Protecting secrets while operating
In the previous section of this chapter, we covered how to protect your secrets at rest on the filesystem. However, that is not the only concern when operating Ansible with secrets. That secret data is going to be used in tasks as module arguments, loop inputs, or any number of other things. This may cause the data to be transmitted to remote hosts, logged to local or remote log files, or even displayed onscreen. This section of the chapter will discuss strategies for protecting your secrets during operation.
Secrets transmitted to remote hosts
As we learned in Chapter 1, The System Architecture and Design of Ansible, Ansible combines module code and arguments and writes this out to a temporary directory on the remote host. This means your secret data is transferred over the wire and written to the remote filesystem. Unless you are using a connection plugin other than Secure Shell (SSH) or Secure Sockets Layer (SSL)-encrypted Windows Remote...
