Protect vault secret with GPG

Encrypting the vault password with GPG protects the key when stored on disk and allows it to be accessed non-interactively, as long as the GnuPG agent is set up correctly.
2018-01-29 14:53:57 -06:00 · 2018-01-29 14:53:57 -06:00 · 20fb830eda
parent 940ea5efb2
commit 20fb830eda
3 changed files with 5 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1,2 @@
+/.vault-secret.gpg
 .fact-cache
--- a/.vault-secret.sh
+++ b/.vault-secret.sh
@ -0,0 +1,2 @@
+#!/bin/sh
+exec gpg --quiet --batch --decrypt "${0%.sh}.gpg"
--- a/ansible.cfg
+++ b/ansible.cfg
@ -6,3 +6,5 @@ inventory = hosts
 gathering = smart
 fact_caching = jsonfile
 fact_caching_connection = .fact-cache
+
+vault_password_file = .vault-secret.sh