
I would like to publish on github a full set of ansible playbooks.

Some files contain sensitive data, so I have 'vaulted' them, i.e. encrypted them.
You can find the format description here and some relevant usage documentation here and there.

I am surprised that the same string can be encrypted in more than one way.

realtebo@192.168.1.227:/mnt/hgfs/ansible_files$ ansible-vault encrypt_string "reverse_me" 
!vault |
          $ANSIBLE_VAULT;1.1;AES256
          64353761393762333261343831393636326633373731323362323065376462613162356162386635
          3863366638336365343632393536376263643037303465320a363532356265623038356166316334
          66323865396539643335373937326236623735396461353832313439373039323539303739623365
          6536323639663733370a323365376438356131363730396364386538396532333834353439656131
          6362
Encryption successful

realtebo@192.168.1.227:/mnt/hgfs/ansible_files$ ansible-vault encrypt_string "reverse_me" 
!vault |
          $ANSIBLE_VAULT;1.1;AES256
          38333831396332353663343934393462343931376238333930343830623766613462653635633365
          3263626535383662333764633164613230343466393264640a323534326234626238303362363631
          34633032356432333365616230396637653832613766303830343663663835636134656532333839
          3936623532633533350a363930376632333861623766303933666462626637353661663630643763
          6264

Encryption successful

But my question is:
Having only the vaulted strings, is there a way to decrypt them?
Or, asked alternatively but equivalently:
Is it safe to publish the encrypted strings if they contain sensitive data?

Maarten Bodewes
realtebo

1 Answer


There are technically two ways:

  1. brute-forcing your way to a valid passphrase
  2. having a valid passphrase and using that to decrypt the data

The use of 256-bit AES is cryptographically sound as far as I can tell as a (cryptography) layperson, so there are no other ways.

That said, for Ansible vaults the way I have used them, you have to enter a passphrase. While the actual key is probably still derived from that passphrase, brute-forcing a passphrase may be easier than brute-forcing a lengthy key.

As for the two ways one thing can be encrypted using the same passphrase, this may be due to a salt. For example, the current date and time may be part of the encrypted data, and the actual vault data gets extracted from that.

0xC0000022L
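The following is an added example, written for this page; it is neither the answerer's code nor Ansible's own implementation, but a standard-library Go reimplementation of the `$ANSIBLE_VAULT;1.1;AES256` format the question's output uses. Ansible's vault 1.1 format is: a random 32-byte salt, PBKDF2-HMAC-SHA256 with 10000 iterations stretching the passphrase into 80 bytes (AES-256 key, HMAC-SHA256 key, CTR IV), PKCS#7-padded AES-256-CTR, and an HMAC over the ciphertext; the body `hex(salt)\nhex(hmac)\nhex(ct)` is hex-encoded once more and wrapped at 80 columns. That fresh random salt is exactly why the two `encrypt_string` runs above differ, and the code shows the other half of the answer: without the passphrase, the only thing the vault text reveals is the salt, and any candidate passphrase is rejected by the HMAC check before a single byte is decrypted. The passphrase `example-passphrase` is a constructed placeholder, and `Encrypt`, `Decrypt`, `deriveKeys` and `pbkdf2` are names chosen here.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"strings"
)

// Vault 1.1/AES256 as Ansible implements it: PBKDF2-HMAC-SHA256 (10000 iterations over a 32-byte
// random salt) yields 80 bytes = AES-256 key | HMAC key | CTR IV; then AES-256-CTR and HMAC-SHA256.
const vaultHeader = "$ANSIBLE_VAULT;1.1;AES256"

// pbkdf2 is PBKDF2-HMAC-SHA256 (RFC 8018), spelled out so the example needs only the standard library.
func pbkdf2(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var out []byte
	for block := 1; len(out) < keyLen; block++ {
		prf.Reset()
		prf.Write(salt)
		prf.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			subtle.XORBytes(t, t, u) // T = U1 xor U2 xor ... xor Uc
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// deriveKeys stretches the passphrase; nothing below can be recomputed without passphrase and salt.
func deriveKeys(password string, salt []byte) (key1, key2, iv []byte) {
	d := pbkdf2([]byte(password), salt, 10000, 80)
	return d[:32], d[32:64], d[64:80]
}

// Encrypt mirrors `ansible-vault encrypt_string`: a fresh random salt per call is why the same string
// under the same passphrase never yields the same vault text twice (the CLI also wraps at 80 columns).
func Encrypt(plaintext, password string) string {
	salt := make([]byte, 32)
	rand.Read(salt) // crypto/rand: documented never to fail on supported platforms
	key1, key2, iv := deriveKeys(password, salt)
	block, _ := aes.NewCipher(key1) // cannot fail: key1 is always 32 bytes
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize // PKCS#7 padding, as Ansible applies it
	padded := append([]byte(plaintext), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	cipher.NewCTR(block, iv).XORKeyStream(ct, padded)
	mac := hmac.New(sha256.New, key2)
	mac.Write(ct)
	// Body is "hex(salt)\nhex(hmac)\nhex(ct)", then hex-encoded once more.
	body := hex.EncodeToString(salt) + "\n" + hex.EncodeToString(mac.Sum(nil)) + "\n" + hex.EncodeToString(ct)
	return vaultHeader + "\n" + hex.EncodeToString([]byte(body))
}

// Decrypt parses vault text (wrapped or not), verifies the HMAC in constant time under the
// passphrase-derived key, and only then decrypts: a wrong passphrase is rejected, never "decrypted" to garbage.
func Decrypt(vaulttext, password string) (string, error) {
	rest, ok := strings.CutPrefix(strings.TrimSpace(vaulttext), vaultHeader)
	if !ok {
		return "", errors.New("not an ANSIBLE_VAULT;1.1;AES256 payload")
	}
	body, err := hex.DecodeString(strings.NewReplacer("\n", "", "\r", "", " ", "", "\t", "").Replace(rest))
	if err != nil {
		return "", err
	}
	parts := bytes.Split(body, []byte("\n")) // hex(salt), hex(hmac), hex(ct); the salt is in the clear
	if len(parts) != 3 {
		return "", errors.New("malformed vault body")
	}
	var f [3][]byte
	for i, p := range parts {
		if f[i], err = hex.DecodeString(string(p)); err != nil {
			return "", err
		}
	}
	salt, wantMAC, ct := f[0], f[1], f[2]
	key1, key2, iv := deriveKeys(password, salt)
	mac := hmac.New(sha256.New, key2)
	mac.Write(ct)
	if !hmac.Equal(mac.Sum(nil), wantMAC) {
		return "", errors.New("HMAC mismatch: wrong passphrase or tampered payload")
	}
	block, _ := aes.NewCipher(key1)
	pt := make([]byte, len(ct))
	cipher.NewCTR(block, iv).XORKeyStream(pt, ct)
	if n := len(pt); n > 0 && pt[n-1] >= 1 && int(pt[n-1]) <= aes.BlockSize && int(pt[n-1]) <= n {
		return string(pt[:n-int(pt[n-1])]), nil // strip PKCS#7 padding
	}
	return "", errors.New("bad PKCS#7 padding")
}
```

Running `Decrypt` on the question's own first `encrypt_string` output with any passphrase other than the real one parses cleanly and stops at the HMAC check, which is the practical answer to "is it safe to publish": the published text leaks nothing but the salt, so its security rests entirely on the passphrase. Each candidate passphrase costs one 10000-iteration PBKDF2 derivation, which slows but does not prevent offline guessing once the vault is public, so a long, random passphrase (not a memorable word) is the control that matters, and rotating it (re-encrypting) is the response if it is ever suspected to be weak.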