passbolt

Last past year, I created an ansible lookup plugin for passbolt, which allow you to use passbolt as an alternative to ansible-vault to store your secrets. You can read a very complete blog post about this on passbolt offical blog. We will start this blog post with a practical example by setup a MySQL database and user with ansible and store the user password in passbolt. Let’s go. Requirements A vanilla Ubuntu server on which you will setup the MySQL database You are able to make sudo commands on this server without password A working passbolt instance Your passbolt recovery kit, aka your private GPG key You are able to connect to your server with ansible ansible -m ping your-server your-server | SUCCESS => { "changed": false, "ping": "pong" } Setup passbolt ansible lookup plugin You can install the lookup plugin with this command:...

I use for this memo a temporary gpg homedir named gpg-tmp mkdir gpg-tmp Since 3.6.0 version, passbolt can use Elliptic ed25519 GPG keys. We will see how to silently create both RSA/ECC GPG keys Create RSA key with passphrase gpg --homedir gpg-tmp --batch --no-tty --gen-key <<EOF Key-Type: rsa Key-Length: 4096 Key-Usage: sign,cert Subkey-Type: rsa Subkey-Length: 4096 SubKey-Usage: encrypt Name-Real: John Doe Name-Email: [email protected] Expire-Date: 0 Passphrase: a-strong-passphrase %commit EOF Create RSA key without passphrase gpg --homedir gpg-tmp --batch --no-tty --gen-key <<EOF Key-Type: rsa Key-Length: 4096 Key-Usage: sign,cert Subkey-Type: rsa Subkey-Length: 4096 SubKey-Usage: encrypt Name-Real: John Doe Name-Email: john@doe....