fanf: (dotat)

Ansible is the configuration management tool we use at work. It has built-in support for encrypted secrets, called ansible-vault, so you can safely store secrets in version control.

I thought I should review the ansible-vault code.

Summary

It's a bit shoddy but probably OK, provided you have a really strong vault password.

HAZMAT

The code starts off with a bad sign:

    from cryptography.hazmat.primitives.hashes import SHA256 as c_SHA256
    from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC
    from cryptography.hazmat.backends import default_backend

I like the way the Python cryptography library calls this stuff HAZMAT but I don't like the fact that Ansible is getting its hands dirty with HAZMAT. It's likely to lead to embarrassing cockups, and in fact Ansible had an embarrassing cockup - there are two vault ciphers, "AES" (the cockup, now disabled except that for compatibility you can still decrypt) and "AES256" (fixed replacement).

As a consequence of basing ansible-vault on relatively low-level primitives, it has its own Python implementations of constant-time comparison and PKCS#7 padding. Ugh.

Good

Proper random numbers:

    b_salt = os.urandom(32)

Poor

Iteration count:

    b_derivedkey = PBKDF2(b_password, b_salt,
                          dkLen=(2 * keylength) + ivlength,
                          count=10000, prf=pbkdf2_prf)

PBKDF2 HMAC SHA256 takes about 24ms for 10k iterations on my machine, which is not bad but also not great - e.g. 1Password uses 100k iterations of the same algorithm, and gpg tunes its non-PBKDF2 password hash to take (by default) at least 100ms.

The deeper problem here is that Ansible has hard-coded the PBKDF2 iteration count, so it can't be changed without breaking compatibility. In gpg an encrypted blob includes the variable iteration count as a parameter.
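The following is an added illustration of the point about parameterising the iteration count, written for this review and not taken from Ansible's source. It uses the Python standard library's hashlib.pbkdf2_hmac rather than the cryptography package, and the header layout (a constructed magic string, the salt, and a 32-bit big-endian count) is an assumption made up for the example, not any format Ansible or gpg actually uses. The point it makes is that once the count travels with the blob, a reader written today can still open a file written with 10k iterations while new files are written with a count calibrated to a time budget, which is the gpg approach described above.

```python
import hashlib
import os
import struct
import time

# Constructed format tag for this example only; Ansible's vault header looks nothing like this.
MAGIC = b"EXAMPLE-KDF-V1"
DEFAULT_SALT_LEN = 32


def derive_key(password: bytes, salt: bytes, count: int, length: int = 32) -> bytes:
    """PBKDF2-HMAC-SHA256, the same primitive ansible-vault uses, via the stdlib."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, count, dklen=length)


def pack_header(salt: bytes, count: int) -> bytes:
    """Serialise the KDF parameters in front of the payload: magic | salt_len | salt | count."""
    if not 1 <= len(salt) <= 255:
        raise ValueError("salt length must fit in one byte")
    return MAGIC + struct.pack(">B", len(salt)) + salt + struct.pack(">I", count)


def unpack_header(blob: bytes):
    """Parse the header back out; returns (salt, count, remaining payload)."""
    if not blob.startswith(MAGIC):
        raise ValueError("not an example KDF header")
    pos = len(MAGIC)
    (salt_len,) = struct.unpack(">B", blob[pos:pos + 1])
    pos += 1
    salt = blob[pos:pos + salt_len]
    pos += salt_len
    (count,) = struct.unpack(">I", blob[pos:pos + 4])
    pos += 4
    if len(salt) != salt_len or count == 0:
        raise ValueError("truncated or malformed header")
    return salt, count, blob[pos:]


def calibrate_iterations(target_seconds: float = 0.1, start: int = 10_000) -> int:
    """Double the count until one derivation takes at least target_seconds on this host.

    This mirrors gpg's 'tune to a time budget' behaviour; the result is stored in
    the header so other hosts do not need to agree on it in advance."""
    count = start
    while True:
        t0 = time.perf_counter()
        derive_key(b"calibration", b"\x00" * DEFAULT_SALT_LEN, count)
        if time.perf_counter() - t0 >= target_seconds:
            return count
        count *= 2


def seal_parameters(count: int, payload: bytes) -> bytes:
    """Produce a blob with a fresh random salt and the chosen iteration count."""
    return pack_header(os.urandom(DEFAULT_SALT_LEN), count) + payload


def key_for_blob(password: bytes, blob: bytes) -> bytes:
    """A reader never hard-codes the count: it takes whatever the blob says."""
    salt, count, _payload = unpack_header(blob)
    return derive_key(password, salt, count)


if __name__ == "__main__":
    old_blob = seal_parameters(10_000, b"constructed payload")
    new_blob = seal_parameters(calibrate_iterations(), b"constructed payload")
    for blob in (old_blob, new_blob):
        _, count, _ = unpack_header(blob)
        print(count, key_for_blob(b"correct horse", blob).hex()[:16])
```

Because the reader takes the count from the header, raising the default for newly written files does not break existing ones, which is exactly what the hard-coded count=10000 in the quoted code prevents.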

Ugly

ASCII armoring:

    b_vaulttext = b'\n'.join([hexlify(b_salt),
                              to_bytes(hmac.hexdigest()),
                              hexlify(b_ciphertext)])
    b_vaulttext = hexlify(b_vaulttext)

The ASCII-armoring of the ciphertext is as dumb as a brick, with hex-encoding inside hex-encoding.
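As an added example (not ansible-vault's own code), here is a parser for the hex-inside-hex layout quoted above, a size comparison against a single base64 layer, and a tag check using the standard library's hmac.compare_digest in place of a hand-rolled constant-time comparison like the one the review complains about. The MAC construction (HMAC-SHA256 over the ciphertext, keyed with a separate MAC key) and the sample salt, key and ciphertext are assumptions constructed for the example; only the three-field, double-hexlify layout comes from the quoted code.

```python
import hashlib
import hmac
from binascii import hexlify, unhexlify


def armor(salt: bytes, tag_hex: bytes, ciphertext: bytes) -> bytes:
    """Reproduce the quoted layout: hex salt, hex HMAC, hex ciphertext joined by
    newlines, and then the whole thing hex-encoded a second time."""
    inner = b"\n".join([hexlify(salt), tag_hex, hexlify(ciphertext)])
    return hexlify(inner)


def dearmor(blob: bytes):
    """Undo both hex layers; returns (salt, tag_hex, ciphertext)."""
    inner = unhexlify(blob.strip())
    parts = inner.split(b"\n")
    if len(parts) != 3:
        raise ValueError("expected exactly salt, hmac and ciphertext fields")
    salt_hex, tag_hex, ct_hex = parts
    return unhexlify(salt_hex), tag_hex, unhexlify(ct_hex)


def make_tag(mac_key: bytes, ciphertext: bytes) -> bytes:
    """Assumed MAC: HMAC-SHA256 over the ciphertext, hex-encoded like hmac.hexdigest()."""
    return hmac.new(mac_key, ciphertext, hashlib.sha256).hexdigest().encode()


def verify_tag(mac_key: bytes, ciphertext: bytes, tag_hex: bytes) -> bool:
    """Constant-time comparison from the stdlib; no need for a private implementation."""
    return hmac.compare_digest(make_tag(mac_key, ciphertext), tag_hex)


def double_hex_size(ct_len: int, salt_len: int = 32, tag_hex_len: int = 64) -> int:
    """Armored length for the quoted layout: each inner byte costs 4 output characters."""
    inner = 2 * salt_len + 1 + tag_hex_len + 1 + 2 * ct_len
    return 2 * inner


def base64_size(ct_len: int, salt_len: int = 32, tag_len: int = 32) -> int:
    """Length if the raw salt, raw 32-byte tag and ciphertext were base64-encoded once."""
    raw = salt_len + tag_len + ct_len
    return 4 * ((raw + 2) // 3)


if __name__ == "__main__":
    # Constructed sample values; not real vault material.
    salt = bytes(range(32))
    mac_key = b"\x42" * 32
    ciphertext = b"\xaa" * 1000
    blob = armor(salt, make_tag(mac_key, ciphertext), ciphertext)
    s, t, c = dearmor(blob)
    print("tag ok:", verify_tag(mac_key, c, t))
    print("double hex:", len(blob), "base64 would be:", base64_size(len(ciphertext)))
```

For a 1000-byte ciphertext the double-hex layout costs 4260 characters where one base64 layer would cost 1420, so the armoring triples the file size for no gain beyond keeping the inner newlines out of the outer text.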

File handling

I also (more briefly) looked through ansible-vault's higher-level code for managing vault files.

It is based on handing decrypted YAML files to $EDITOR, so it's a bit awkward if you don't want to wrap secrets in YAML or if you don't want to manipulate them in your editor.

It uses mkstemp(), so the decrypted file can be placed on a ram disk, though you might have to set TMPDIR to make sure.

It shred(1)s the file after finishing with it.


