Ansible sudo password == Ansible vault password?

Looking at the install instructions here: Install Using Commcare-Cloud on one or more machines — CommCareHQ Deployment documentation

It says:

13. Before we encrypt the vault.yml file, have a look at the vault.yml file. (Substitute “cluster”.)

$ cat ~/environments/cluster/vault.yml

Find the value of “ansible_sudo_pass” and record it in your password manager. We will need this to deploy CommCare HQ.

  1. Encrypt the provided vault file, using that “ansible_sudo_pass”. (As usual, substitute “cluster” with the name of your environment.)

$ ansible-vault encrypt ~/environments/cluster/vault.yml

Is that correct? Why does the same password used to protect the vault need to be recorded in the Vault?

That is an excellent question!

I have also wondered why we use the ansible password to encrypt the vault file.

I'm guessing the reason was that you need both frequently at the start of an installation, and this made it more convenient? I'm not certain.

"ansible_sudo_pass" does need to be in the vault file. But the vault file can be encrypted with a different password. It is the vault file's password that must be stored securely, because if you lose that password you will no longer be able to decrypt the encrypted storage, and that would be Very Very Bad.

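A pre-encryption check that follows from the point above, written as an added example rather than anything from this thread or the commcare-cloud project: it reads an unencrypted vault.yml, refuses to proceed when the chosen vault password is the same secret as ansible_sudo_pass, and otherwise hands the file to `ansible-vault encrypt --vault-password-file` so the two passwords stay independent. The flat `key: value` parser, the helper names and the sample contents are assumptions.

```python
"""Refuse to encrypt vault.yml with the ansible_sudo_pass stored inside it.
Added example, not code from the forum thread or from commcare-cloud.
Assumes vault.yml is a flat YAML mapping of top-level `key: value` lines,
which is all that is parsed here (no PyYAML dependency)."""
import hmac
import re
import subprocess
import sys

KEY = "ansible_sudo_pass"
VAULT_HEADER = "$ANSIBLE_VAULT;1.1;AES256"  # first line ansible-vault writes


def read_flat_yaml(text):
    """Parse top-level `key: value` lines; indented or comment lines are skipped."""
    values = {}
    for line in text.splitlines():
        m = re.match(r'^([A-Za-z_][A-Za-z0-9_]*)\s*:\s*(.*?)\s*$', line)
        if not m:
            continue
        key, val = m.groups()
        if len(val) >= 2 and val[0] == val[-1] and val[0] in "\"'":
            val = val[1:-1]  # strip one layer of matching quotes
        values[key] = val
    return values


def is_encrypted(text):
    """True if the file already carries the ansible-vault header."""
    return text.startswith(VAULT_HEADER)


def vault_password_ok(vault_text, vault_password):
    """True when vault_password differs from ansible_sudo_pass in the plaintext vault."""
    if is_encrypted(vault_text):
        raise ValueError("vault.yml is already encrypted; nothing to check")
    sudo_pass = read_flat_yaml(vault_text).get(KEY)
    if sudo_pass is None:
        raise ValueError(f"{KEY} missing from vault.yml")
    # constant-time comparison so the check itself leaks nothing about either secret
    return not hmac.compare_digest(sudo_pass.encode(), vault_password.encode())


def encrypt_with_separate_password(vault_path, password_file):
    """Encrypt vault_path with the password in password_file (keep that file mode 0600)."""
    with open(vault_path) as f, open(password_file) as p:
        if not vault_password_ok(f.read(), p.read().rstrip("\n")):
            sys.exit("refusing: vault password equals ansible_sudo_pass")
    subprocess.run(["ansible-vault", "encrypt", "--vault-password-file",
                    password_file, vault_path], check=True)


# Constructed sample of a vault.yml before encryption (hypothetical values).
SAMPLE_VAULT = 'ansible_sudo_pass: "sudo-pw-example"\nDB_PASSWORD: "db-pw-example"\n'
```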

Excellent, thanks for confirming, Norman. I just happened to notice it while setting up a temporary dev server this week. I've probably overlooked it before because I've generated my own installation documentation over time, but I ran into some gotchas that made me go back to the original online docs. Not being a fan of reusing passwords, I'll keep them independent.

Thanks again!