Protect vault secret with GPG

Encrypting the vault password with GPG protects the key when stored on disk and allows it to be accessed non-interactively, as long as the GnuPG agent is set up correctly.
2018-01-29 14:53:57 -06:00 · 2018-01-29 14:53:57 -06:00 · 20fb830eda
parent 940ea5efb2
commit 20fb830eda
3 changed files with 5 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1,2 @@
 /.vault-secret.gpg
 .fact-cache
--- a/.vault-secret.sh
+++ b/.vault-secret.sh
@ -0,0 +1,2 @@
 #!/bin/sh
 exec gpg --quiet --batch --decrypt "${0%.sh}.gpg"
--- a/ansible.cfg
+++ b/ansible.cfg
@ -6,3 +6,5 @@ inventory = hosts
 gathering = smart
 fact_caching = jsonfile
 fact_caching_connection = .fact-cache
 vault_password_file = .vault-secret.sh
`@ -1 +1,2 @@`
		`/.vault-secret.gpg`
	`.fact-cache`	`.fact-cache`
		`@ -0,0 +1,2 @@`
							`#!/bin/sh`
							`exec gpg --quiet --batch --decrypt "${0%.sh}.gpg"`