
To be a bit pedantic, all .yml files can be encrypted with ansible-vault, so also playbooks and roles.

There are two things currently that bother me about ansible-vault. The first is that the 'edit' command writes a completely new file even if I didn't change anything. And the second is that the diffs in git become useless. I'd love to have a special diff driver for ansible-vault encrypted files that decrypts before diffing when the secret is available.

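The decrypt-before-diff driver wished for above can be built on git's textconv mechanism. This is an added example, not code from the thread or from the Ansible project; it assumes git is installed, that ansible-vault can decrypt non-interactively (for example via ANSIBLE_VAULT_PASSWORD_FILE), and the `*.vault.yml` glob is just a naming convention chosen here.

```shell
#!/bin/sh
# Added example: register "ansible-vault view" as a git textconv driver so
# that git diff / git log -p show decrypted content when the vault password
# is available and the ciphertext otherwise. Assumes git, a non-interactive
# vault password source, and the (assumed) *.vault.yml naming convention.

# is_vault_file <path>: succeeds if the file starts with the header that
# every ansible-vault encrypted file carries ("$ANSIBLE_VAULT;").
is_vault_file() {
  [ "$(head -c 15 "$1")" = '$ANSIBLE_VAULT;' ]
}

# textconv_filter <path>: the conversion git applies to each blob before
# diffing. Plaintext (e.g. a revision from before the file was encrypted)
# passes through unchanged; if decryption fails because no vault password
# is available, fall back to the ciphertext instead of aborting the diff.
textconv_filter() {
  if is_vault_file "$1"; then
    ansible-vault view "$1" 2>/dev/null || cat "$1"
  else
    cat "$1"
  fi
}

# install_vault_diff <repo> [glob]: write the filter as a script under .git,
# register it as diff driver "ansible-vault" and map the glob to that driver.
install_vault_diff() {
  repo="$1"; pattern="${2:-*.vault.yml}"
  script="$repo/.git/vault-textconv.sh"
  cat > "$script" <<'EOF'
#!/bin/sh
# git textconv filter: decrypt ansible-vault files, pass anything else through
if [ "$(head -c 15 "$1")" = '$ANSIBLE_VAULT;' ]; then
  ansible-vault view "$1" 2>/dev/null || cat "$1"
else
  cat "$1"
fi
EOF
  chmod 700 "$script"
  git -C "$repo" config diff.ansible-vault.textconv "$script"
  # never let git cache decrypted output under refs/notes/textconv/
  git -C "$repo" config diff.ansible-vault.cachetextconv false
  # .gitattributes is committed and travels with the repo; the driver config
  # above is local to this clone and must be repeated in every checkout.
  printf '%s diff=ansible-vault\n' "$pattern" >> "$repo/.gitattributes"
}
```

Run `install_vault_diff /path/to/repo '*.vault.yml'` once per clone; `git diff` then shows plaintext changes to vault files, which also gives pull-request review a readable diff when the reviewer holds the password.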


If you use show instead of edit, it doesn't re-encrypt the file.

Agreed on the useless diffs, however; it makes reviewing pull requests or changes much harder.


I'm curious, why do you feel the need to encrypt every single file instead of just secrets (to keep reviewing possible)? :)


I usually only encrypt var files that contain things like db passwords or something. In our case it made it harder to spot typos in the username for example.

I wouldn't encrypt a whole playbook for example.


We don't encrypt all of the credentials, just the actual passwords.


Uhm, for me edit brings up vi; I then :q and the file's modification date doesn't change?



