+keyring.
+
+You can find out the key ID using the command:
+
+```
+# gpg/list-keys.sh
+```
+
+Here is an example output:
+
+```
+pub rsa4096/0x1234567812345678 2017-01-01 [SC] [expires: 2019-01-01]
+ Key fingerprint = 1234 5678 1234 5678 1234 5678 1234 5678 1234 5678
+uid [ unknown] Firstname Lastname <lastname@example.com>
+sub rsa4096/0x8765432187654321 2017-01-01 [E] [expires: 2019-01-01]
+```
+
+The key ID is the hexadecimal number next to ```rsa4096/``` in the line
+starting with ```pub``` (not ```sub```). In this case the key ID is: ```0x1234567812345678```
+
+
+
+Working with Vault files
+------------------------
+
+ * create new vault:
+ ```
+# ansible-vault create secrets/foo.vault.yml
+ ```
+ This will open up an editor which allows you to add variables. Once you
+ store and close the file the content is automatically encrypted.
+
+ * edit a vault file:
+ ```
+# ansible-vault edit secrets/foo.vault.yml
+ ```
+ This will open up an editor which allows you to add/remove/change variables.
+ Once you store and close the file the content is automatically encrypted.
+
+ * show the contents of a vault file:
+ ```
+# ansible-vault view secrets/foo.vault.yml
+ ```
+ This will automatially decrypt the file and print it's contents.
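Review bot: the "Adding a key to the Vault" section should tell whoever runs `gpg/add-keys.sh mykey.asc` to confirm the key's fingerprint with its owner over a second channel before importing it; the script immediately re-encrypts the vault password to every key in the keyring (set-vault-pass.sh uses `--trust-model always`), so a substituted `.asc` hands the vault password to whoever supplied it. The sample output `pub rsa4096/0x1234567812345678` only appears when `keyid-format 0xlong` is configured in the user's gpg.conf; with current GnuPG defaults the `pub` line carries no key ID and only the fingerprint line is shown, so either document that setting or have `gpg/list-keys.sh` pass `--keyid-format 0xlong`, and for `remove-keys.sh` prefer the full fingerprint from the `Key fingerprint =` line, which `--delete-keys` accepts and which is unambiguous. Typos: "inforamtion", "adress", "automatially", and "it's contents" should be "its contents"; `gpg2 --full-gen-key` is shown behind a `#` (root) prompt although it should be run as the user who will own the key.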
remote_user = root
log_path = ./log
nocows=1
-vault_password_file = ./open-vault.sh
+vault_password_file = ./gpg/get-vault-pass.sh
gathering = smart
var_compression_level = 9
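Review bot: `vault_password_file = ./gpg/get-vault-pass.sh` only works if that script carries the executable bit: Ansible runs an executable password file as a program and otherwise reads the file's contents as the literal password, which here would be the script source. The diff as rendered shows no file modes, so confirm the new `gpg/*.sh` files were committed as 100755 (`git update-index --chmod=+x gpg/*.sh`), and be aware that `get-vault-pass.sh` discards gpg's stderr, so a decrypt failure shows up in Ansible only as a wrong vault password.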
--- /dev/null
+#!/bin/bash
+
+if [ -z "$1" ]; then
+ echo "no keyfile specified, reading from stdin ..."
+fi
+
+"${BASH_SOURCE%/*}/gpg2.sh" --import $@
+if [ $? -ne 0 ]; then
+ echo -e "\nERROR: import key(s) failed. Please revert any changes of the file gpg/vault-keyring.gpg."
+ exit 1
+fi
+
+echo ""
+"${BASH_SOURCE%/*}/get-vault-pass.sh" | "${BASH_SOURCE%/*}/set-vault-pass.sh"
+if [ $? -ne 0 ]; then
+ echo -e "\nERROR: reencrypting vault password file failed!"
+ echo " You might want to revert any changes on gpg/vault-pass.gpg and gpg/vault-keyring.gpg!!"
+ exit 1
+fi
+echo "Successfully reencrypted vault password file!"
+echo " Don't forget to commit the changes in gpg/vault-pass.gpg and gpg/vault-keyring.gpg."
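Review bot: the check after `get-vault-pass.sh | set-vault-pass.sh` (`if [ $? -ne 0 ]`) only sees the exit status of the last command in the pipeline, and `get-vault-pass.sh` sends gpg's stderr to /dev/null, so if the caller's own key cannot decrypt `vault-pass.gpg` (no matching secret key, expired key, dismissed passphrase prompt) an empty string is piped into `set-vault-pass.sh`, which encrypts it and replaces `vault-pass.gpg`, locking everyone out of the vault. Add `set -o pipefail` at the top, or capture the password first and refuse to continue when it is empty, before re-encrypting. Also `--import $@` should be `--import "$@"` so key file names with spaces survive, and listing the fingerprints of what was just imported before re-encrypting would let the operator notice a file that contains more keys than expected.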
--- /dev/null
+#!/bin/bash
+gpg2 --decrypt --batch < "${BASH_SOURCE%/*}/vault-pass.gpg" 2> /dev/null
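Review bot: `2> /dev/null` throws away every gpg diagnostic, so when decryption fails this script prints nothing and exits non-zero with no explanation; since ansible.cfg uses it as `vault_password_file` and add-keys.sh/remove-keys.sh pipe its output onward, the failure surfaces only as a wrong vault password in Ansible or as an empty password being re-encrypted. Keep stderr (or redirect it to a log file) so the cause is visible, and consider restoring the `exec` that the deleted open-vault.sh used. Decrypting against the user's default keyring rather than through gpg2.sh is correct here, because the secret key lives there and not in the repository keyring.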
--- /dev/null
+#!/bin/bash
+exec gpg2 --keyring "${BASH_SOURCE%/*}/vault-keyring.gpg" --secret-keyring /dev/null --no-default-keyring $@
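Review bot: `$@` should be `"$@"`; unquoted it re-splits arguments such as a file name with spaces. `${BASH_SOURCE%/*}` also breaks when the script is started without a path component (for example `bash gpg2.sh` from inside gpg/): the pattern then removes nothing and the keyring path becomes `gpg2.sh/vault-keyring.gpg`. `$(dirname "${BASH_SOURCE[0]}")` handles both cases, and the same idiom appears in every other script in this change. `--secret-keyring` is an obsolete option that GnuPG 2.1 and later ignore (secret keys live in private-keys-v1.d), so it can be dropped; the `--no-default-keyring --keyring` pair is what correctly isolates the repository keyring from the user's own.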
--- /dev/null
+#!/bin/bash
+exec "${BASH_SOURCE%/*}/gpg2.sh" --list-keys $@
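Review bot: the Markdown and the usage text in remove-keys.sh show output of the form `pub rsa4096/0x1234567812345678`, which GnuPG only prints when `--keyid-format 0xlong` is in effect; with recent defaults (`keyid-format none`) the `pub` line carries no key ID at all and users following the instructions will not find it. Pass `--keyid-format 0xlong` here so the listing matches the documentation regardless of the user's gpg.conf, and quote `"$@"` as suggested for gpg2.sh.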
--- /dev/null
+#!/bin/bash
+
+if [ -z "$1" ]; then
+ echo "Please specify at least one key ID!"
+ echo ""
+ echo "You can find out the key ID using the command: gpg/list-keys.sh"
+ echo ""
+ echo " Here is an example output:"
+ echo ""
+ echo " pub rsa4096/0x1234567812345678 2017-01-01 [SC] [expires: 2019-01-01]"
+ echo " Key fingerprint = 1234 5678 1234 5678 1234 5678 1234 5678 1234 5678"
+ echo " uid [ unknown] Firstname Lastname <lastname@example.com>"
+ echo " sub rsa4096/0x8765432187654321 2017-01-01 [E] [expires: 2019-01-01]"
+ echo ""
+ echo " The key ID is the hexadecimal number next to rsa4096/ in the line"
+ echo " starting with pub (not sub). In this case the key ID is: 0x1234567812345678"
+ echo ""
+ exit 1
+fi
+
+"${BASH_SOURCE%/*}/gpg2.sh" --delete-keys $@
+if [ $? -ne 0 ]; then
+ echo -e "\nERROR: removing key(s) failed. Please revert any changes of the file gpg/vault-keyring.gpg."
+ exit 1
+fi
+
+echo ""
+"${BASH_SOURCE%/*}/get-vault-pass.sh" | "${BASH_SOURCE%/*}/set-vault-pass.sh"
+if [ $? -ne 0 ]; then
+ echo -e "\nERROR: reencrypting vault password file failed!"
+ echo " You might want to revert any changes on gpg/vault-pass.gpg and gpg/vault-keyring.gpg!!"
+ exit 1
+fi
+echo "Successfully reencrypted vault password file!"
+echo " Don't forget to commit the changes in gpg/vault-pass.gpg and gpg/vault-keyring.gpg."
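Review bot: removing a key from the keyring and re-encrypting the same vault password does not revoke the removed person's access: every earlier `gpg/vault-pass.gpg` remains in git history and is still decryptable with their key, and the ansible-vault password inside it is unchanged, so they can keep opening the vault files. A removal must also generate a fresh password, write it with `set-vault-pass.sh`, and rekey the vault files against it (`ansible-vault rekey`), and the "Removing a key from the Vault" section should say so. The same pipeline problem as in add-keys.sh applies here: `$?` after `get-vault-pass.sh | set-vault-pass.sh` ignores a failed decrypt, so use `set -o pipefail` or verify the password is non-empty before re-encrypting; `--delete-keys $@` needs `"$@"`; and the usage text duplicating the Markdown could be a pointer to the document instead.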
--- /dev/null
+#!/bin/bash
+
+keyids=$("${BASH_SOURCE%/*}/gpg2.sh" --list-keys --with-colons --fast-list-mode 2>/dev/null | awk -F: '/^pub/{printf "%s\n", $5}')
+if [ -z "$keyids" ]; then
+ echo "ERROR: no keys to encrypt to, is the keyring empty?"
+ exit 1
+fi
+
+receipients=""
+for keyid in $keyids; do
+ receipients="$receipients -r $keyid"
+done
+
+
+"${BASH_SOURCE%/*}/gpg2.sh" --yes --trust-model always --encrypt -a -o "${BASH_SOURCE%/*}/vault-pass.gpg.$$" $receipients
+if [ $? -ne 0 ]; then
+ rm -f "${BASH_SOURCE%/*}/vault-pass.gpg.$$"
+ exit 1
+fi
+mv "${BASH_SOURCE%/*}/vault-pass.gpg.$$" "${BASH_SOURCE%/*}/vault-pass.gpg"
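Review bot: the script encrypts whatever arrives on stdin without checking it, so an empty or failed upstream `get-vault-pass.sh` yields a valid-looking `vault-pass.gpg` containing an empty password and the `mv` replaces the good one; read the password into a variable, `exit 1` if it is empty, and only then encrypt. Recipients are chosen by 64-bit key ID from field 5 of the `pub` record; prefer the fingerprint (add `--with-fingerprint` and take field 10 of the `fpr` record, `awk -F: '/^fpr/{print $10}'`) because `--trust-model always` already disables every other check and a key ID is not a unique identifier the way the fingerprint is. `receipients` is misspelled throughout (harmless, but it is the variable name), and `--yes` is unnecessary since the output goes to a fresh `.$$` file.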
--- /dev/null
+-----BEGIN PGP MESSAGE-----
+-----END PGP MESSAGE-----
+++ /dev/null
-#!/bin/bash
-
-exec gpg2 --decrypt --batch < "${BASH_SOURCE%/*}/vault-pass.gpg" 2> /dev/null
+++ /dev/null
------BEGIN PGP MESSAGE-----
-
------END PGP MESSAGE-----