Ansible Vault and Tang server


So an interesting thought here...

We are currently running Ansible Vault to store all our account passwords and associated keys. We are currently using LUKS full disk encryption on our virtual machines. To handle booting of these VMs we are using this bootleg hack that pulls the key out of a key disk image. We want to stop using this hack, because it's a hack. Clevis and Tang look extremely promising and we wanted to start using them.

I'm still not entirely familiar with how Tang stores keys, and I was wondering if it was possible to integrate Tang into Vault, insofar as pulling host keys for decryption at boot.

Is this something that's possible? Are we totally off base here? Is there a better way to do what I'm trying to do?


I could see using Vault for storing the password to create the LUKS binding with the server, but not for unlocking the machine with the Tang server, since it connects via HTTPS on boot. I'd be more interested in seeing a Clevis module built into Ansible to automate the creation of LUKS bindings with a Tang server.
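Here is what the automation the reply is asking for can look like today without a dedicated Clevis module, as an added example written for this thread (not code from the original post, from Clevis, or from Ansible). It is a plain playbook that drives `clevis luks bind` through `ansible.builtin.command`, takes the existing LUKS passphrase from an Ansible Vault-encrypted variable (the one thing the reply says Vault is good for here) and feeds it on stdin rather than on the command line, pins the Tang server's signing-key thumbprint so the bind step is non-interactive and does not blindly trust whatever advertisement comes back, and rebuilds the initramfs so the clevis dracut module can talk to Tang at boot. The device path, the Tang URL and port, the thumbprint placeholder, the `vms` host group and the `luks_passphrase` variable name are all assumptions; the thumbprint comes from running `tang-show-keys` on the Tang host. The idempotence check relies on `clevis luks list`, which is only present in recent Clevis releases.

```yaml
# Added example playbook, not from the thread. Assumptions: the LUKS container is
# /dev/vda2, Tang listens at http://tang.example.internal:7500, the hosts are in
# group "vms", and luks_passphrase is defined in an ansible-vault encrypted file
# (e.g. group_vars/vms/vault.yml, created with `ansible-vault create`).
- name: Bind LUKS root volume to a Tang server with Clevis
  hosts: vms
  become: true
  vars:
    luks_device: /dev/vda2                        # assumed LUKS container
    tang_url: http://tang.example.internal:7500   # assumed Tang endpoint
    tang_thp: "REPLACE_WITH_TANG_SIGNING_KEY_THP" # output of `tang-show-keys` on the Tang host
    # Tang pin config with the thumbprint pinned: clevis verifies the advertisement
    # against it instead of prompting you to trust an unverified key.
    tang_pin_cfg: '{"url":"{{ tang_url }}","thp":"{{ tang_thp }}"}'

  tasks:
    - name: Install clevis, the LUKS integration and the dracut module for boot-time unlock
      ansible.builtin.package:
        name:
          - clevis
          - clevis-luks
          - clevis-dracut
        state: present

    - name: List existing Clevis bindings on the device (idempotence check)
      ansible.builtin.command: clevis luks list -d {{ luks_device }}
      register: clevis_list
      changed_when: false
      failed_when: false   # exits non-zero when the device has no bindings yet

    - name: Bind the device to Tang, passphrase on stdin so it never hits argv or logs
      ansible.builtin.command:
        cmd: clevis luks bind -d {{ luks_device }} -k - tang '{{ tang_pin_cfg }}'
        stdin: "{{ luks_passphrase }}"
        stdin_add_newline: false   # a typed passphrase has no trailing newline
      when: "'tang' not in clevis_list.stdout"
      no_log: true

    - name: Rebuild the initramfs so the clevis dracut module is included
      ansible.builtin.command: dracut -f
      when: "'tang' not in clevis_list.stdout"

    - name: Show the resulting bindings for the run log
      ansible.builtin.command: clevis luks list -d {{ luks_device }}
      changed_when: false
```

Run it with `ansible-playbook --ask-vault-pass bind-tang.yml` (or `--vault-password-file`). The binding step adds a new keyslot holding a Clevis-generated key; the original passphrase keyslot stays in place as a fallback, which is what you want, since a host that cannot reach Tang (network not up in the initramfs, Tang down) will fall back to prompting for it. If you want the binding to survive Tang key rotation, `clevis luks regen` refreshes the slot against the current advertisement.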