
Secrets at my Fingertips

tiny tool · Oct 30, 2025

Tap it, unwrap it – how I send secrets with biometrics

When I'm setting up kit, I need secrets. Typically, keys that identify me as someone authorised: keys for provisioning servers, for talking to LLMs, for setting up DNS, for using ssh.

And when I say 'I', I mean my tools – so those keys need to be stored somewhere, not typed in when needed. As they're secrets, they need to be stored in an encrypted way – and I don't mean the encryption that munges my laptop's whole SSD, but encryption specifically for the secrets file. So secrets.yml needs a password.

We should take that password seriously, of course: should we remember it or scribble it on a hidden post-it? Clearly neither. And we're collaborative engineers, so when we need to share that password, and those secrets, we need to share them in a way that means the secret isn't generally known and access can be killed off.

As it happens, I keep the password to the secrets file in a password manager, 1Password. So I can already share it with care, change it in a way that I can check up on, and restrict and enable access as needed. It's not SailPoint, but it works for me and my circle.

Here's the enabler: 1Password has a command-line interface, op, which unlocks biometrically.

So, in Ansible, when I want to edit or view my secrets.yml, I don't type the password; instead I pass this parameter: --vault-password-file <(op item get 'Ansible secrets' --fields label=password --reveal).

That uses --vault-password-file to pass the password field of the 1Password item 'Ansible secrets' as the password for the secrets file; the <(...) is shell process substitution, so Ansible reads the password from a file descriptor and nothing is written to disk. Which means I can put the command in something openly stored, have the kit request my identity when it first needs it, and have the decrypted secrets in memory and not in a shabby text file somewhere obscure*.

In practice: I use the command, verify with a fingerprint, and off it goes.

* Unless, like a pillock, I do ansible-vault view secrets.yml, forget, crash something, scroll up my history file and just see all the keys there. So, y'know, don't do that.
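The same idea as a script rather than a one-liner, as an added example (not the post's own code): Ansible treats an executable given to --vault-password-file, or after the '@' in --vault-id, as a script and uses its stdout as the password, and if the script's name ends in -client it also passes --vault-id <label>. The file name op-vault-client.sh, the OP_BIN override (so a test can stand in for the real op binary), and the rule that the vault-id label "default" means the post's item 'Ansible secrets' while any other label is used as the item name are this example's assumptions. The script fails closed if op returns nothing, so an empty password is never handed to Ansible.

```shell
#!/usr/bin/env bash
# Added example, not the post's own code: an Ansible vault password client
# script that fetches the vault password from 1Password with `op`.
#
# Save as op-vault-client.sh, chmod +x, then:
#   ansible-vault view --vault-id default@./op-vault-client.sh secrets.yml
# Ansible runs the script as "op-vault-client.sh --vault-id default" and reads
# the password from its stdout; nothing is written to disk.
#
# Assumptions (ours): label "default" -> the post's item 'Ansible secrets',
# any other label is used verbatim as the item name; OP_BIN lets a test
# substitute a stub for the real `op` binary.
set -eu

# Map a vault-id label to a 1Password item name.
item_for_vault_id() {
  case "${1:-default}" in
    default) printf '%s\n' 'Ansible secrets' ;;
    *)       printf '%s\n' "$1" ;;
  esac
}

# Print the "password" field of a 1Password item and nothing else.
# Real CLI call: op item get '<item>' --fields label=password --reveal
# (op itself prompts for the fingerprint if the session is locked).
vault_password() {
  item=$1
  pw=$("${OP_BIN:-op}" item get "$item" --fields label=password --reveal) || {
    echo "op-vault-client: could not read '$item' from 1Password" >&2
    return 1
  }
  # Fail closed: an empty password would make Ansible attempt decryption
  # with "" and fail later with a far less obvious error.
  if [ -z "$pw" ]; then
    echo "op-vault-client: empty password field on '$item'" >&2
    return 1
  fi
  printf '%s\n' "$pw"
}

# Entry point used by Ansible. Without --vault-id nothing runs, so the file
# can also be sourced for testing.
if [ "${1:-}" = "--vault-id" ]; then
  vault_password "$(item_for_vault_id "${2:-default}")"
fi
```

Because the password only ever travels over stdout into Ansible, the command line that lands in the shell history contains the item name, never the secret; the scrollback problem from the footnote is unaffected, since that is the decrypted vault contents, not the vault password.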


James Lyndsay

Getting better at software testing. Singing in Bulgarian. Staying in. Going out. Listening. Talking. Writing. Making.
