Developer Productivity

Store SSH & Auth Keys with Ansible Vault



Developer Productivity

Check out a free preview of the full Developer Productivity course

The "Store SSH & Auth Keys with Ansible Vault" Lesson is part of the full, Developer Productivity course featured in this preview video. Here's what you'd learn in this lesson:

ThePrimeagen demonstrates using Ansible Vault to encrypt and decrypt files with AES256 encryption to allow the ability to securely store and use SSH and Auth keys. Student's questions regarding the safety of storing these files publicly are covered in this segment.


Transcript from the "Store SSH & Auth Keys with Ansible Vault" Lesson

>> So I just showed you how to break up a bunch of those tasks. But at this point ansible isn't that useful, right? A lot of you are probably looking at it going yeah, that's okay. Maybe I wanna use my own custom script. I don't have to learn YAML I don't have to mess with all this stuff.

Yeah, it looks a little convenient those tags great and all but perhaps it's not for me, maybe it's a little too complicated. Well, hold on, just hold on there for a second. Okay, can we just put a pin in it SSH? Remember I brought this up intentionally. I did say SSH was a part of getting your computer up and running.

And this part is just pretty awful, right? And so SSH keys, they're the worst thing ever. They're the best thing ever. They allow you to have really easy access onto systems. But you either have to generate a new one every time you get a computer and then go to GitHub.

Go to stash, go to Bitbucket. Go to wherever you have to go get lab and re put them all in and then wherever else you have to go really annoying. Well Ansible comes with something called Ansible vault. Now this thing is pretty darn awesome. So I'm gonna give you a little quick example.

Okay, so let's come in here. Let's create a file, alright. And let's call this one. Wow I already have a test file what's in here? My goodness, hello front end masters. Look at this we already have a test file, how beautiful is this? So I'm gonna take this thing down and I'm gonna run Ansible.

Ansible vault and then I'm gonna encrypt and I'm gonna choose test file, right? It's gonna say hey give me a password. So I'm gonna type in a super-secret password and then I'm gonna do it again. And that's that. It's gonna say encryption successful. So let's cut out the task file there we go.

Now this is what the test file looks like, I could commit this to a public repo, AES 256 is said to be likely quantum secure. So at least for the next while you're gonna be safe using this type of encryption It seems pretty good. And you can store it on public repose.

There you go It's out there, everything's fine. And if I wanted to get out the value, I could do Ansible vault, decrypt, and then oop, don't wanna put that one out there and then do test file. And I could decrypt the test file, put in my super secret password.

And now when I cut out my test file, what do I see? Hello, front end masters. So it's a two way encryption. That works really nicely, but you're probably asking yourself, okay, that's neat. And now I don't have to store my SSH keys in my email or on a private server, I can actually do that.

But still, that's kind of manual right? I'd have to decrypt them. Move them into the correct location. I don't wanna do that, right? I don't wanna do I don't wanna be a part of any of that. You're right. You don't wanna do that. And you don't have to do that.

So I've included the code, but I'm not gonna kind of I'm only gonna just lightly go over the code. Cuz it's really, there's not, I looked it up on the internet, I cut I pasted it, it worked first try, it was beautiful. I defined a couple vars, where my current SSH key is, where I want to install it.

Some basic information about it like hey, I want to create a directory with the correct permissions safe 700 right? I want to be able to copy my source to my destination. I've also tagged it with DOT files and SSH. So if I install my DOT files, I also need to install these tasks as well.

I need to have my SSH keys up and running for my DOT files, to be properly running. I do a bunch of this other stuff. Set my authorized key so that it works so I can have both. So I'm using it from here on out. If I do a get operation, it's gonna be ensured to be working.

And of course I can do something that looks like this. I can go and I can clone down a public repo and then update my sub modules which are private. And it will use my SSH key that I just got done decrypting. So let me show you kind of what that looks like.

Here's effectively the exact thing we will be executing. So I'm gonna go like this, I'm gonna rerun a new Docker and I'm gonna just use my actual my actual ansible thing I've been using. So here's my Ansible. So I'm gonna go Ansible playbook and I'm gonna run dot files.

That's my tag for all my dot files. Cause I want things to be up and running and then I'm gonna also do ask, vault pass, right. And then on top of that, I'm gonna just specify local ynl vault. Now I'm going to put in my very secret passcode don't look at it too much.

There we go. And there we go. It's gonna go through it's gonna ensure that ssh is installed correctly. It's gonna go through install My Zsh all that. Make sure vim plug is there, it's gonna install that stows there, it's gonna clone down my dog file repository. Not only that, but it's gonna recursively get everything else with it.

It's gonna install my dog files, you don't know what to do as yet. Then it's gonna get a bunch of my personal projects that I need, and boom, it's done. Now I'm gonna open up nvm it's gonna have some errors because I've yet to figure out this one, how to make this thing work but then I just got to go plug install.

And once it goes through and does all of this. I blah blah blah blah blah. There we go. I'll look how beautiful that is everything is wonderful. There we go. And I can quit, quit when I reopen up then it's now in the way I would like it all my keyboard shortcuts work.

I can do everything that I wanted to do everything just works as is because now my vins up and running and all my dot files have been there and they are private with an SSH key. Now for me, this was a huge thing that made me really excited.

Cuz I absolutely just hated how I've handled SSH keys in the past. This is awesome. Now it just works. And I can have them stored in a place where I'm not going to lose them, right? And that's a big thing for me is that I don't want to have to regenerate them and I don't wanna lose them.

And I don't want them just on someplace that can get hacked. I want them secure. And I feel like this was one of the best solutions I've seen out there where I can get a system up and running, even with those private keys so quick. And I feel like this is one of the biggest selling points of Ansible, but I wanna kind of think about it for a second.

Besides for SSH keys what else could we store with Ansible vault? Well, I feel like everybody here probably knows what this symbol is right? How many of you are locked out of binance right now because you have lost your password, and you don't have your backup codes for binance right?

My goodness you can't get your cryptocurrencies. You're millions of dogecoin just sitting there being wasted away right now. It's because you don't have a way to store your private information easily. So something I've been doing is I've actually been going through my oauth codes and here we go.

Here's my discord backup codes right? All right, so I get locked out of this code, I have my backup codes already here ready to rock, I don't even have to worry about it. For me this was just like a huge thing. Cuz this its gonna save me 100 folder.

And so now not only do I have all my installation and everything, I also have all the keys to the kingdom in case things break. In case I lose my phone, all that I just have to get to a computer and have Ansible installed and I can get the backup codes back out.

For me this was just awesome. For me, this is just like such a selling point. That's why this talk I felt like this section went from like the most boring section to the most awesome section because it's just like, I've been screwed by this so many times in my lifetime and, I don't have to have it anymore.

And so for me that was awesome. And so the next question you're probably asking is how did you just dot file that easy? All of your dot files and all those locations? That had to be pretty hard, right. No, it's not all that bad. Let's keep on going with this computer.

Now remember section one, I've always labeled it as the 0 to 60. The section one part of this talk, it's a bit more meaty and it doesn't have as many flashy items. But these are things that are just gonna save you so much dang time when you need it.

If you have a computer at home and at work, you can keep them in sync so easily. We have a question.
>> Several people asking if you store this in your public GitHub or where you can store it?
>> So when you have something vaulted like I said Aes 256 is considered potentially Aes 256 is it quantum secure.

You always got to be careful because that they believed is to be quantum resistant. But so there is some risk in the sense that if we make huge leaps and bounds over the next couple years in quantum technology your public repos with these encrypted keys could theoretically be decrypted at some rate that is achievable within the lifetime, right?

So that is, there is danger to it but if you store these keys vaulted if you aren't, if they're not vaulted, I mean you're just storing your RSA key publicly, right? That's your fault. Not my fault, but you should be safe to do that I know people that store their stuff publicly, I store my stuff publicly.

Just make sure you have a password that's good enough strong enough, that you're not gonna actually goof it up. Right, that's the big thing. But ultimately in the end, you need to choose your own risk, right? I wouldn't necessarily do it if you I mean, if you feel scared, you probably maybe you shouldn't do it, you can do it at least on a private repo.

But nonetheless, at least know that AS is quantum resistant, you can't break it with standard machinery. So it's fairly safe. People we use this for security pretty regularly and a lot of companies rely on this security now. I obviously make mine public, because I just simply don't I want to be able to start a computer with nothing.

And so I just make everything public, everything vaulted. So you can see all my vaulted items out there. Now if someone somehow got my pass code, then yeah, it would be broken, but there's always a point of failure. It's just where's that point of failure?

Learn Straight from the Experts Who Shape the Modern Web

  • In-depth Courses
  • Industry Leading Experts
  • Learning Paths
  • Live Interactive Workshops
Get Unlimited Access Now