Access to GitHub like a Pro with Ansible-Vault
Now, in the previous articles (part 1, part 2 & part 3), we’ve installed a lot of different tools and programs. Now, there is another problem, your SSH keys, the glue between all your projects and the version control system. Every once and then you lose them, have to recreate new ones or accidentally remove them and your whole ‘Git-world’ falls apart.
In this article, I’ll show you how you can manage your SSH keys via Git, install them correctly via Ansible and never have to worry about access rights to your projects.
tl;dr
In this part, we’ll create two new ssh keys, one for private usage and another one for professional usage. Then we’ll create an ssh config file for managing them locally, encrypt everything and push it to GitHub. We’ll also adjust our Ansible script so that Ansible will also install and set up our SSH keys correctly for future usage.
Ansible-Vault
Ansible, wasn’t that the program we used to install a bunch of stuff? Yes! And now we use it as a Vault? Kind of… Ansible Vault encrypts variables and files so you can protect sensitive content such as passwords or keys rather than leaving it visible as plaintext in playbooks. To use Ansible Vault you need something to encrypt and decrypt.
Let’s have a look at an example, I have a file locally that has some content in it:
Now, if you have Ansible installed (if not, please read the friendly manual), we can easily encrypt this file:
The command we have to use isn’t rocket science, but the command line prompt for a password. We have to enter the same password twice. And you should use something very secret, but you must remember it in order to decrypt the file later!
$ ansible-vault encrypt <FILE_NAME>
If we take a look at the file content after encryption, we see a whole different content:
What we see, is that our file is encrypted. This is done via AES-256 encryption, which is believed to be quantum-resistant. That means that quantum computers are not expected to be able to reduce the attack time enough to be effective if the key sizes are large enough. So, if you were wondering if it is safe, it is!
Oke, looks cool, but what can we do with it?
Well, I had this frustration for a long time, creating those SSH keys every now and then for every source control system. Having them floating around my computer, not knowing where I stored that specific SSH key for any service. And my GitHub account was bloated with keys at that time.
What if… I could manage my SSH keys just like I already do with my dotfiles and programs/tools. Store them somewhere encrypted, and access them via a simple command. Well, today is your lucky day, because we will discover how we can manage that!
Setup New SSH keys
The first thing we’ll (and hopefully last time) do is create new SSH keys.
If you have followed my previous articles(part 1, part 2 and part 3), you already have an Ansible repository. This is the place where we’ll create our new SSH keys with the following commands:
$ cd ~/foo/bar/Ansible
$ mkdir .ssh
$ cd .ssh
$ ssh-keygen
First, the command will prompt for a filename, in my case I’ve created an id_rsa_github, so I’ll use a single SSH key for one Version control system, now if you have multiple accounts, a better naming could be:
id_rsa_<ACCOUNT_NAME>_github
Now that we have a fresh new SSH key, you can copy and paste the .pub file to GitHub for example, so you can work over SSH.
What we’ll do next, is encrypt our SSH keys, so we can store them in our public GitHub repo without worry:
$ ansible-vault encrypt id_rsa_github
$ ansible-vault encrypt id_rsa_github.pub
Setup Ansible Script
Now that we have our SSH keys encrypted and ready to push to our GitHub, there are a few things we need to do.
First, we’ll extend our local.yml file, second create a new Ansible playbook that will take care of the installation of our SSH keys on our local machine
This is the adjusted local.yml file, at the bottom of the file we see an extra task added called ssh.yml, we’ll create that one in a minute. Something we haven’t seen before is the vars variable. In our case, we store two variables, which we can reference later in an Ansible Playbook. We’ve defined the ssh destination file and the ssh folder for this tutorial. Now it is time for the SSH task:
What we see in this file, isn't very exciting or special, most keywords speak for themselves. There is one thing which we haven’t seen before;
{{ <VAR> }}
These are the variables we’ve specified in the local.yml file.
We have tasks, variables and new SSH keys and encrypted these. We should be able to push everything to GitHub and try a command for setting the SSH keys up locally:
$ cd ~/foo/bar/Ansible
$ git add .
$ git commit -m "Add SSH keys and installation to Ansible script"
$ git push
With the following command, we are able to set up the SSH keys locally:
$ ansible-playbook -t ssh local.yml --ask-become-pass --ask-vault-pass
The ask-become-pass flag is known, but the ask-vault-pass is not. This is a way to decrypt your encrypted files via Ansible. Now you should have your SSH key set up and ready for usage on your local machine.
Conclusion
Once again, we are one step closer to a state where we never have to think about our personal computer setup. We’ve created a new SSH key, encrypted it, stored on GitHub and downloaded and decrypted it locally with the usage of Ansible.
We’ve once more leveraged the usage of Ansible, congratulations!
Thank you for reading, and if you want to have a look at my Ansible repository, here is a link. We’ll probably get to something similar to that in the nextArticle. And if not, you should be able to at least create something similar with all the information.