Encrypting Passwords

PipelineWise has a built-in feature that allows you to keep sensitive data such as passwords or keys in encrypted format, rather than as plain text in the project YAML files. These encrypted strings can then be distributed or placed in source control.

PipelineWise is using the Ansible Vault python libraries to encrypt and decrypt strings. The default cipher is AES (which is shared-secret based).

1. To encrypt data, first you need to create a file with a secret password. In this example we will create a vault-password.txt file from the command that you will keep in a safe place:

$ echo "M@st3rP@ssw0rd" > vault-password.txt

2. Now you can encrypt the sensitive strings in your PipelineWise project. These are usually database passwords or other data source or destination credentials that you don’t want to place in source control as plain texts. To encrypt a string run:

$ pipelinewise encrypt_string --secret vault-password.txt --string "This is a string to encrypt"
!vault |
          $ANSIBLE_VAULT;1.1;AES256
          31376164363334663765396232363562653463613862333163396565396239336134636261326137
          3561303661636161663337333564316463653230623436650a333639313136393930656232393334
          34303232656430303664393238656633336333663965303333643134326239363538646237356130
          3662383632313763650a633664633665646238373861356430336536616239343535616231653161
          37376232313836613939636434303863333035653534633533333739303137323034
Encryption successful

3. Now you can copy the output of the previous step and use it in any YAML file instead of plain passwords. For example in a tap_mysql.yml file the db_conn section will look like this:

db_conn:
  host: "mysql_source_database"
  port: 3306
  user: "jack_replica"
  password: !vault |
        $ANSIBLE_VAULT;1.1;AES256
        31376164363334663765396232363562653463613862333163396565396239336134636261326137
        3561303661636161663337333564316463653230623436650a333639313136393930656232393334
        34303232656430303664393238656633336333663965303333643134326239363538646237356130
        3662383632313763650a633664633665646238373861356430336536616239343535616231653161
        37376232313836613939636434303863333035653534633533333739303137323034
  dbname: "fx"

4. When importing the project YAML files into PipelineWise, you will need to provide the path to the file with the password (the one that you created in the first step) using the --secret command line option. For example if you have a sample project in pipelinewise_samples you will need to run:

$ pipelinewise import --dir pipelinewise_samples --secret vault-password.txt

Tip: For further details about creating and importing projects, please check the Creating Pipelines section.