How to use BCD with sensitive data encrypted
BCD scenarios are YAML files that may carry sensitive data such as passwords or private credentials. File system permissions restrict who can read a scenario file on the controller, but they do not protect the data once the file is copied or committed to source control, so encrypting the sensitive data adds a worthwhile layer of protection.
BCD therefore supports Ansible Vault to encrypt sensitive data, and automatically decrypts Vault-encrypted content at runtime when the decryption password is provided.
This tutorial explains how to encrypt files with ansible-vault and how to configure BCD to decrypt the Vault-encrypted data.
Create a Vault password file
A password is required to encrypt and decrypt your sensitive data. BCD requires this password to be stored in a file whose path is set in the ANSIBLE_VAULT_PASSWORD_FILE environment variable.
Warning: Password file permissions
Ensure the permissions on the file are such that no one else can read your password, and do not add the password file to source control.
The password should be a string stored as a single line in the file.
In your BCD controller, create a vault_pass file containing the MyV@ultPa55 password and set the ANSIBLE_VAULT_PASSWORD_FILE environment variable to its absolute path:

bonita@bcd-controller:~/bonita-continuous-delivery$ echo "MyV@ultPa55" > vault_pass
bonita@bcd-controller:~/bonita-continuous-delivery$ chmod 600 vault_pass
bonita@bcd-controller:~/bonita-continuous-delivery$ ls -l $(pwd)/vault_pass
-rw------- 1 bonita bonita 12 Apr 30 09:40 /home/bonita/bonita-continuous-delivery/vault_pass
bonita@bcd-controller:~/bonita-continuous-delivery$ export ANSIBLE_VAULT_PASSWORD_FILE=/home/bonita/bonita-continuous-delivery/vault_pass

The export only applies to the current shell session; add it to the shell profile of the user running BCD if the variable must persist across sessions.
Encrypt your BCD scenario file
Assuming your BCD scenario file contains sensitive data, you can now encrypt the whole file with the ansible-vault encrypt command.
In your BCD controller, encrypt your scenarios/myscenario.yml file using the Vault password defined in the previous step:
bonita@bcd-controller:~/bonita-continuous-delivery$ ansible-vault encrypt scenarios/myscenario.yml Encryption successful
As a result, the scenarios/myscenario.yml file is Vault-encrypted. It may be safely added to source control as long as the Vault password remains confidential.
View / Edit / Decrypt
If you need to view or edit the scenario content, use the ansible-vault view and ansible-vault edit commands respectively.
You may also decrypt your scenario file back to plaintext with the ansible-vault decrypt command; remember that a decrypted file must not be committed to source control.
Refer to the Ansible Vault documentation for detailed information about this feature.
Run BCD commands as usual
You may now run BCD commands without any change. BCD and Ansible will automatically decrypt your Vault-encrypted data.
You may encrypt several files, but the password must be the same for all files you wish to use together at the same time.
Although Ansible supports prompting for a password, BCD only supports a password provided through a password file defined by the ANSIBLE_VAULT_PASSWORD_FILE environment variable.
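The whole procedure as a runnable shell script, added here as an example and not taken from the BCD documentation or from Ansible: it creates the password file with owner-only permissions, checks the file before using it, encrypts a constructed scenario file through ANSIBLE_VAULT_PASSWORD_FILE and recognises an encrypted scenario by its $ANSIBLE_VAULT header. The WORKDIR location, the function names and the placeholder scenario content are assumptions for the example; the encryption step is skipped when ansible-vault is not installed so the checks still run.

```shell
#!/bin/sh
# Added example, not code from the BCD documentation or from Ansible.
# Assumptions: WORKDIR (a temporary directory by default) and the scenario
# content are placeholders; the function names are this example's own.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Write the password as a single line into a file only the owner can read.
# umask 077 makes a new file 0600 at creation, so it is never world-readable;
# the explicit chmod also tightens a pre-existing file with looser permissions.
create_vault_passfile() {
  local passfile="$1" password="$2"
  ( umask 077; printf '%s\n' "$password" > "$passfile" )
  chmod 600 "$passfile"
  printf '%s\n' "$passfile"
}

# Succeed only if the password file is a non-empty regular file, readable by
# its owner alone (mode 600 or 400) and holds at most one line, as BCD expects.
check_vault_passfile() {
  local passfile="$1" mode lines
  [ -f "$passfile" ] && [ -s "$passfile" ] || return 1
  mode=$(stat -c '%a' "$passfile" 2>/dev/null || stat -f '%Lp' "$passfile")
  case "$mode" in
    600|400) ;;
    *) return 1 ;;
  esac
  lines=$(wc -l < "$passfile" | tr -d ' ')
  [ "$lines" -le 1 ]
}

# Ansible Vault files start with a fixed "$ANSIBLE_VAULT;" header line, so an
# encrypted scenario can be told from plaintext without knowing the password.
is_vault_encrypted() {
  local header=""
  IFS= read -r header < "$1" || true
  case "$header" in
    '$ANSIBLE_VAULT;'*) return 0 ;;
    *) return 1 ;;
  esac
}

# Encrypt a scenario in place with ansible-vault, passing the password file the
# way BCD does, through ANSIBLE_VAULT_PASSWORD_FILE. Returns 2 when ansible-vault
# is not installed so the caller can skip the step.
encrypt_scenario() {
  local passfile="$1" scenario="$2"
  command -v ansible-vault >/dev/null 2>&1 || return 2
  ANSIBLE_VAULT_PASSWORD_FILE="$passfile" ansible-vault encrypt "$scenario"
}

# Run the documented steps against a constructed scenario file.
demo() {
  local passfile="$WORKDIR/vault_pass" scenario="$WORKDIR/myscenario.yml"
  create_vault_passfile "$passfile" 'MyV@ultPa55' >/dev/null
  check_vault_passfile "$passfile" || { echo "refusing to use $passfile" >&2; return 1; }
  # Constructed placeholder content, not a real credential.
  printf 'db_password: "replace-me"\n' > "$scenario"
  if encrypt_scenario "$passfile" "$scenario"; then
    is_vault_encrypted "$scenario" && echo "encrypted: $scenario"
  else
    echo "ansible-vault not found; skipped encryption of $scenario" >&2
  fi
}

demo
```

The permission check is deliberately strict: Ansible itself will happily read a world-readable password file, so the only place to catch a mode 644 vault_pass is before BCD runs.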