Ansible Vault for an open source project: adventures in simplified indirection

“How can we publish our server configuration scripts as open source code without exposing our secrets to the world?”

It seemed like a simple enough mission. There are untold numbers of open source projects publishing directly to github.com; most large projects have secrets of one form or another. Someone must have figured out a pattern for keeping the secrets *near* the code without actually publishing them (or a key leading to them) as plaintext *in* the code, yes?

However, a cursory examination of tutorials on Ansible Vault left me with an uneasy feeling. The typical pattern for this kind of setup is to partition your secrets as variables in an Ansible Role, encrypt the variables, and unlock them at runtime with a password file (~/.vault_pass.txt) [or an interactive prompt at each Ansible run *shudder*]. The encrypted content is published as an AES256 blob, and the password file… well, here’s where I get the heebie-jeebies:

  1. While AES256 is a solid algorithm, it still feels…weird to publish such files to the WORLD. Distributed password cracking is quite a thing, and once the ciphertext is public, the only thing standing between an army of bots and the secrets is the strength of a single static password. How ridiculous a password would we need to withstand that kind of grinding? Certainly not one that anyone would feel comfortable typing by hand every time it’s prompted.
  2. Password files need to be managed, stored, backed up and distributed (or at least distributable) among project participants. Have you ever seen the PGP docs on handling the master passphrase? Last time I remember looking with a friend, he showed me four places where the docs said “DON’T FORGET THE PASSPHRASE”. [Worst case, what happens if the project lead gets hit by a bus?]

I guess I was expecting some kind of secured, daemon-based query-and-response RPC server, the way Jan-Piet Mens envisioned here.

Challenges

  • We have a distributed, all-volunteer team – hit-by-a-bus scenarios must be part of the plan
  • (AFAIK) We have no permanent “off-the-grid” servers – no place to stash a secret that isn’t itself backed up on the Internet – so there will have to be at least periodic bootstrapping, and multiple locations where the vault password will live

Concerns re: Lifecycle of Ansible Vault secrets:

  1. Who should be in possession of the master secret? Can this be abstracted away, or does everyone using it have to know its value?
  2. What about editing encrypted files? Do you have to decrypt them each time and re-encrypt, or does “ansible-vault edit” hand-wave all that for you?
    • Answer: you don’t have to; “ansible-vault edit” doesn’t leave decrypted contents on disk in place of the vault file, it hands a temporary plaintext copy to your editor and transparently re-encrypts on save.
  3. Does Ansible Vault use per-file AES keys or a single AES key for all operations with the same password (that is, is the vault password a seed for the key, or does it encrypt the key)?
    • Answer: not confirmed, but neither the source code nor the docs mention per-file encryption, and the encrypted contents do not appear to carry an encrypted AES key, so it looks like one AES key per vault password.
  4. Where do you store the vault password if you want to integrate it into a CD pipeline?
    • Answer: --vault-password-file ~/.vault_pass.txt, or even --vault-password-file ~/.vault_pass.py, where the (executable) script writes the password to stdout.
  5. Does anyone have a viable scheme that doesn’t require a privileged operator to be present during every deployment (--ask-vault-pass)?
    • i.e. doesn’t that mean you’re in danger of including ~/.vault_pass.txt in your git commit at some point? If not, where does that secret live?
  6. If you incorporate LastPass into your workflow to keep a protected copy of the vault password, can *that* be incorporated into the CD pipeline somehow?
  7. Are there any prominent OSS projects that have published their infrastructure and used Ansible Vault to publish encrypted versions of their secrets?
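A concrete version of the script form from question 4, added here as an example; it is not the author’s code and not something Ansible ships. Ansible executes a --vault-password-file that is marked executable and takes the password from its stdout, so the script can do what a bare text file cannot: prefer a CI-injected environment variable (the name VAULT_PASS is an assumption) and, when it falls back to ~/.vault_pass.txt, refuse a copy that is group- or world-readable or owned by someone else.

```python
#!/usr/bin/env python3
"""Vault password provider for `ansible-vault --vault-password-file`.

Added example, not from the original post or from Ansible itself.  Ansible
runs an executable password file and reads the password from its stdout,
which lets us add checks that a bare ~/.vault_pass.txt never gets:

  * in CI, take the password from an environment variable injected by the
    CI system's secret store (the variable name VAULT_PASS is an assumption);
  * otherwise read ~/.vault_pass.txt, but refuse a copy that is readable by
    group or others, or that is not owned by the calling user.
"""
import os
import stat
import sys

DEFAULT_PASS_FILE = os.path.expanduser("~/.vault_pass.txt")  # assumed location
ENV_VAR = "VAULT_PASS"  # assumed name of the CI-injected variable


class VaultPassError(Exception):
    """Raised when no acceptable password source is available."""


def check_private(path):
    """Raise VaultPassError unless `path` is a regular file owned by the
    current user with no group/other permission bits set (e.g. mode 0600)."""
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        raise VaultPassError(f"{path}: not a regular file")
    getuid = getattr(os, "getuid", None)  # absent on non-POSIX platforms
    if getuid is not None and st.st_uid != getuid():
        raise VaultPassError(f"{path}: not owned by uid {getuid()}")
    if st.st_mode & 0o077:
        raise VaultPassError(
            f"{path}: mode {oct(st.st_mode & 0o777)} is too permissive; chmod 600 it")


def read_vault_password(path=DEFAULT_PASS_FILE, env=None):
    """Return the vault password, preferring the environment variable over the file."""
    env = os.environ if env is None else env
    from_env = env.get(ENV_VAR)
    if from_env:
        return from_env.strip()
    if not os.path.exists(path):
        raise VaultPassError(f"{path}: missing and {ENV_VAR} is not set")
    check_private(path)
    with open(path, encoding="utf-8") as fh:
        password = fh.read().strip()
    if not password:
        raise VaultPassError(f"{path}: empty")
    return password


if __name__ == "__main__":
    # Ansible takes whatever lands on stdout as the vault password; a non-zero
    # exit makes the play fail instead of proceeding with a bad or empty password.
    try:
        sys.stdout.write(read_vault_password())
    except VaultPassError as exc:
        sys.stderr.write(f"vault_pass: {exc}\n")
        sys.exit(1)
```

Install it with chmod 700 ~/.vault_pass.py and run ansible-playbook --vault-password-file ~/.vault_pass.py site.yml. The permission check is the practical caveat: Ansible itself will happily read a world-readable ~/.vault_pass.txt, so the provider script is the place to enforce that the file is private.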

Based on my reading of the docs and blogs, it seems like this is the proffered solution for maximum automation and maintainability:

  • Divvy up all your secrets as variables and use pseudo-leaf indirection (var files referencing prefixed variables in a separate file) as documented here.
  • Encrypt the leaf-node file(s) using a long, random vault password
  • Store the vault password in ~/.vault_pass.txt
  • Call all ansible and ansible-playbook commands using the --vault-password-file option
  • Smart: wire up a pre-commit step in git to make sure the right files are always encrypted, as documented here.
  • Back up the vault password in a password manager like LastPass (so that only necessary participants get access to that section)
  • Manually deploy the .vault_pass.txt file to your Jenkins server or other CI/CD master, and give no one else access to that server/root/file.
  • Limit the number of individuals who need to edit the encrypted file(s), and make sure they list .vault_pass.txt in their .gitignore file.
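The layout and the pre-commit check from the list above, written out as an added example; this is not the post’s own hook and not the one linked as “documented here”. It assumes the vault files are named vault.yml (or carry “vault” in the name) and that the password file is called .vault_pass.txt or .vault_pass.py; both are naming conventions assumed for the example, not anything Ansible enforces. The check rests on one property the pattern relies on: a file that ansible-vault has encrypted starts with the $ANSIBLE_VAULT; header, so a staged vault file without that header is plaintext, and the password file must never be staged at all.

```python
#!/usr/bin/env python3
"""Pre-commit check: refuse a commit that would publish a vault file in plaintext.

Added example, not from the original post or from Ansible.  The layout it
assumes is the pseudo-leaf indirection described above:

    group_vars/all/vars.yml    # plain:      db_password: "{{ vault_db_password }}"
    group_vars/all/vault.yml   # encrypted:  vault_db_password: <real secret>

Every staged file whose name matches VAULT_PATTERNS must begin with the
`$ANSIBLE_VAULT;` header that ansible-vault writes; anything else is treated as a
leaked plaintext secret.  A staged vault password file is rejected outright.
"""
import fnmatch
import os
import subprocess
import sys

VAULT_HEADER = b"$ANSIBLE_VAULT;"
# Assumed naming conventions for this example; adjust to the project's layout.
VAULT_PATTERNS = ("vault.yml", "vault.yaml", "*vault*.yml", "*vault*.yaml")
PASSWORD_FILE_NAMES = (".vault_pass.txt", ".vault_pass.py")


def is_vault_file(path):
    """True if the file name says it should hold encrypted variables."""
    name = os.path.basename(path)
    return any(fnmatch.fnmatch(name, pat) for pat in VAULT_PATTERNS)


def is_encrypted(path):
    """True if the file starts with the ansible-vault header."""
    with open(path, "rb") as fh:
        return fh.read(len(VAULT_HEADER)) == VAULT_HEADER


def check(paths):
    """Return [(path, reason)] for every path that must not be committed.

    Paths that no longer exist on disk (staged deletions) cannot leak anything
    and are skipped, except for password files, which are flagged by name alone.
    """
    problems = []
    for p in paths:
        name = os.path.basename(p)
        if name in PASSWORD_FILE_NAMES:
            problems.append((p, "vault password file must never be committed"))
        elif is_vault_file(p) and os.path.isfile(p) and not is_encrypted(p):
            problems.append((p, "vault file is not encrypted"))
    return problems


def staged_files():
    """Paths added/copied/modified/renamed in the index, NUL-separated so that
    file names containing spaces survive."""
    out = subprocess.check_output(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACMR", "-z"])
    return [p.decode() for p in out.split(b"\0") if p]


def main():
    problems = check(staged_files())
    for path, reason in problems:
        sys.stderr.write(f"pre-commit: {path}: {reason}\n")
    if problems:
        sys.stderr.write(
            "encrypt with: ansible-vault encrypt <file> --vault-password-file ~/.vault_pass.txt\n")
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Save it as .git/hooks/pre-commit (or call it from there) and mark it executable. Because a hook lives outside the repository it has to be installed by each editor of the vault files, which is one more reason the list above keeps that group small.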

P.S. Next up – look into the use of Hashicorp’s Vault project.

Reading List

Ansible Vault Docs:
http://docs.ansible.com/ansible/playbooks_vault.html

This is an incredibly useful article of good practices for using Ansible (and Ansible Vault) in a reasonably productive way:
https://www.reinteractive.net/posts/167-ansible-real-life-good-practices

Status and failure of CacheMyWork development

Every month or so I get an email like the following:

Hi, Love your app CacheMyWork. Left some suggestions for improvement on your website a while ago. Any chance you’ll release an updated version with more functionality any time soon? Seems to me it has huge potential once it’s updated.

I get this kind of email – wondering when I’ll finish the app, asking about status, wondering why it seems incomplete or why I haven’t integrated [easy fix “X”] – for only one of the open source projects I ever released: http://CacheMyWork.codeplex.com.

Every time I get one of these, I feel like a jerk for not finishing (or continuing) what I started, and I realize that if I was just a better coder, I’d have a lot of happy people out there.

I could never get my head around the databinding that is necessary to connect the WPF front end I built for the “version 2” of my app to the well-formed, totally functional app-finding algorithm I built literally years ago.

I feel like I’m disappointing a lot of people by not getting this back underway, but I really don’t have a clue how to fix the damned thing. I think my failure to maintain/improve this project is one reason why I’m giving up on my dream to ever be a professional coder.

I swear something must be wrong with my brain – every time I try to re-learn databinding concepts for .NET they look like they’re pretty simple for the author, but when I try to apply the ideas to my code, it never seems to work. I’ve coded three different data classes, I’ve tried every combination of parameters in the binding (both the XAML and the code-behind) I could find, but at best I get code parameters in the UI – never anything that hints that the bound data is leaking through (even though I can clearly see the data in the data class when I set breakpoints in the debugger). It’s like I’m not “getting” something about how this is supposed to work – it reminds me of how I was a week or two behind in introductory calculus class, when my brain couldn’t visualize what it was we were manipulating with those damned equations. (I finally got the calculus, though I think by now I’d have to start all over again.)

What would you do in this situation? I’d really like to get this going again – at least make good on the unfinished “new” release, and give myself some closure on that chapter of my geek life.

"Go/No-Go" Decisions on MyPicasaPictures, Attensa Sync to Google Reader, W2MW++

I’ve done a lot of investigatory work in the last few lunar cycles on different development projects I’d dreamed up.  However, after the investigation and the internal decision making were completed, I didn’t do a good job of “closing the loop” with any of you who have wondered “what happened to all those projects?”.

I haven’t thought much about the royal “you” in this work — I’ve been sharing the steps and findings, but recently I started to wonder what people would think in the future if they happened to search on something that led them to one of these projects’ articles.  I’d feel pretty frustrated trying to find out where these things led (if anywhere) and where (if anywhere) there might be code that came out of these efforts.

Well then, it’s time to close the loop on these — at least, as much as I am “decided” on any of these so far.  That said, I’m never committed to any particular decision like this if any new evidence surfaces in the future to challenge my assumptions.  So if anyone is interested in picking up where I left off on any of this, drop me a line to let me know (I’m always interested in this kind of experimental work), and if you’d like to bounce some ideas off me, or see if I’d be interested in participating, I’ll always be open to such inquiries.

MyPicasaPictures: No-Go

Bottom line: while the effort to understand the VMC development environment was instructional and probably honed my ability to figure out what to look for in future explorations, my overall impression of MCML is that it’s just too damned hard for the amount of value I might derive from it.

That, plus the chronic and unresolved stability issues I’m seeing with Vista Media Center (exacerbated by the merciless complaints and teasing I receive from my wife, who keeps saying “The XP box was much more stable, wasn’t it?”) have pretty much convinced me to pave the box, downgrade to Windows XP and to give Beyond TV a try.  [Their SDKs and more open, flexible architecture look like the perfect place to invest .NET development efforts, and the customer satisfaction with Beyond TV seems far superior to Windows Media Center, at least based on my initial research.]

Attensa Sync to Google Reader: No-Go

I had already decided to move from Attensa for Outlook to NewsGator Inbox, and then a few weeks ago NewsGator announced that their previously $30 Outlook client would henceforth be available for FREE to any and all concerned.

While there was no conversion possible from Attensa to NewsGator (well, I could import the OPML, but I couldn’t sync the “read/unread” status of all my articles, nor transparently migrate old articles to the new folder structure), everything else about this has been a positive experience.  I’m totally addicted to the NewsGator Mobile Reader for iPhone, and the fact that it syncs with my Outlook “read/unread” status is just awesome.  Congrats, NewsGator!

Attensa, I wish you luck in trying to survive the competitive pressures from NewsGator.  If I didn’t know better, I’d guess this is the beginning of the decline for Attensa, even though I think their Outlook client is superior to the current NewsGator Inbox offering.

W2MW++: Undecided

When I first read about the “export to MediaWiki” capability in OpenOffice Writer 2.3, I quickly concluded that any work I or the rest of the community had done for an Office add-in would become a moot point.  [Amusing but not-entirely-inaccurate Spoonerism: my wife knew a guy who insisted that the term was “a mute point”.]

However, after using Writer 2.3 to convert a few relatively simple Word 2003 documents to MediaWiki format, I realize that they still have a long way to go to preserve real fidelity of layout and formatting in Word documents.  I have faith that they’ll get there, and that eventually Writer’s integrated engine will become the translation engine for .DOC & .DOCX, but I now feel like there’s a significant unmet need that the work I’ve invested so far in W2MW++ could still address, and that that unmet need will exist for quite a while yet.

That said, there’s one thing that’s been bugging me for a few months now: the name.  WordToMediaWikiPlusPlus is a clever extension of the Word2MediaWikiPlus project, and it makes obvious the heritage of W2MW++, but it makes it sound like the project is more “hardcore” than it really is.  If I had my druthers, I’d rename the project “Word2MediaWiki.NET” (W2MW.NET), to make it clearer that the project is based in .NET code, not C++.  I’d hate to think anyone would be disappointed by the fact that it’s written in one of these “shiny new” languages — there’s something more “honest” or “obvious” about using the “.NET” suffix instead.

Now all I have to do is figure out how to Rename all the dozens of “++” references throughout the project AND figure out how to get a CodePlex project renamed.  [THAT should be fun :)]