Ansible With SOPS - Secret Handling On Ghost Level

Ansible With SOPS

SOPS: Secrets OPerationS - A silent tool for Ghost Operators. Silent Architects.

Ansible Vault safeguards your data.

  • The team grows.
  • The data is more complex.
  • Vault encrypts whole files, so every secret file is an opaque blob: no readable keys, no useful diffs, too much noise.

SOPS encrypts only the values and leaves the keys in clear. It restores the signal.

Get Your New Blade

Download the SOPS Linux binary from the GitHub releases page.
Verify the binary against the release's SHA256 checksums file.
Move it to a directory on your $PATH.

Create or import your GPG key. The private key must be usable by gpg-agent on every machine that runs the playbooks, because the Ansible plugin shells out to sops, which shells out to gpg.
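The install steps above, as an added example that is not code from the page or from the SOPS project: it fetches a release binary and its checksums file, refuses to install on a mismatch or a missing entry, and installs only after the check passes. The asset names (sops-vX.Y.Z.linux.amd64, sops-vX.Y.Z.checksums.txt) and the default VERSION are assumptions to confirm against the getsops/sops release page; the cosign step is optional and is skipped when cosign is not installed.

```shell
#!/bin/sh
# Added example: fetch and verify a SOPS release binary before it goes on $PATH.
# Not the page's or the SOPS project's own code. Assumptions: the release asset
# names and VERSION below; check them against the release you are installing.
set -u
VERSION="${SOPS_VERSION:-3.9.0}"   # assumed version, override with SOPS_VERSION
BASE_URL="https://github.com/getsops/sops/releases/download/v${VERSION}"

# sha256 of a file, using whichever tool the host has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# Compare a file against its entry in a "<sha256>  <name>" checksums file.
# Returns 0 on match, 1 on mismatch, 2 when the file has no entry at all:
# "nothing to compare" must fail closed, never count as success.
verify_checksum() {
    file="$1"; sums="$2"
    name=$(basename "$file")
    expected=$(awk -v n="$name" '{ sub(/^\*/, "", $2) } $2 == n { print $1 }' "$sums")
    if [ -z "$expected" ]; then
        echo "$name: no entry in $sums" >&2
        return 2
    fi
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "$name: checksum mismatch (expected $expected, got $actual)" >&2
        return 1
    fi
    return 0
}

# Download binary + checksums, verify, install. The checksums file comes from
# the same place as the binary, so on its own it only proves the download was
# not corrupted; the release also ships a cosign signature (.sig/.pem) over the
# checksums file, which is what ties it to the getsops release workflow.
install_sops() {
    bin="sops-v${VERSION}.linux.amd64"
    sums="sops-v${VERSION}.checksums.txt"
    curl -fsSLO "${BASE_URL}/${bin}" || return 1
    curl -fsSLO "${BASE_URL}/${sums}" || return 1
    if command -v cosign >/dev/null 2>&1; then
        curl -fsSLO "${BASE_URL}/${sums%.txt}.sig" || return 1
        curl -fsSLO "${BASE_URL}/${sums%.txt}.pem" || return 1
        cosign verify-blob "$sums" \
            --certificate "${sums%.txt}.pem" --signature "${sums%.txt}.sig" \
            --certificate-identity-regexp='https://github.com/getsops' \
            --certificate-oidc-issuer='https://token.actions.githubusercontent.com' \
            || return 1
    fi
    verify_checksum "$bin" "$sums" || return 1
    install -m 0755 "$bin" /usr/local/bin/sops && sops --version
}

# Constructed fixture for exercising verify_checksum offline: a fake "binary",
# a checksums file in the release format, and a second file whose listed hash
# is wrong (simulates a tampered download).
make_fixture() {
    dir=$(mktemp -d)
    printf 'not really a binary\n' > "$dir/sops-v0.0.0.linux.amd64"
    printf 'tampered binary\n' > "$dir/sops-v0.0.0.linux.arm64"
    good=$(sha256_of "$dir/sops-v0.0.0.linux.amd64")
    printf '%s  %s\n' "$good" "sops-v0.0.0.linux.amd64" > "$dir/sops-v0.0.0.checksums.txt"
    printf '%s  %s\n' "$good" "sops-v0.0.0.linux.arm64" >> "$dir/sops-v0.0.0.checksums.txt"
    echo "$dir"
}

# Usage: SOPS_VERSION=3.9.0 sh install_sops.sh install
if [ "${1:-}" = "install" ]; then
    install_sops
fi
```

The distinct return codes matter when this runs in CI: a 2 means the checksums file you fetched does not even describe the artifact you downloaded, which is a different failure from a corrupted or substituted binary.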

Sharpen The Blade

Configure SOPS to use the fingerprint of your GPG key.

Get the fingerprint:

gpg --list-keys

Copy and use it. SOPS_PGP_FP is only the fallback for files that no creation rule in .sops.yaml matches:

export SOPS_PGP_FP="27846AFA62AC8475754E28ACFC0537D05D1D146B"

Test it. If the file does not exist, sops creates it with example content, encrypts it to that fingerprint on save, and decrypts it again on the next edit. The edit subcommand exists from SOPS 3.9; on older releases use sops test.sops.yaml.

sops edit test.sops.yaml

The Silent Ansible Upgrade

Install the Ansible SOPS collection if missing:

ansible-galaxy collection install community.sops

In the ansible.cfg enable the SOPS vars plugin:

[defaults]
vars_plugins_enabled = host_group_vars,community.sops.sops

The plugin only picks up host_vars or group_vars files whose name ends in:

  • .sops.yaml
  • .sops.yml

Configure the SOPS creation rules in the .sops.yaml file at the repository root. The regex is matched against the file path relative to the directory holding .sops.yaml, and it should accept both extensions the plugin loads:

---
creation_rules:
  - path_regex: inventories/.*\.sops\.ya?ml
    key_groups:
      - pgp:
          - 27846AFA62AC8475754E28ACFC0537D05D1D146B

The Ghosts In Action

Create a SOPS encrypted file in host_vars or group_vars. The name must carry the .sops.yml suffix, otherwise it matches neither the creation rule nor the vars plugin:

sops edit inventories/host_vars/hostname.sops.yml

Remove the example content and add your data.

---
my_data:
  - Hello
  - this is from
  - SOPS

Ansible decrypts it on the fly through the vars plugin; the playbook needs nothing SOPS-specific.

---
- name: SOPS test
  hosts: hostname

  tasks:
    - name: Echo the test variable
      ansible.builtin.debug:
        var: my_data
The system bends to you, Ghost Operator.

Sharpening For The Team

Operators rotate. Keys must too.

Add a new teammate

Import their public GPG key:

gpg --import teammate_pubkey.asc

Update the key_groups in .sops.yaml with their fingerprint:

creation_rules:
  - path_regex: inventories/.*\.sops\.ya?ml
    key_groups:
      - pgp:
          - Your Fingerprint
          - Teammate Fingerprint

Re-encrypt the files so SOPS includes both keys. You must be able to decrypt the file yourself, and updatekeys asks for confirmation before writing (pass -y in scripts):

sops updatekeys inventories/host_vars/ghost-infra.sops.yml

Remove a teammate

Delete their fingerprint from .sops.yaml.

Re-encrypt again:

sops updatekeys inventories/host_vars/ghost-infra.sops.yml

Only the fingerprints listed can open the file from now on. That is not enough on its own: updatekeys re-wraps the same data key for the new recipient list, and the removed operator has already seen the plaintext and may hold a copy of the old file. Rotate the data key as well:

sops rotate -i inventories/host_vars/ghost-infra.sops.yml

Then rotate the secrets inside the file.
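The two mistakes the sections above invite are a .sops.yml file that never got encrypted (the plugin then fails, or worse, the plaintext is committed) and a file whose recipient list drifted from .sops.yaml because someone forgot updatekeys after adding or removing a teammate. The audit script below is an added example, not code from the page or from the community.sops collection, and runs before a commit or in CI. It assumes files were written by sops edit as YAML, so each recipient shows up as an fp: line under sops.pgp, and that inventory paths contain no spaces; the fixture it builds is constructed and its ENC[...] and PGP blocks are placeholders, not real ciphertext.

```shell
#!/bin/sh
# Added example: audit an Ansible inventory tree for SOPS hygiene. Not the
# page's or the community.sops collection's own code. Assumptions: files were
# encrypted by `sops edit` as YAML (recipients appear as "fp: <40 hex>" under
# sops.pgp); no spaces in inventory paths; POSIX sh with grep/sed/sort/comm/find.
set -u
LC_ALL=C; export LC_ALL

# A file counts as SOPS-encrypted only if it has the top-level "sops:" metadata
# block AND at least one ENC[...] value. A *.sops.yml without both is plaintext
# that is about to be committed and that the vars plugin cannot decrypt.
is_sops_encrypted() {
    grep -q '^sops:' "$1" && grep -q 'ENC\[' "$1"
}

# PGP fingerprints the file is currently encrypted to, upper-cased and sorted.
file_recipients() {
    sed -n 's/^[[:space:]]*fp:[[:space:]]*\([0-9A-Fa-f]\{40\}\).*/\1/p' "$1" \
        | tr 'a-f' 'A-F' | sort -u
}

# Compare the file's recipients with the expected set (space-separated
# fingerprints, i.e. the pgp list from .sops.yaml). Any difference fails: a
# missing fingerprint means a teammate cannot decrypt, a stale one means a
# removed teammate still can.
check_recipients() {
    file="$1"; expected="$2"
    want=$(mktemp); have=$(mktemp)
    printf '%s\n' $expected | tr 'a-f' 'A-F' | sort -u > "$want"
    file_recipients "$file" > "$have"
    missing=$(comm -23 "$want" "$have")
    stale=$(comm -13 "$want" "$have")
    rm -f "$want" "$have"
    if [ -z "$missing" ] && [ -z "$stale" ]; then
        return 0
    fi
    if [ -n "$missing" ]; then echo "$file: not encrypted to: $missing"; fi
    if [ -n "$stale" ]; then echo "$file: stale recipient, run sops updatekeys: $stale"; fi
    return 1
}

# Walk DIR; only *.sops.yml / *.sops.yaml are checked because those are the
# files the community.sops vars plugin will try to decrypt.
audit_inventory() {
    dir="$1"; expected="$2"; rc=0
    for f in $(find "$dir" -type f \( -name '*.sops.yml' -o -name '*.sops.yaml' \)); do
        if ! is_sops_encrypted "$f"; then
            echo "$f: NOT ENCRYPTED"
            rc=1
            continue
        fi
        check_recipients "$f" "$expected" || rc=1
    done
    return $rc
}

# Constructed fixture: one file shaped like `sops edit` output (placeholders,
# not real ciphertext) encrypted to two operators, and one plaintext file that
# was given the .sops.yml name but never encrypted.
make_sample_inventory() {
    dir=$(mktemp -d)
    mkdir -p "$dir/host_vars" "$dir/group_vars"
    cat > "$dir/host_vars/ghost-infra.sops.yml" <<'EOF'
my_data:
    - ENC[AES256_GCM,data:cGxhY2Vob2xkZXI=,iv:AAAA,tag:BBBB,type:str]
sops:
    pgp:
        - created_at: "2024-01-01T00:00:00Z"
          enc: |
            -----BEGIN PGP MESSAGE-----
            placeholder
            -----END PGP MESSAGE-----
          fp: 27846AFA62AC8475754E28ACFC0537D05D1D146B
        - created_at: "2024-01-01T00:00:00Z"
          enc: |
            -----BEGIN PGP MESSAGE-----
            placeholder
            -----END PGP MESSAGE-----
          fp: 1111111111111111111111111111111111111111
    version: 3.9.0
EOF
    printf 'db_password: hunter2\n' > "$dir/group_vars/all.sops.yml"
    echo "$dir"
}

# Usage: sh sops_audit.sh inventories "FP1 FP2 ..."
if [ "$#" -eq 2 ]; then
    audit_inventory "$1" "$2"
fi
```

Run it with the fingerprint list copied from .sops.yaml; a non-zero exit after removing a teammate tells you updatekeys (and rotate) have not been run yet on that file.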

Final Whisper

Silence keeps the secrets. SOPS keeps them safe.