Merge 1d4a116337 into 6aa8192131

2 weeks ago · cc7b51dd2a
parent 6aa8192131 1d4a116337
commit cc7b51dd2a
3 changed files with 21 additions and 20 deletions
--- a/changelogs/fragments/vault_fixes.yml
+++ b/changelogs/fragments/vault_fixes.yml
@ -0,0 +1,5 @@
+minor_changes:
+  - Added vault configuration (VAULT_PBKDF2HMAC_ITERATIONS) to allow user to fine tune encryption.
+bugfixes:
+  - Increased default vault pbkdf2hmac iterations to 600.000 as per current recomendations.
+  - Added cautionary text to vault salt configuration entry, also short hint on why it would be used.
--- a/lib/ansible/config/base.yml
+++ b/lib/ansible/config/base.yml
@ -1085,15 +1085,6 @@ DEFAULT_VARS_PLUGIN_PATH:
  ini:
  - {key: vars_plugins, section: defaults}
  type: pathspec
-# TODO: unused?
-#DEFAULT_VAR_COMPRESSION_LEVEL:
-#  default: 0
-#  description: 'TODO: write it'
-#  env: [{name: ANSIBLE_VAR_COMPRESSION_LEVEL}]
-#  ini:
-#  - {key: var_compression_level, section: defaults}
-#  type: integer
-#  yaml: {key: defaults.var_compression_level}
 DEFAULT_VAULT_ID_MATCH:
  name: Force vault id match
  default: False
@ -1113,7 +1104,9 @@ DEFAULT_VAULT_IDENTITY:
 VAULT_ENCRYPT_SALT:
  name: Vault salt to use for encryption
  default: ~
-  description: 'The salt to use for the vault encryption. If it is not provided, a random salt will be used.'
+  description:
+      - The salt to use for the vault encryption. If it is not provided, a random salt will be used.
+      - Specifying a salt decreases the security of vault, but it might be required if determinism is more important in your context.
  env: [{name: ANSIBLE_VAULT_ENCRYPT_SALT}]
  ini:
  - {key: vault_encrypt_salt, section: defaults}
@ -1145,6 +1138,18 @@ DEFAULT_VAULT_PASSWORD_FILE:
  - {key: vault_password_file, section: defaults}
  type: path
  yaml: {key: defaults.vault_password_file}
+VAULT_PBKDF2HMAC_ITERATIONS:
+  name: Vault PBKDF2HMAC iterations
+  version_added: '2.18'
+  description:
+      - Default PBKDF2HMAC iteration count to be used by vault.
+      - Note that all ansible instances doing vault/unvault must agree on this number.
+      - The recomended value is currently 600.000 but it is kept to 10.000 for backwards compatiblity.
+  type: int
+  default: 10000
+  env: [{name: ANSIBLE_VAULT_PBKDF_ITER}]
+  ini:
+  - {key: pbkdf2hmac_iterations, section: vault}
 DEFAULT_VERBOSITY:
  name: Verbosity
  default: 0
@ -1347,15 +1352,6 @@ GALAXY_COLLECTIONS_PATH_WARNING:
  ini:
    - {key: collections_path_warning, section: galaxy}
  version_added: "2.16"
-# TODO: unused?
-#GALAXY_SCMS:
-#  name: Galaxy SCMS
-#  default: git, hg
-#  description: Available galaxy source control management systems.
-#  env: [{name: ANSIBLE_GALAXY_SCMS}]
-#  ini:
-#  - {key: scms, section: galaxy}
-#  type: list
 GALAXY_SERVER:
  default: https://galaxy.ansible.com
  description: "URL to prepend when roles don't specify the full URI, assume they are referencing this server as the source."
--- a/lib/ansible/parsing/vault/init.py
+++ b/lib/ansible/parsing/vault/init.py
@ -1158,7 +1158,7 @@ class VaultAES256:
            algorithm=hashes.SHA256(),
            length=2 * key_length + iv_length,
            salt=b_salt,
-            iterations=10000,
+            iterations=C.config.get_config_value('VAULT_PBKDF2HMAC_ITERATIONS'),
            backend=CRYPTOGRAPHY_BACKEND)
        b_derivedkey = kdf.derive(b_password)