# vault2vault
Like
[`ansible-vault rekey`](https://docs.ansible.com/ansible/latest/cli/ansible-vault.html#rekey)
but works recursively on encrypted files and in-line variables
[![CI Status](https://github.com/enpaul/vault2vault/workflows/CI/badge.svg?event=push)](https://github.com/enpaul/vault2vault/actions)
[![PyPI Version](https://img.shields.io/pypi/v/vault2vault)](https://pypi.org/project/vault2vault/)
[![License](https://img.shields.io/pypi/l/vault2vault)](https://opensource.org/licenses/MIT)
[![Python Supported Versions](https://img.shields.io/pypi/pyversions/vault2vault)](https://www.python.org)
[![Code style: black](https://img.shields.io/badge/code%20style-black-000000.svg)](https://github.com/psf/black)
⚠️ **This project is alpha software and is under active development** ⚠️
- [What is this?](#what-is-this)
- [Installing](#installing)
- [Using](#using)
- [Developing](#developer-documentation)
## What is this?
If you use [Ansible Vault](https://docs.ansible.com/ansible/latest/user_guide/vault.html)
then you may have encountered the problem of needing to roll your vault password. Maybe
you found it written down on a sticky note, maybe a coworker who knows it left the
company, maybe you accidentally typed it into Slack when you thought the focus was on your
terminal. Whatever, these things happen.
The built-in tool Ansible provides,
[`ansible-vault rekey`](https://docs.ansible.com/ansible/latest/cli/ansible-vault.html#rekey),
suffers from two main drawbacks: first, it only works on vault-encrypted files and not on
vault-encrypted YAML data; and second, it only works on a single vault-encrypted file at
a time. To rekey everything in a large project you'd need to write a script that
recursively goes through every file and rekeys every encrypted file and YAML variable all
at once.
This is that script.
## Installing
If you're using [Poetry](https://python-poetry.org/) or
[Pipenv](https://pipenv.pypa.io/en/latest/) to manage your Ansible runtime environment,
you can just add `vault2vault` to that same environment:
```bash
# using poetry
poetry add vault2vault --dev
# using pipenv
pipenv install vault2vault
```
If you're using Ansible from your system package manager, it's probably easier to just
install `vault2vault` using [PipX](https://pypa.github.io/pipx/) and the `ansible` extra:
```bash
pipx install vault2vault[ansible]
```
**Note: vault2vault requires an Ansible installation to function. If you are installing to a standalone virtual environment (like with PipX) then you must install it with the `ansible` extra to ensure a version of Ansible is available to the application.**
## Using
These docs are pretty sparse, largely because this project is still under active design
and redevelopment. Here are the command line options:
```
> vault2vault --help
usage: vault2vault [-h] [--version] [--interactive] [-v] [-b] [-i VAULT_ID] [--ignore-undecryptable]
                   [--old-pass-file OLD_PASS_FILE] [--new-pass-file NEW_PASS_FILE]
                   [paths ...]

Recursively rekey ansible-vault encrypted files and in-line variables

positional arguments:
  paths                 Paths to search for Ansible Vault encrypted content

options:
  -h, --help            show this help message and exit
  --version             Show program version and exit
  --interactive         Step through files and variables interactively, prompting for confirmation before making
                        each change
  -v, --verbose         Increase verbosity; can be repeated
  -b, --backup          Write a backup of every file to be modified, suffixed with '.bak'
  -i VAULT_ID, --vault-id VAULT_ID
                        Limit rekeying to encrypted secrets with the specified Vault ID
  --ignore-undecryptable
                        Ignore any file or variable that is not decryptable with the provided vault secret instead
                        of raising an error
  --old-pass-file OLD_PASS_FILE
                        Path to a file with the old vault password to decrypt secrets with
  --new-pass-file NEW_PASS_FILE
                        Path to a file with the new vault password to rekey secrets with
```
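As an added example (not vault2vault's own code), here is a standard-library-only Python scanner that walks a project tree the same way a recursive rekey must: it reports every whole-file vault blob and every in-line `!vault` YAML variable together with its vault format version and vault-id label, which is what `--vault-id` filters on. Run it before a rekey to see what will be touched and after to confirm nothing was left behind. The sample project, its paths and the hex bodies are constructed placeholders.

```python
import os, re, tempfile
from typing import List, Tuple

# Vault payload header: format 1.1 is unlabelled, 1.2 carries the vault-id label.
HEADER_RE = re.compile(r"^\$ANSIBLE_VAULT;(?P<version>1\.[12]);AES256(?:;(?P<label>[^\s;]+))?$")
# Start of an in-line vaulted YAML scalar: "key: !vault |" on its own line.
INLINE_RE = re.compile(r"^[ \t]*(?P<key>[^\s#:][^:\n]*):[ \t]*!vault[ \t]*\|[ \t]*$", re.M)

def scan_text(path: str, text: str) -> List[Tuple[str, str, str, str]]:
    """Return (path, key, version, label) per payload; key is "" for a whole-file blob."""
    head = HEADER_RE.match(text.lstrip().split("\n", 1)[0].strip())
    if head:  # the whole file is a single vault blob
        return [(path, "", head["version"], head["label"] or "")]
    items = []
    for km in INLINE_RE.finditer(text):
        # The header is the first non-blank line after "key: !vault |".
        nxt = text[km.end():].lstrip("\n").split("\n", 1)[0].strip()
        hm = HEADER_RE.match(nxt)
        if hm:
            items.append((path, km["key"].strip(), hm["version"], hm["label"] or ""))
    return items

def scan_tree(root: str) -> List[Tuple[str, str, str, str]]:
    """Recurse through root like a recursive rekey would, returning sorted findings."""
    found = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                with open(full, encoding="utf-8") as fh:
                    found.extend(scan_text(os.path.relpath(full, root), fh.read()))
            except UnicodeDecodeError:  # binary file; nothing vaulted to find
                continue
    return sorted(found)

# Constructed sample project; the hex bodies are placeholders, not real ciphertext.
SAMPLES = {
    "group_vars/all/vault.yml": "$ANSIBLE_VAULT;1.2;AES256;prod\n3131323233330a\n",
    "host_vars/db01.yml": "db_password: !vault |\n  $ANSIBLE_VAULT;1.1;AES256\n  34343535\n"
                          "api_key: !vault |\n  $ANSIBLE_VAULT;1.2;AES256;dev\n  36363737\n",
    "README.md": "# nothing vaulted here\n",
}

def demo() -> List[Tuple[str, str, str, str]]:
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLES.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root)
```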
Please report any bugs or issues you encounter on
[Github](https://github.com/enpaul/vault2vault/issues).
## Developer Documentation
All project contributors and participants are expected to adhere to the
[Contributor Covenant Code of Conduct, v2](CODE_OF_CONDUCT.md) ([external link](https://www.contributor-covenant.org/version/2/0/code_of_conduct/)).
The `devel` branch has the latest (and potentially unstable) changes. The stable releases
are tracked on [Github](https://github.com/enpaul/vault2vault/releases),
[PyPi](https://pypi.org/project/vault2vault/#history), and in the
[Changelog](CHANGELOG.md).
- To report a bug, request a feature, or ask for assistance, please
[open an issue on the Github repository](https://github.com/enpaul/vault2vault/issues/new).
- To report a security concern or code of conduct violation, please contact the project
author directly at **me \[at\] enp dot one**.
- To submit an update, please
[fork the repository](https://docs.github.com/en/enterprise/2.20/user/github/getting-started-with-github/fork-a-repo)
and [open a pull request](https://github.com/enpaul/vault2vault/compare).
Developing this project requires [Python 3.7+](https://www.python.org/downloads/) and
[Poetry 1.0](https://python-poetry.org/docs/#installation) or later. GNU Make can
optionally be used to quickly set up a local development environment, but this is not
required.
To set up a local development environment:
```bash
# Clone the repository...
# ...over HTTPS
git clone https://github.com/enpaul/vault2vault.git
# ...over SSH
git clone git@github.com:enpaul/vault2vault.git
cd vault2vault/
# Create and configure the local development environment...
make dev
# Run tests and CI locally...
make test
# See additional make targets
make help
```