Wednesday, November 7, 2018

[Ansible] A file encrypted with ansible-vault cannot be used as an ansible-vault key

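Hello,

This post briefly summarizes an issue found during a lecture in the advanced Ansible course and shares a fix that is closer to a workaround. (The issue was reported by Andrew.)
The issue appears in every Ansible version from 2.5.0a1 onward.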

#1 Prevent ansible-vault from recognizing the generated AES256-encrypted file as a vault-encrypted file

#1-1 First, create vault_key the way you already know.
[vagrant@ansible-server ~]$ ansible-vault create ~/.ansible/vault_key
New Vault password:
Confirm New Vault password:
0L, 0C written
[vagrant@ansible-server ~]$ cat ~/.ansible/vault_key
$ANSIBLE_VAULT;1.1;AES256
34613235653831373135356463663939353438633731356666363961663338366433613833663235
6632336534323665393132646432633338373738303661610a636564656134356136363833663230
65353539323437636266373933646565613961636136656131346565666237393735303562356330
6261333337356137320a353466656237373837613933613038373637613539363461353061366361
3039

#1-2 Now delete the $ (dollar sign) from the file.
[vagrant@ansible-server ~]$ cat .ansible/vault_key
ANSIBLE_VAULT;1.1;AES256
34613235653831373135356463663939353438633731356666363961663338366433613833663235
6632336534323665393132646432633338373738303661610a636564656134356136363833663230
65353539323437636266373933646565613961636136656131346565666237393735303562356330
6261333337356137320a353466656237373837613933613038373637613539363461353061366361
3039

#1-3 After that, vault_key is treated as plaintext and the commands go through.
[vagrant@ansible-server ~]$  ansible-vault encrypt ./group_vars/nodes --vault-password-file ~/.ansible/vault_key
Encryption successful
[vagrant@ansible-server ~]$  ansible-vault decrypt ./group_vars/nodes --vault-password-file ~/.ansible/vault_key
Decryption successful


#2 Create a vault_key made of random data with openssl instead of vault.

#2-1 Run the command below to create a vault_key file named vault_key_by_ssl.
[vagrant@ansible-server ~]$ openssl rand -base64 2048 > ~/.ansible/vault_key_by_ssl

#2-2 Since this is new, take a look at the contents.
[vagrant@ansible-server ~]$ cat ~/.ansible/vault_key_by_ssl

#2-3 Encrypt using the newly created vault_key, vault_key_by_ssl.
[vagrant@ansible-server ~]$  ansible-vault encrypt ./group_vars/nodes --vault-password-file ~/.ansible/vault_key_by_ssl
Encryption successful

#2-4 Check the encrypted file.
[vagrant@ansible-server ~]$ cat ./group_vars/nodes
$ANSIBLE_VAULT;1.1;AES256
38323237383235633039383566343232336237326565633738393662383837316134636639373732
6463626234326530633032323437303638663362643930350a323033636166646334656362343361
65336132366366633936323230363866316135613764336339333830393134356532663662363965
3166653161386136330a313232666439343536393932343730366334666235343738306630303534
35343637306238376362396563383034643564313431653834613938646464663332

#2-5 Try decrypting it as well.
[vagrant@ansible-server ~]$  ansible-vault decrypt ./group_vars/nodes --vault-password-file ~/.ansible/vault_key_by_ssl
Decryption successful
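
Both workarounds above come down to giving ansible-vault a password file that does not begin with the `$ANSIBLE_VAULT;` header. The shell functions below are an added example, not part of the original post: they check a candidate password file for that header and create a random one as in #2-1. The function names are hypothetical, and the owner-only permission check is an added assumption about how such a file should be stored.

```shell
# Added example (not from the original post): pre-flight check for a file
# given to --vault-password-file. Function names are hypothetical.
VAULT_MAGIC='$ANSIBLE_VAULT;'   # header seen in the post's cat output

# Return 0 when the first line of file $1 starts with the vault header.
is_vault_envelope() {
    first_line=''
    IFS= read -r first_line < "$1" || true   # tolerate a missing final newline
    case "$first_line" in
        "$VAULT_MAGIC"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print a verdict for candidate password file $1.
# Return 0 = usable, 1 = vault envelope, 2 = empty/missing, 3 = loose mode.
check_vault_password_file() {
    [ -s "$1" ] || { echo "empty-or-missing"; return 2; }
    if is_vault_envelope "$1"; then
        echo "vault-envelope"; return 1
    fi
    # GNU stat first, BSD/macOS stat as fallback.
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in
        600|400) echo "ok" ;;
        *) echo "loose-permissions:$mode"; return 3 ;;
    esac
}

# Write random base64 text to $1 (as in step #2-1), readable by the owner only.
# $2 = number of random bytes, default 2048 as in the post.
# The base64 alphabet has no '$', so the result never resembles the header.
new_vault_password_file() {
    (
        umask 077
        if command -v openssl >/dev/null 2>&1; then
            openssl rand -base64 "${2:-2048}"
        else
            head -c "${2:-2048}" /dev/urandom | base64   # fallback, assumption
        fi > "$1"
    )
    chmod 600 "$1"
}
```

Source the file and run `check_vault_password_file ~/.ansible/vault_key` before passing the file to `--vault-password-file`.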

If you run into a similar issue, I hope the method above helps.
Regards, 조훈
