Ansible vault encrypts files, and it should encrypt values instead. #14721
Labels: affects_2.2, affects_2.3, feature, needs_info, needs_template, support:core
Issue Type: Feature Idea
Ansible Version: All versions
Ansible Configuration: N/A
Environment: N/A
Summary: N/A
Ansible vault encrypts files. It should instead encrypt values in key/value pairs, within an overall yml structure.
Encrypting values in key/value pairs makes the secret files readable, understandable and searchable; they maintain their data structure in a readable format, which makes them (most importantly) git-diffable, whilst still keeping secrets safe. There are so many advantages to the encrypt-by-value approach.
In the Puppet world, hiera-gpg did the same, and hiera-eyaml then took over with value encryption instead. Now most people use hiera-eyaml because this approach is far more user-friendly.
I believe Chef encrypted data bags also used the encrypt-by-value approach.
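A sketch of the encrypt-by-value idea requested above, added here as an illustration; it is not code from Ansible, hiera-eyaml or the issue author. The function names, the `ENC[...]` token format, the nested dict standing in for a YAML document and the HMAC-based stand-in cipher (used so the example needs only the standard library; a real tool would use a vetted AEAD) are all assumptions. It shows two things the request implies: key names and nesting stay in cleartext, and diffs only stay small if unchanged values keep their previous ciphertext.

```python
import base64, hashlib, hmac, json, os

def _sub(key, label):                      # derive separate enc/MAC keys
    return hmac.new(key, label, hashlib.sha256).digest()

def _stream(key, nonce, n):                # HMAC-SHA256 counter-mode keystream
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))[:n]

def seal(key, text):
    """Stand-in cipher (encrypt-then-MAC) so the demo needs only the stdlib."""
    nonce, data = os.urandom(16), text.encode()
    ct = bytes(a ^ b for a, b in zip(data, _stream(_sub(key, b"enc"), nonce, len(data))))
    tag = hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return "ENC[" + base64.b64encode(nonce + ct + tag).decode() + "]"

def unseal(key, token):
    raw = base64.b64decode(token[4:-1])
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    if not hmac.compare_digest(tag, hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext failed authentication")
    return bytes(a ^ b for a, b in zip(ct, _stream(_sub(key, b"enc"), nonce, len(ct)))).decode()

def encrypt_values(doc, key, old=None):
    """Encrypt leaf values only; reuse the token from `old` when the plaintext is unchanged."""
    if isinstance(doc, dict):              # keys and nesting stay readable
        old = old if isinstance(old, dict) else {}
        return {k: encrypt_values(v, key, old.get(k)) for k, v in doc.items()}
    text = json.dumps(doc)                 # lists and scalars are sealed whole
    if isinstance(old, str) and old.startswith("ENC[") and unseal(key, old) == text:
        return old
    return seal(key, text)

def changed_keys(before, after, path=""):
    """Dotted paths whose stored value differs between two encrypted documents."""
    if isinstance(before, dict) and isinstance(after, dict):
        return [p for k in sorted(set(before) | set(after))
                for p in changed_keys(before.get(k), after.get(k), f"{path}.{k}".lstrip("."))]
    return [] if before == after else [path]

KEY = b"constructed-demo-key"              # constructed sample key and documents
V1 = {"db": {"user": "app", "password": "hunter2"}, "api_token": "abc123"}
V2 = {"db": {"user": "app", "password": "rotated!"}, "api_token": "abc123"}

if __name__ == "__main__":
    e1 = encrypt_values(V1, KEY)
    e2 = encrypt_values(V2, KEY, old=e1)
    print(json.dumps(e2, indent=2))
    print("changed:", changed_keys(e1, e2))
```

Re-encrypting without passing the previous document changes every token, because each value gets a fresh nonce, so the diff then reports every key as modified even though only one secret changed.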