Add saving private key ansible-vault encrypted #805

Open
agowa opened this issue Oct 3, 2024 · 3 comments
Labels
enhancement New feature or request

Comments

@agowa

agowa commented Oct 3, 2024

SUMMARY

Enable community.crypto.openssl_privatekey to save the private key using ansible-vault encryption.

ISSUE TYPE
  • Feature Idea
COMPONENT NAME

community.crypto.openssl_privatekey

ADDITIONAL INFORMATION

My current usage may be a bit unusual, but what I was trying to do was create a task within the role that generates the private key for an internal CA to sign stuff, but store that private key within the playbook on the controller. Aka. if a private key does not exist within a specific variable name, it'll create one and add an additional YAML file to the playbook that contains said variable with the newly generated private key, so that it'll be persistent for future runs but still allow the playbook to be a template for multiple similar projects (it doesn't have to be a YAML file and a variable directly, just an ansible-vault encrypted file/asset would already be enough).

Also, being able to have the module store the private key using ansible-vault encryption could be quite useful for a bunch of other usages as well, as it may be more secure than just being able to secure it using a passphrase.

@felixfontein felixfontein added the enhancement New feature or request label Oct 3, 2024
@felixfontein
Contributor

openssl_privatekey is a module, not an action plugin, so it has no access to Ansible Vault.

There are very few action plugins which support using Ansible Vault, and all I'm aware of only allow reading Vault encrypted stuff. (The only Ansible plugin I'm aware of that encrypts is the ansible.builtin.vault filter: https://docs.ansible.com/ansible/devel/collections/ansible/builtin/vault_filter.html)

To implement what you want to do, you should use the community.crypto.openssl_privatekey_pipe module together with the ansible.builtin.vault filter (to write the key if it was (re-)generated by the community.crypto.openssl_privatekey_pipe module). (You probably should combine the vault filter with the copy or template module to write its result to a file.)

The openssl_privatekey_pipe examples (https://docs.ansible.com/ansible/devel/collections/community/crypto/openssl_privatekey_pipe_module.html#examples) show how to combine the module with community.sops to (re-)generate a SOPS encrypted key, if necessary. Combining it with Ansible Vault should go similarly. (If you figure out how to combine them, you could add another example to the module; I'm sure this will be useful for other users as well.)
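The combination described in this comment, written out as an added example (not from the collection's documentation or from either participant): openssl_privatekey_pipe supplies the key, the ansible.builtin.vault/unvault filters do the encryption, and copy writes the file. The path ca_key_vault_file, the vault id ca_key, and the CA_KEY_VAULT_PASSWORD environment variable are assumptions for illustration.

```yaml
# Added example: keep a CA private key ansible-vault encrypted on the controller,
# (re)generating it only when it is missing or its parameters changed.
# Assumed names: ca_key_vault_file, ca_key_vault_id and CA_KEY_VAULT_PASSWORD.
- name: Maintain an Ansible Vault encrypted CA private key on the controller
  hosts: localhost
  gather_facts: false
  vars:
    ca_key_vault_file: "{{ playbook_dir }}/vars/ca_private_key.vault"
    ca_key_vault_password: "{{ lookup('ansible.builtin.env', 'CA_KEY_VAULT_PASSWORD') }}"
    ca_key_vault_id: ca_key
  tasks:
    - name: Check whether an encrypted key file already exists
      ansible.builtin.stat:
        path: "{{ ca_key_vault_file }}"
      register: ca_key_stat

    - name: Read the raw encrypted file (slurp does not auto-decrypt vault data)
      ansible.builtin.slurp:
        src: "{{ ca_key_vault_file }}"
      register: ca_key_raw
      when: ca_key_stat.stat.exists

    - name: Decrypt the existing key with the unvault filter
      ansible.builtin.set_fact:
        ca_existing_key: "{{ ca_key_raw.content | b64decode | ansible.builtin.unvault(ca_key_vault_password, vault_id=ca_key_vault_id) }}"
      when: ca_key_stat.stat.exists
      no_log: true

    # Without `content` the module always generates a new key; with the current
    # key it only reports `changed` when the key must be (re)generated.
    - name: Generate the key if missing, or regenerate it if the parameters changed
      community.crypto.openssl_privatekey_pipe:
        content: "{{ ca_existing_key | default(omit) }}"
        type: ECC
        curve: secp384r1
      register: ca_key
      no_log: true

    # The vault filter uses a fresh random salt each run, so only write the file
    # when the key actually changed; otherwise every run would rewrite it.
    - name: Persist the new key vault-encrypted on the controller
      ansible.builtin.copy:
        content: "{{ ca_key.privatekey | ansible.builtin.vault(ca_key_vault_password, vault_id=ca_key_vault_id) }}"
        dest: "{{ ca_key_vault_file }}"
        mode: "0600"
      when: ca_key is changed
      no_log: true
```

The written file carries a standard `$ANSIBLE_VAULT;1.2;AES256;ca_key` header, so later plays can also load it through vars_files or vault-aware lookups when the same password is supplied via `--vault-id ca_key@prompt`.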

@agowa
Author

agowa commented Oct 6, 2024

Hmm, that could work. It's a bit more effort to not have it overwritten but should work.

But just a dumb thought, just adding ansible-vault as an optional dependency for this feature wouldn't work? So that the vault encryption isn't done on the controller but on the target (which then may be delegated to e.g. localhost or to a specific CA-VM)?
My main goal is to have at-rest encryption...

@felixfontein
Contributor

But just a dumb thought, just adding ansible-vault as an optional dependency for this feature wouldn't work? So that the vault encryption isn't done on the controller but on the target (which then may be delegated to e.g. localhost or to a specific CA-VM)? My main goal is to have at-rest encryption...

On the controller you cannot access the parts of ansible-core that handle vault, and you also don't have access to the vault password used by the controller.
