I'm writing an Ansible playbook and role that will be used in various envs, both WAN and LAN.
In my role I have a default credentials yaml file which contains passwords using Ansible Vault in-line encryption:
default_username_for_something: "the_username"
default_password_for_something: !vault |
$ANSIBLE_VAULT;1.2;AES256;dev
30613233633461343837653833666333643061636561303338373661313838333565653635353162
3263363434623733343538653462613064333634333464660a663633623939393439316636633863
61636237636537333938306331383339353265363239643939666639386530626330633337633833
6664656334373166630a363736393262666465663432613932613036303963343263623137386239
6330
This approach works great when working in my own env, but not so when others try to use my role - because they do not have access to my Ansible Vault, they do not have these secret password values.
What is a way I could encrypt my passwords in this default credentials file WITHOUT using Ansible Vault? It doesn't have to be the most secure thing in the world - just a simple mechanism that would prevent the password from appearing as plaintext before and after a run of the role.
Thanks in advance!
Related
According to the jetty docs: https://www.eclipse.org/jetty/documentation/jetty-10/operations-guide/index.html#og-password if the keystore is password protected, I need to define that password in a configuration property in start.ini . The problem I'm running into is that I'm building that config from a script as part of the deployment process. If I'm going to be storing the password in a script, I need some way to encrypt it, otherwise it defeats the purpose of having a password in the first place.
Does anyone know if this is possible? The best I could find is obfuscation (OBF) which isn't much better than plain text from a security perspective. If not, how do I keep the keystore password secure?
The Cloud Composer doesn't support SMTP password storage in environment, according to the tutorial we can specify a command return SMTP password, I have tried bash command to export env var from airflow.cfg but failed to store password in airflow.cfg.
Our Gsuit credential is stored in LastPass, so the ideal way is to connect composer with lastpass to retrieve LDAP credential. Some applicable solution I can think of right now: 1) move credential from LastPass to Vault, enable vault in composer via ssh and use vault kv get airflow/connections/smtp_default in composer smtp_password_cmd; 2) create connections in airflow with LastPass and retrieve with airflow.hooks.base in code base (might need excessive config for security reason) 3) easiest way, hide hardcoded gmail password somewhere (not sure where thou)
Can someone point out a direction how to retrieve LDAP credential from third-party storage ( we don't want to use google secret at this moment) in cloud composer?
You can use existing secrets backend or add your own custom secret backend if none of the secret backends is good for you. The existing backends you can use are vault, Google secrets, Amazon secrets, but rolling your own backend is super simple if none of the existing ones suit you.
https://airflow.apache.org/docs/apache-airflow/2.2.0/security/secrets/secrets-backend/index.html
In case of SMTP you need to define a connection (any type - http will do) which you have to specify via connection id (and the connection should have user/password for SMTP)
I am writing a python script that sends a get request to a router. The problem is that the user and password are exposed to all in the script. I have seen multiple methods for dealing with this problem(using environment variables, reading credentials from a file) but these methods have not satisfied my needs. I would like that only a local admin user could have access to the file or variables that hold the user/pass values.
So I solved this problem by encrypting my credentials with a permanent fernet key using the cryptography library. The permanent key is in a file in the same directory as the main code as well as the encrypted credentials.
Thanks for the suggestions.
We have Artifactory OSS that currently use the default DB and we want to move to MS-SQL. According to the regular links - we need to write the MSSQL password in clear text in the db.properties file.
Can the password be encrypted somehow, so the Artifactory will know how to decrypt and use it
You should be able to activate encryption using the REST API. See the documented API.
This should create an encryption key and apply it on the db.properties where the username and password are stored.
I hope this helps.
What I found was that after switching to MS-SQL and starting Artifactory- Artifactory has encrypted the password.
In the admin->Security->Security Configuration there is a section for Password encryption that you can choose to encrypt all password in configuration files
I have a Windows batch file which runs periodically to update data on my MySQL database. I now want to make the batch file secure so that no-one can see the password used to connect to the database. I have thought of two potential solutions:
Encrypt the password in the batch file
Encrypt the entire file.
Id prefer to go with option 1. Is there a quick method to encrypt a password which can be used in a batch file?
Only encrypting the password just moves the problem to how you secure the decryption key.
If you're on NTFS you should secure the whole file instead. On the file properties encryption is accessed by the Advanced... button under Attributes, and access controls are on the Security tab.