Using Keybase to share Ansible Vault passwords securely

This is a very quick guide for using Keybase with Trellis. Though it will give a brief overview of Keybase, it will not go into depth about how Keybase works or whether or not it’s trustworthy. You can read Keybase’s docs for that .

Quickly, what is Keybase?

Keybase is a key directory that maps social media identities to encryption keys (including, but not limited to PGP keys) in a publicly auditable manner.1

The Keybase filesystem allows for easy and secure sharing of files. You can share files with your team or another person quickly. For example, if I had a Keybase Team called my-team, I could share files with them in /keybase/team/my-team.

Why use Keybase with Trellis?

Your Anisble Vault password is the key to all of your site’s secrets. This is why it’s included in Trellis’ .gitignore. It is probably not in your best interest to be sharing this through unsecure mediums.

How to use Keybase with Trellis

This is pretty straightforward.

Install the Keybase app (macOS, Windows, Linux) and create an account.

  • Opening the application will prompt for a login or for you to create an account.
  • This will make a secure volume on your computer.
    • /keybase on macOS and Linux.
    • k:\ on Windows, however, Ansible does not support Windows, which makes this whole thing problematic for Windows, unless you are using WSL.

Now, when you enable Ansible Vault, instead of creating the vault password file (i.e. .vault_pass) in the Trellis root, create it on the Keybase volume for whatever context you need to share it and point to it accordingly in ansible.cfg. For example, if I was just solo dev-ing a project, I would put it in /keybase/private/knowler, but if I was working with a team, I would put it in /keybase/team/my-team. Keybase’s teams even allows you to create subteams, so you could do: /keybase/team/ to target only the developers of my team.

Working example/proof of concept

For a working example, clone the keybase branch of my Trellis fork:

git clone -b keybase --single-branch trellis-and-keybase && \
cd trellis-and-keybase

Out of the box (on macOS & Linux), you are able to use ansible vault edit to edit the encrypted files since I’m pointing the vault password to /keybase/public/knowler/.vault_pass. It’s great for this example, but you should never store the your vault password in your public folder.