Move highly sensitive secrets to new "super" vault
All threads resolved!
All threads resolved!
The idea bebind this is to be able to give vault access to new DevOps members without giving away more important credentials like Hetzner's.
Edited by Evangelos Foutras
Merge request reports
Activity
To view the contents of re-encrypted vaults:
git grep -l 'AES256;super$' | parallel 'echo -e "\n\n###" {} && ansible-vault view {}'The rest of the vaults seem fine to continue using the default password:
git grep -l 'AES256$' | grep -v vault_wireguard | parallel 'echo -e "\n\n###" {} && ansible-vault view {}'Edited by Evangelos Foutras
Resolved by Evangelos FoutrasWe must remember to change the password in
vault-default-password.gpgand reencrypt all the default vaults, so people with access to only the default vaults, can't decrypt vaults encrypted before the split (ex: older revision of the Hetzner vault).- Last reply by Evangelos Foutras
added 1 commit
- 99c1dd89 - hcloud_inventory: use read-only API key for hcloud
added 1 commit
- f6de5b8f - Improve vault key docs and consolidate related tasks
added 4 commits
-
cbb3838a...b0f0e2ec - 2 commits from branch
master - ef4e97cf - Place more sensitive secrets into a separate vault
- 72f9dc07 - hcloud_inventory: use read-only API key for hcloud
-
cbb3838a...b0f0e2ec - 2 commits from branch
mentioned in merge request !567 (merged)
added 7 commits
-
899f92c0...cecfd92e - 3 commits from branch
master - b4d60ae2 - Move highly sensitive secrets to new "super" vault
- 24112892 - hcloud_inventory: use read-only API key for hcloud
- b264a2f6 - Remove unused vaults and obsolete secrets
- 375a7816 - Re-encrypt all default vaults with a new password
Toggle commit list-
899f92c0...cecfd92e - 3 commits from branch
mentioned in commit 2702ddfe
mentioned in issue #64
Please register or sign in to reply