From 7fbacf920dc6fe0f59e382dea54a912b02d31020 Mon Sep 17 00:00:00 2001
From: Keith Maxwell
Date: Tue, 12 Feb 2019 15:47:01 +0000
Subject: [PATCH] Remove misleading statement passwords must be same (#49798)

* Remove misleading statement passwords must be same

Since 2.4 Ansible has supported multiple vault passwords:

Meaning lines like the following are misleading:

> The password used with vault currently must be the same for all files you wish
> to use together at the same time.

-- `docs/docsite/rst/user_guide/vault.rst`

To demonstrate this with Ansible 2.7, save the following as `example.yaml`:

```
- name: Display output from two vaults with different passwords
  hosts: localhost
  connection: local
  vars_files: [one.yaml, two.yaml]
  tasks:
    - name: View secret from one.yaml vault
      debug: { var: one }
    - name: View secret from two.yaml vault
      debug: { var: two }
```

Then run the three following commands choosing two different passwords:

```
$ echo 'one: 1' | ansible-vault encrypt --vault-id id1@prompt --output=one.yaml
$ echo 'two: 2' | ansible-vault encrypt --vault-id id2@prompt --output=two.yaml
$ ansible-playbook --vault-id id1@prompt --vault-id id2@prompt example.yaml
```

`ansible-vault` stores an ID in plain text in the vault file.

* Remove note about default in Ansible 2.1

As requested by gundalow in https://github.com/ansible/ansible/pull/49798
---
 docs/docsite/rst/user_guide/vault.rst | 4 +---
 lib/ansible/cli/vault.py | 2 --
 2 files changed, 1 insertion(+), 5 deletions(-)

diff --git a/docs/docsite/rst/user_guide/vault.rst b/docs/docsite/rst/user_guide/vault.rst
index 8296dd1a80..7fba519707 100644
--- a/docs/docsite/rst/user_guide/vault.rst
+++ b/docs/docsite/rst/user_guide/vault.rst
@@ -38,9 +38,7 @@ To create a new encrypted data file, run the following command: ansible-vault create foo.yml -First you will be prompted for a password. The password used with vault currently must be the same for all files you wish to use together at the same time. - -After providing a password, the tool will launch whatever editor you have defined with $EDITOR, and defaults to vi (before 2.1 the default was vim). Once you are done with the editor session, the file will be saved as encrypted data. +First you will be prompted for a password. After providing a password, the tool will launch whatever editor you have defined with $EDITOR, and defaults to vi. Once you are done with the editor session, the file will be saved as encrypted data. The default cipher is AES (which is shared-secret based). diff --git a/lib/ansible/cli/vault.py b/lib/ansible/cli/vault.py index 96dc1588f0..56ea7518f2 100644 --- a/lib/ansible/cli/vault.py +++ b/lib/ansible/cli/vault.py @@ -30,8 +30,6 @@ class VaultCLI(CLI): Because Ansible tasks, handlers, and other objects are data, these can also be encrypted with vault. If you'd like to not expose what variables you are using, you can keep an individual task file entirely encrypted. - - The password used with vault currently must be the same for all files you wish to use together at the same time. ''' VALID_ACTIONS = frozenset(("create", "decrypt", "edit", "encrypt", "encrypt_string", "rekey", "view"))
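
Review bot: The rewritten paragraph in the docs/docsite/rst/user_guide/vault.rst hunk should say something about using different passwords for different files, because after this change the `ansible-vault create foo.yml` step is silent on the subject and a reader who remembers the old wording has nothing to correct it. One sentence naming `--vault-id`, which the commit message uses in its demonstration, would cover it. As a smaller style point in the same added line, "the tool will launch whatever editor you have defined with $EDITOR, and defaults to vi" switches subject halfway through; splitting it into two sentences and giving `$EDITOR` literal markup would read better.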
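
Review bot: The sentence deleted from the VaultCLI docstring in the lib/ansible/cli/vault.py hunk is word for word the one deleted from vault.rst, so it has evidently been copied between files, and the tree should be searched for other copies of "must be the same for all files" before merging so the claim does not survive somewhere else. The docstring would also benefit from a short positive statement about vault IDs in place of the removed line, so that the help text describes the behaviour the commit message demonstrates.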
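
The commit message notes that `ansible-vault` stores an ID in plain text in the vault file. As an added example (not part of the patch or of Ansible's code), the following Python reads that label from the `$ANSIBLE_VAULT` header without any password, which lets you audit which `--vault-id` each file expects. The function names, the dummy payloads and `legacy.yaml` are assumptions made for illustration, and the sample envelopes are constructed, not real ciphertext.

```python
from binascii import hexlify, unhexlify

MAGIC = "$ANSIBLE_VAULT"

def parse_envelope(text):
    """Read the cleartext parts of a vault file; no password is involved."""
    lines = text.strip().splitlines()
    fields = lines[0].strip().split(";")
    if fields[0] != MAGIC or len(fields) < 3:
        raise ValueError("not an Ansible vault envelope")
    version, cipher = fields[1], fields[2]
    # A 1.2 header carries the vault ID label as a fourth field; 1.1 has none.
    vault_id = fields[3] if version == "1.2" and len(fields) > 3 else None
    # The body is hex text that decodes to three hex fields split by newlines.
    body = unhexlify("".join(line.strip() for line in lines[1:]))
    salt, mac, ciphertext = (unhexlify(part) for part in body.split(b"\n", 2))
    return {"version": version, "cipher": cipher, "vault_id": vault_id,
            "salt": salt, "hmac": mac, "ciphertext_len": len(ciphertext)}

def ids_by_file(files):
    """Map each file name to the vault ID its header names (None if unlabeled)."""
    return {name: parse_envelope(text)["vault_id"] for name, text in files.items()}

def build_sample(vault_id, payload):
    """Constructed envelope: dummy salt/HMAC and unencrypted filler, layout only."""
    parts = (b"\x01" * 32, b"\x02" * 32, payload)
    outer = hexlify(b"\n".join(hexlify(p) for p in parts)).decode()
    wrapped = [outer[i:i + 80] for i in range(0, len(outer), 80)]
    header = [MAGIC, "1.2", "AES256", vault_id] if vault_id else [MAGIC, "1.1", "AES256"]
    return "\n".join([";".join(header)] + wrapped) + "\n"

# Constructed stand-ins for the one.yaml and two.yaml of the commit message.
SAMPLES = {
    "one.yaml": build_sample("id1", b"filler-1" * 4),
    "two.yaml": build_sample("id2", b"filler-2" * 4),
    "legacy.yaml": build_sample(None, b"filler-3" * 4),  # hypothetical unlabeled file
}

if __name__ == "__main__":
    for name, vid in ids_by_file(SAMPLES).items():
        print(f"{name}: vault ID {vid!r}")
```

Because the label sits outside the encrypted payload, treat vault ID names as visible to anyone who can read the repository and keep sensitive detail out of them.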