Ansible is configured to use GPG to share secrets among different users. This
allows the passwords to be stored securely inside a GitHub repo.
Ansible has its own vault feature, accessible through the ansible-vault
command. This command encrypts a variable file with a password, and the
encrypted file can then be used almost seamlessly inside Ansible playbooks. The
remaining step is sharing the password that Ansible Vault uses to access the
variable file.
A file located inside the ./bin/ folder is GPG encrypted with the public keys
of all allowed users. Any user holding one of the corresponding private keys can
decrypt the file and access the vault. GPG's public/private key encryption is
what makes this setup work.
This has to be done on a machine that has access to all the GPG public keys and
can DECRYPT the vault. It is recommended to save the public keys in the git repo
to make this process easier in the future.
Check whether the new user already has a GPG key:
gpg --list-secret-keys
If you need to generate a new GPG key, follow the instructions below. If there
is already a key, follow the instructions under 'Export a GPG Key'.
If there is nothing in the output, a new key has to be created:
gpg --full-generate-key
Note the key ID of the new key; it is needed in the next step.
Now export that key to a file:
gpg --export-secret-key -a <KEY ID> > private.key
Copy the exported file to the machine that you want to add the key to (it
contains your private key, so transfer it securely and delete the copy
afterwards). Then import it into the gpg agent on the new machine:
gpg --import private.key
Now import the public key of every user found in the bin folder who needs to
access the vault, one key at a time, with the command:
gpg --import <key>
Once the public keys of all wanted users are imported, decrypt the current
vault password file into a cleartext file:
./bin/gpg-wrapper > ./bin/vault.passwd
Now re-encrypt the vault password with all recipients (one --recipient per
allowed user); this writes ./bin/vault.passwd.gpg:
gpg --encrypt --recipient oparkins@gmail.com --recipient denis.cohen@gmail.com ./bin/vault.passwd
Now remove the cleartext file:
rm ./bin/vault.passwd
And recommit the changes:
git add ./bin/vault.passwd.gpg
git commit -m "Updated vault with different recipients"
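The decrypt / re-encrypt / remove steps above, scripted as an added example (not part of the original repo) so the recipient set comes from a list kept in git and the new ciphertext is verified before it is committed. It assumes a hypothetical ./bin/recipients.txt with one email per line, decrypts with gpg directly rather than the page's gpg-wrapper (whose contents are not shown), and checks the result with gpg --list-packets.

```sh
#!/bin/sh
# Added example, not the project's own code: re-key the GPG-encrypted vault
# password file from a recipients list and verify the result before committing.
# Assumed (hypothetical) layout: ./bin/recipients.txt lists one email per line,
# '#' starts a comment; ./bin/vault.passwd.gpg is the encrypted file from the page.
set -eu

# Print the allowed recipients, one per line, with comments, blank lines and
# surrounding whitespace removed.
recipients_list() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1"
}

# Turn the list into repeated --recipient arguments for gpg (one pair per line).
recipient_args() {
    recipients_list "$1" | while read -r addr; do
        printf -- '--recipient %s\n' "$addr"
    done
}

# From `gpg --list-packets` output on stdin, print the key ID of every
# ":pubkey enc packet:" line, i.e. every key the file is encrypted to.
encrypted_keyids() {
    sed -n 's/^:pubkey enc packet:.*keyid \([0-9A-Fa-f]*\).*/\1/p'
}

# Decrypt the vault password, re-encrypt it to all listed recipients, remove
# the cleartext, then confirm the new ciphertext carries exactly one recipient
# packet per listed user, so a recipient gpg skipped (unknown or untrusted
# key) or an unexpected extra recipient cannot reach the commit unnoticed.
rekey_vault() {
    recipients=$1; vault_gpg=$2
    tmp=$(mktemp)                      # mktemp creates the file mode 0600
    trap 'rm -f "$tmp"' EXIT           # never leave the cleartext behind
    gpg --decrypt "$vault_gpg" > "$tmp"
    # $(...) is unquoted on purpose: each "--recipient addr" line becomes two words.
    gpg --batch --yes --encrypt --output "$vault_gpg" $(recipient_args "$recipients") "$tmp"
    rm -f "$tmp"
    want=$(recipients_list "$recipients" | wc -l | tr -d ' ')
    got=$(gpg --list-packets "$vault_gpg" | encrypted_keyids | wc -l | tr -d ' ')
    [ "$got" -eq "$want" ] || { echo "expected $want recipients, ciphertext has $got" >&2; return 1; }
}
```

Run it from the repo root as `rekey_vault ./bin/recipients.txt ./bin/vault.passwd.gpg` before the git add / git commit step; a non-zero exit means the new file should not be committed.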