Using GNOME Keyring to Store Ansible Vault Passwords

A very rough guide on how to use the GNOME Keyring (via libsecret-tools) to securely store and retrieve Ansible Vault password(s).


Prerequisites

Install libsecret-tools:

sudo apt install libsecret-tools

You should also have Ansible installed and a working GNOME Keyring.


1. Store the Ansible Vault Password

To store your vault password in GNOME Keyring:

secret-tool store --label='Ansible Vault Key - SRv6 Project' application ansible-vault vault-id SRv6
Password:

When prompted, enter the password you want to use for the vault.

“application ansible-vault” and “vault-id SRv6” are attribute key/value pairs that are used to locate the entry during retrieval. Make sure the combination is unique, otherwise the old value is overwritten. “--label” is just a display name and is not used for searching; you can have multiple entries with the same label in a keyring as long as their “vault-id” differs.


2. Retrieve the Password Manually

To test that it’s stored correctly:

secret-tool lookup application ansible-vault vault-id SRv6

This should print your stored password, e.g.:

SuperSecretPassword

3. Create a Vault Password Client Script

A small script that Ansible can use to fetch the password from GNOME Keyring. Ansible only passes the “--vault-id” argument to executables whose base name ends in “-client” (e.g. “something-client.ext”); any other executable is called with no arguments.

cat > gnome-keyring-client.sh <<'EOF'
#!/bin/sh
# Ansible calls this script as: gnome-keyring-client.sh --vault-id <id>
# and reads the vault password from STDOUT.
if [ "$1" != "--vault-id" ] || [ "$#" -ne 2 ]; then
    echo "Usage: $0 --vault-id vaultID" >&2
    exit 1
fi

# Look up the entry stored with "application ansible-vault vault-id <id>".
# secret-tool exits non-zero when no entry matches, so Ansible reports the
# failure instead of silently using an empty password.
exec /usr/bin/secret-tool lookup application ansible-vault vault-id "$2"
EOF

chmod +x gnome-keyring-client.sh

4. Test the Script

Run:

./gnome-keyring-client.sh --vault-id SRv6

Expected output:

SuperSecretPassword

5. Create an Encrypted Vault File

Note that “SRv6” before the “@” corresponds to the value of the “vault-id” attribute used to store the password in the keyring, and gnome-keyring-client.sh is just the path to the executable that extracts it. Ansible calls that executable with “--vault-id SRv6” as arguments and expects the password on STDOUT.

ansible-vault create --vault-id SRv6@gnome-keyring-client.sh secrets.enc

This will launch your default text editor with an empty file. Add some secrets, save, and exit. File “secrets.enc” now contains encrypted secrets.

Example contents of encrypted file:

> cat secrets.enc
$ANSIBLE_VAULT;1.2;AES256;SRv6
36653233623138386562643636303962343962653464313439346239656
...

6. Working with the Vault

Edit:

ansible-vault edit --vault-id SRv6@gnome-keyring-client.sh secrets.enc

View:

ansible-vault view --vault-id SRv6@gnome-keyring-client.sh secrets.enc

7. Using with Playbooks

You can use the GNOME Keyring client with playbooks:

ansible-playbook --vault-id SRv6@gnome-keyring-client.sh playbook.yml

Note: If your vault ID in Ansible does not match the one stored in GNOME Keyring, you’ll get an error:

[WARNING]: Error in vault password file loading (dev):
Vault password client script returned non-zero (1) ...

Make sure your vault IDs match exactly.
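A pre-flight check for exactly this mismatch, added here as an example and not part of the original guide: it reads the vault-id recorded in a vault file's header (the fourth field of a version 1.2 header, as in the “SRv6” file above) and confirms that a keyring entry with the same application/vault-id attributes exists. The SECRET_TOOL override is an assumption made so the check can be exercised without a running keyring.

```shell
#!/bin/sh
# Print the vault-id recorded in the header of an Ansible Vault file.
# Header format: $ANSIBLE_VAULT;<version>;<cipher>[;<vault-id>]
# Version 1.2 headers carry a vault-id; 1.1 headers do not (prints "default").
vault_id_of_file() {
    header=$(head -n 1 "$1")
    case "$header" in
        '$ANSIBLE_VAULT;'*) ;;
        *) echo "not an ansible vault file: $1" >&2; return 1 ;;
    esac
    version=$(printf '%s\n' "$header" | cut -d';' -f2)
    id=$(printf '%s\n' "$header" | cut -d';' -f4)
    if [ "$version" = "1.2" ] && [ -n "$id" ]; then
        printf '%s\n' "$id"
    else
        printf 'default\n'
    fi
}

# Verify that the keyring holds a password for the file's vault-id, using the
# same attributes the guide stores. SECRET_TOOL (assumption, for testing)
# defaults to the real secret-tool binary. Returns non-zero on a mismatch.
check_vault_secret() {
    id=$(vault_id_of_file "$1") || return 1
    if "${SECRET_TOOL:-secret-tool}" lookup application ansible-vault \
            vault-id "$id" >/dev/null 2>&1; then
        echo "$1: vault-id '$id' found in keyring"
    else
        echo "$1: no keyring entry for vault-id '$id' (store it with secret-tool)" >&2
        return 1
    fi
}
```

Run `check_vault_secret secrets.enc` before `ansible-playbook` to catch a missing or misnamed keyring entry with a clear message instead of the client-script error above.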

