Securely remove decrypted Vault password file?

[kenny-evitt]

The "How do I store private data in git for Ansible?" section covers using GPG to encrypt a file with the Ansible Vault password and creating a shell alias to first decrypt the password file before calling ansible-playbook.

But the alias does nothing to securely remove the decrypted password file.

This blog post describes what seems like a better alternative:

• Using PGP To Encrypt The Ansible Vault | You Can't Spell Engineering Without Erin

A shell script (say open_the_vault.sh) is created to decrypt the encrypted password file:

#!/bin/sh
gpg --batch --use-agent --decrypt vault_passphrase.gpg

And that shell script is then set as the vault_password_file value in ansible.cfg:

[defaults]
vault_password_file = open_the_vault.sh

Using a script for that file is supported as-of version 1.7 of Ansible:

As of 1.7 this file can also be a script. If you are using a script instead of a flat file, ensure that it is marked as executable, and that the password is printed to standard output. If your script needs to prompt for data, prompts can be sent to standard error.

The benefit of this setup is that the Vault password won't be stored decrypted in the filesystem (or, at least, not as a regular file).