Protecting secrets while operating
In the previous section of this chapter, we covered protecting your secrets at rest on the filesystem. However, that is not the only concern while operating Ansible with secrets. Secret data is going to be used in tasks as module arguments or loop inputs or any number of other things. This may cause the data to be transmitted to remote hosts, logged to local or remote log files, or displayed on screen. This section of the chapter discusses strategies for protecting your secrets during operation.
Secrets transmitted to remote hosts
As we learned in Chapter 1, System Architecture and Design of Ansible, Ansible will combine module code and arguments and write this out to a temporary directory on the remote host. This means your secret data is transferred over the wire AND written to the remote filesystem. Unless you are using a connection plugin other than ssh, the data over the wire is already encrypted, preventing your secrets from being discovered by simple...
