The vault file is one of three input files needed to deploy PAM with Ansible:
mypam.ini (or similar name)
mypam.vars (or similar name)
mypam.vault (or similar name)
The vault file is a YAML file that has been encrypted into a vault file by the Ansible tool ansible-vault. The vault file is used to store secret inputs that should not be left exposed in the vars file. The PAM CDM package includes an example vault file, example.vault.
An Ansible vault file may be constructed manually. Start by creating an unencrypted YAML file containing the secrets to be encrypted. The file name suffix should be .vault, not .yaml. For example:
ansible_linux_password: Password123
pam_database_password: PasswordABC
pam_ldap_password: PasswordXYZ
pam_crypt_password: SuperComplexHardToGuessPassword
Then encrypt the file with the ansible-vault tool:
ansible-vault encrypt mypam.vault
This will encrypt the file in place without renaming it, which is why the unencrypted YAML file was originally created with a .vault suffix.
This command will prompt for a vault encryption password. Use a strong random password (minimum 24 characters). Protect the vault encryption password in a secure location (such as Imprivata PAM). If the vault password is lost, the encrypted data in the vault file will be unrecoverable.
To display the plaintext content of a vault file without decrypting the file, run this command and enter the vault password when prompted.
ansible-vault view mypam.vault
To decrypt an encrypted vault file, run this command and enter the vault password when prompted. The vault file will be decrypted in place, back to the original YAML file, with the same file name.
ansible-vault decrypt mypam.vault
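The whole manual procedure above, scripted end to end, as an added example that is not part of this documentation or of the PAM CDM package. It assumes ansible-vault is on the PATH and, so that it can run non-interactively, supplies the vault password through ansible-vault's --vault-password-file option instead of the interactive prompt. The secret values are the page's placeholder passwords, and the vault password file and plaintext YAML are written with owner-only permissions. The is_encrypted_vault check only inspects the $ANSIBLE_VAULT header line; it confirms the file was encrypted, not that the password is strong.

```shell
#!/bin/sh
# Added example (not Imprivata's or Ansible's own code): build an unencrypted
# .vault YAML, encrypt it in place with ansible-vault, and verify the result.

# Generate a random vault password of at least 24 characters (24 random
# bytes, base64 encoded, gives 32 characters).
make_vault_password() {
    head -c 24 /dev/urandom | base64 | tr -d '\n='
}

# Write the plaintext vault YAML to $1 with owner-only permissions (0600).
# The values are the page's placeholder passwords, not real secrets.
write_plain_vault() {
    (
        umask 077
        cat > "$1" <<'EOF'
ansible_linux_password: Password123
pam_database_password: PasswordABC
pam_ldap_password: PasswordXYZ
pam_crypt_password: SuperComplexHardToGuessPassword
EOF
    )
}

# Return 0 if $1 starts with the ansible-vault header, i.e. is encrypted.
is_encrypted_vault() {
    head -n 1 "$1" | grep -q '^\$ANSIBLE_VAULT;1\.[12];AES256'
}

# Encrypt $1 in place using the vault password stored in file $2, then
# confirm the header. Returns 2 when ansible-vault is not installed.
encrypt_vault() {
    command -v ansible-vault >/dev/null 2>&1 || return 2
    ansible-vault encrypt --vault-password-file "$2" "$1" >/dev/null 2>&1 || return 1
    is_encrypted_vault "$1"
}

# Print the plaintext without decrypting the file on disk (ansible-vault view).
view_vault() {
    ansible-vault view --vault-password-file "$2" "$1"
}

# Decrypt $1 in place, back to the original YAML, using password file $2.
decrypt_vault() {
    ansible-vault decrypt --vault-password-file "$2" "$1" >/dev/null 2>&1
}

# Demonstration in a throwaway directory; everything is removed afterwards.
demo() {
    work=$(mktemp -d)
    ( umask 077; make_vault_password > "$work/vault_pass" )
    write_plain_vault "$work/mypam.vault"
    if encrypt_vault "$work/mypam.vault" "$work/vault_pass"; then
        echo "encrypted header: $(head -n 1 "$work/mypam.vault")"
        echo "keys visible via view: $(view_vault "$work/mypam.vault" "$work/vault_pass" | grep -c ':')"
        decrypt_vault "$work/mypam.vault" "$work/vault_pass" && echo "decrypted back in place"
    else
        echo "ansible-vault not available or encryption failed"
    fi
    rm -rf "$work"
}

demo
```

Keeping the vault password in a 0600 file on the deployment host is what makes unattended runs possible; the file itself then needs the same protection the page asks for the password, since anyone who can read it can decrypt the vault.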
A Python script, scripts/pam_vault.py, is provided to help generate an Ansible vault file for PAM deployments.
To run the script and get usage information:
python scripts/pam-vault.py -h
This tool can be run from the same Python virtual environment created during PAM CDM Installation.