
Does ansible transfer files securely?

I'm using Ansible 2.2 to manage some cloud servers from my laptop. I want to transfer an OpenSSL private key to a specific location on one of the servers, to be used by nginx for TLS termination. Naturally, this is a file that should be kept secret, so I've encrypted it using Ansible Vault. But Vault only protects a file on-disk on the Control Machine. It doesn't come into play when transferring data from the Control Machine to a Managed Node.

I want to be sure that the private key is not compromised in transit by someone monitoring network traffic. There's no specific mention of what I'm looking for that I can see in the docs for the copy module. As far as I know, all of my communication with the managed nodes is done via SSH. Is that a safe assumption? Does it include file transfers?

asked Sep 20 '17 03:09

izrik


2 Answers

You're right, all communication with the managed node is securely done via ssh. Your vault is decrypted on the controller, and the plaintext private key is sent through a secure ssh connection and dropped on your target node.

The plaintext private key may become insecure on your target node, depending on who can log in, ownerships, group memberships, access permissions and so on. It's up to you to configure those securely.

answered Sep 17 '22 04:09

René Pijl


The answer is it depends on the type of connection.

There's an Ansible copy plugin which defers to the connection. The source code for the plugin is here:

https://github.com/ansible/ansible/blob/bc66faa328b1413646ec249cd2753de5e09f1a35/lib/ansible/plugins/action/copy.py

This defers copies to ActionBase._transfer_file which then defers to Connection.put_file.

There are many different implementations of connections, some of which are secure and some are not. If you're using an SSH connection then it uses either scp or sftp to do the actual copy and is secure.

This can be seen in the ssh source here:

https://github.com/ansible/ansible/blob/442af3744ebd60c7ffcaae22b61fb762ccc7c425/lib/ansible/plugins/connection/ssh.py#L954

Which delegates put_file to _file_transport_command which then can use scp, sftp, "smart", or pipes. Smart detects which of the other three is best to use.

Note: There's an Ansible copy module which only copies files locally and has no need for secure copy. That's what my previous answer erroneously pointed to and so I deleted it.

answered Sep 17 '22 04:09

Samuel Neff
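
Following the second answer's point that the guarantee depends on the connection plugin, this added example (not part of either answer or of Ansible itself) lists inventory hosts whose `ansible_connection` is not SSH-based. It assumes a simple INI inventory with constructed host names, no `[group:children]` nesting, and a default transport that has not been overridden in ansible.cfg or on the command line.

```python
import shlex

# Connection plugins that run over SSH; "smart" picks ssh or paramiko.
SSH_BASED = {"ssh", "paramiko", "smart"}
DEFAULT_CONNECTION = "smart"  # assumed: default transport not overridden

# Constructed sample inventory (INI format); host names are placeholders.
SAMPLE_INVENTORY = """\
[web]
web1.example.com
web2.example.com ansible_connection=paramiko
[build]
builder ansible_connection=docker
[legacy]
old1.example.com
[legacy:vars]
ansible_connection=winrm
"""

def connection_by_host(inventory_text):
    """Map each host to its connection plugin (host var beats group var)."""
    host_conn, host_groups, group_conn = {}, {}, {}
    section, kind = "ungrouped", ""  # kind is "", "vars" or "children"
    for raw in inventory_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, _, kind = line[1:-1].partition(":")
        elif kind == "vars":
            key, _, value = line.partition("=")
            if key.strip() == "ansible_connection":
                group_conn[section] = value.strip()
        elif not kind:  # host line; [group:children] is not resolved
            name, *pairs = shlex.split(line)
            host_groups.setdefault(name, []).append(section)
            for pair in pairs:
                key, _, value = pair.partition("=")
                if key == "ansible_connection":
                    host_conn[name] = value
    return {
        name: host_conn.get(name, next(
            (group_conn[g] for g in groups if g in group_conn), DEFAULT_CONNECTION))
        for name, groups in host_groups.items()
    }

def hosts_needing_review(inventory_text):
    """Hosts whose file transfers do not go through the SSH plugin path."""
    found = connection_by_host(inventory_text)
    return {h: c for h, c in found.items() if c not in SSH_BASED}
```

A flagged host is not necessarily insecure; it only falls outside the scp/sftp path described above, so how that plugin moves files has to be checked separately.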