AbstractionAlgebra/rotateCredentials
rotateCredentials

Ansible playbook and roles for rotating Linux root, GRUB, and active LUKS full-disk-encryption credentials. The playbook coordinates preflight checks, scopes enabled rotations, runs the root, GRUB, and LUKS roles, and prints a sanitized per-host summary without exposing credential values.

Supported Managed Hosts

  • RHEL 8.10
  • RHEL 9
  • Ubuntu 22.04
  • Ubuntu 24.04

This project is intended for hardened Linux estates, including FIPS/STIG-style hosts where package installation is controlled separately. The playbook checks for required platform commands, but it does not install missing packages. Hosts missing required tools fail preflight and should be remediated through the normal system build or package management process.

Vaulted Credential Records

Store real credentials in Ansible Vault. Use group_vars/vault.example.yml only as the shape for the encrypted data file; it contains non-secret sample values and is not auto-loaded as a real vault source.

Real vault variables must be loaded explicitly, for example:

ansible-playbook rotate_credentials.yml \
  --ask-vault-pass \
  --extra-vars @path/to/vault.yml

Each enabled rotation requires its matching credential record with these fields:

  • current
  • new
  • prior
  • current_changed_at
  • prior_changed_at

The records are:

root_credential:
  current: "CurrentRootPwd1!"
  new: "NewRootPwdValue1!"
  prior: "PriorRootPwdValue1!"
  current_changed_at: "2026-02-24"
  prior_changed_at: "2025-12-26"

grub_credential:
  current: "CurrentGrubPwd1!"
  new: "NewGrubPwdValue1!"
  prior: "PriorGrubPwdValue1!"
  current_changed_at: "2026-02-24"
  prior_changed_at: "2025-12-26"

luks_credential:
  current: "CurrentLuksPwd1!"
  new: "NewLuksPwdValue1!"
  prior: "PriorLuksPwdValue1!"
  current_changed_at: "2026-02-24"
  prior_changed_at: "2025-12-26"

For every enabled rotation, the new value must satisfy the playbook complexity rule: at least 15 characters with uppercase, lowercase, number, and symbol characters.

Running The Playbook

Basic run against the configured inventory:

ansible-playbook rotate_credentials.yml \
  --ask-vault-pass \
  --extra-vars @path/to/vault.yml

To target a specific inventory file:

ansible-playbook -i inventory rotate_credentials.yml \
  --ask-vault-pass \
  --extra-vars @path/to/vault.yml

By default, all three rotation booleans are enabled in group_vars/all.yml:

  • rotate_root_password: true
  • rotate_grub_password: true
  • rotate_luks_password: true

Run only root rotation by disabling the other rotation groups:

ansible-playbook rotate_credentials.yml \
  --ask-vault-pass \
  --extra-vars @path/to/vault.yml \
  -e rotate_grub_password=false \
  -e rotate_luks_password=false

Run only GRUB rotation with tags:

ansible-playbook rotate_credentials.yml \
  --ask-vault-pass \
  --extra-vars @path/to/vault.yml \
  --tags grub

Run only LUKS rotation with both tag and boolean scoping:

ansible-playbook rotate_credentials.yml \
  --ask-vault-pass \
  --extra-vars @path/to/vault.yml \
  -e rotate_root_password=false \
  -e rotate_grub_password=false \
  --tags luks

Available tags are root, grub, and luks. Without --tags, every enabled rotate_* boolean is active. With --tags, only the selected rotation tags are active, and preflight checks are scoped to those active rotations.
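The two rules above, the credential record shape with its new-value complexity rule and the way rotate_* booleans and --tags together decide which rotations (and so which preflight checks) are active, are modelled below in a stand-alone Python script. This is an added example, not code from the rotateCredentials project; the real playbook expresses these checks as Ansible tasks. Function names, the ALL_ON and SAMPLE_VAULT data, and the assumption that a selected tag never overrides a false boolean are the example's own. The error messages name fields but never echo values, in keeping with the sanitized-output rule.

```python
"""Added example, not code from the rotateCredentials project: a Python model
of (1) the credential record shape and new-value complexity rule and (2) how
rotate_* booleans and --tags decide which rotations and preflight checks run.
Function names, sample data and the tag/boolean intersection are assumptions."""
import re
from datetime import date

ROTATIONS = ("root", "grub", "luks")   # the three available tags, in play order
REQUIRED_FIELDS = ("current", "new", "prior", "current_changed_at", "prior_changed_at")
MIN_LENGTH = 15                         # README rule: 15+ chars, upper, lower, digit, symbol

# Constructed sample data mirroring the non-secret shape of group_vars/vault.example.yml.
ALL_ON = {"rotate_root_password": True, "rotate_grub_password": True, "rotate_luks_password": True}
SAMPLE_VAULT = {
    "root_credential": {"current": "CurrentRootPwd1!", "new": "NewRootPwdValue1!",
                        "prior": "PriorRootPwdValue1!", "current_changed_at": "2026-02-24",
                        "prior_changed_at": "2025-12-26"},
    "grub_credential": {"current": "CurrentGrubPwd1!", "new": "NewGrubPwdValue1!",
                        "prior": "PriorGrubPwdValue1!", "current_changed_at": "2026-02-24",
                        "prior_changed_at": "2025-12-26"},
    # Deliberately broken record: new too short and no uppercase, bad date, prior missing.
    "luks_credential": {"current": "CurrentLuksPwd1!", "new": "short1!",
                        "current_changed_at": "yesterday", "prior_changed_at": "2025-12-26"},
}


def active_rotations(booleans, tags=None):
    """Rotations that will run: every enabled rotate_* boolean when no --tags
    is given; with --tags, only the selected tags, and only if their boolean
    is also true (assumption: a tag never overrides a false boolean)."""
    enabled = {r for r in ROTATIONS if booleans.get(f"rotate_{r}_password", False)}
    if tags:
        enabled &= set(tags)
    return sorted(enabled, key=ROTATIONS.index)


def complexity_errors(value):
    """Problems with a candidate new value under the README complexity rule."""
    checks = (
        (len(value) >= MIN_LENGTH, f"shorter than {MIN_LENGTH} characters"),
        (re.search(r"[A-Z]", value), "no uppercase letter"),
        (re.search(r"[a-z]", value), "no lowercase letter"),
        (re.search(r"[0-9]", value), "no digit"),
        (re.search(r"[^A-Za-z0-9]", value), "no symbol"),
    )
    return [msg for ok, msg in checks if not ok]


def record_errors(name, record):
    """Shape, date-format and complexity problems for one credential record.
    Messages name the field but never echo the value (sanitized output)."""
    if not record:
        return [f"{name}: record is missing"]
    errors = [f"{name}.{f}: missing or empty" for f in REQUIRED_FIELDS if not record.get(f)]
    for f in ("current_changed_at", "prior_changed_at"):
        if record.get(f):
            try:
                date.fromisoformat(str(record[f]))
            except ValueError:
                errors.append(f"{name}.{f}: not an ISO date (YYYY-MM-DD)")
    if record.get("new"):
        errors += [f"{name}.new: {p}" for p in complexity_errors(str(record["new"]))]
    return errors


def preflight(booleans, vault, tags=None):
    """Validate only the records of active rotations, as preflight is scoped.
    Returns (active rotations, error messages)."""
    active = active_rotations(booleans, tags)
    errors = []
    for rotation in active:
        key = f"{rotation}_credential"
        errors += record_errors(key, vault.get(key))
    return active, errors


if __name__ == "__main__":
    for tags in (None, ["root"], ["luks"]):
        active, errors = preflight(ALL_ON, SAMPLE_VAULT, tags)
        print(f"tags={tags}: active={active} errors={errors}")
```

Running the script shows the scoping effect directly: with `--tags root` the broken luks record is never inspected and preflight passes, while with no tags or `--tags luks` the same vault fails with four field-level messages, none of which contain a password.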

Post-Run Vault Maintenance

Promote vault values only after the systems that use that record have completed every enabled rotation successfully. Immediate promotion is safe only for a host-specific credential record whose host fully succeeded. For shared credential records, promote only after every host sharing that record has fully succeeded.

  • prior = old current
  • prior_changed_at = old current_changed_at
  • current = new
  • current_changed_at = rotation date
  • new = next planned password

Keep failed hosts under investigation before promoting values in the vault. Failed hosts must keep using the credential state that matches their actual system state until they are resolved.
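The promotion sequence and its gating rule (promote a shared record only after every host using it has completed every enabled rotation successfully) are modelled below. This is an added example, not code from the rotateCredentials project; the function names, host names and the per-host result format are assumptions made for the illustration.

```python
"""Added example, not code from the rotateCredentials project: a model of the
README's post-run vault promotion sequence and of the gate that a shared
credential record is promoted only after every host sharing it has completed
every enabled rotation successfully. Names and the result format are assumptions."""
from datetime import date

# Constructed per-host outcomes in the shape of the sanitized summary:
# one status per enabled rotation, never a credential value.
SAMPLE_RESULTS = {
    "web1": {"root": "ok", "grub": "ok", "luks": "ok"},
    "web2": {"root": "ok", "grub": "ok", "luks": "failed"},   # still under investigation
    "web3": {"root": "ok", "grub": "skipped"},                # LUKS not enabled on this host
}
SAMPLE_GRUB = {"current": "CurrentGrubPwd1!", "new": "NewGrubPwdValue1!",
               "prior": "PriorGrubPwdValue1!", "current_changed_at": "2026-02-24",
               "prior_changed_at": "2025-12-26"}


def host_fully_succeeded(host_result):
    """A host has fully succeeded when it reported a summary and no enabled
    rotation failed; skips count as success, an absent summary does not."""
    return bool(host_result) and all(s in ("ok", "skipped") for s in host_result.values())


def promote_record(record, rotation_date, next_new):
    """Apply the README promotion sequence and return the new record:
    prior <- old current, prior_changed_at <- old current_changed_at,
    current <- new, current_changed_at <- rotation date, new <- next planned."""
    date.fromisoformat(rotation_date)   # reject a malformed date before touching the record
    return {
        "prior": record["current"],
        "prior_changed_at": record["current_changed_at"],
        "current": record["new"],
        "current_changed_at": rotation_date,
        "new": next_new,
    }


def promote_if_safe(record, hosts_using_record, results, rotation_date, next_new):
    """Promote only when every host using the record fully succeeded. On any
    blocking host the record is returned unchanged, so the vault keeps matching
    the actual system state, and the blocking hosts are listed."""
    blocking = [h for h in hosts_using_record if not host_fully_succeeded(results.get(h))]
    if blocking:
        return dict(record), blocking
    return promote_record(record, rotation_date, next_new), []


if __name__ == "__main__":
    for hosts in (["web1"], ["web1", "web2"], ["web1", "web3", "web4"]):
        record, blocking = promote_if_safe(SAMPLE_GRUB, hosts, SAMPLE_RESULTS,
                                           "2026-03-15", "NextGrubPwdValue1!")
        print(hosts, "blocked by" if blocking else "promoted, current_changed_at =",
              blocking or record["current_changed_at"])
```

Note that web2's failure is in the LUKS rotation, yet it still blocks promotion of the GRUB record it shares: the README requires every enabled rotation on every sharing host to succeed, not just the rotation the record belongs to. The next planned password passed as `next_new` should be run through the same complexity check that preflight applies to `new` before it is written to the vault.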

The final playbook output is sanitized. It reports successes, warnings, skips, and summarized failures without printing current, new, or prior credential values.

Verification

Run a syntax check before operating on hosts:

ansible-playbook --syntax-check rotate_credentials.yml

If your syntax check needs access to encrypted variables in your environment, load the real vault explicitly:

ansible-playbook --syntax-check rotate_credentials.yml \
  --ask-vault-pass \
  --extra-vars @path/to/vault.yml

For destructive validation of GRUB and LUKS behavior, use only disposable RHEL 8.10, RHEL 9, or Ubuntu virtual machines with snapshots and encrypted disks. Do not validate bootloader or disk-encryption credential rotation against irreplaceable systems.

About

Linux Rotate root, luks, grub passwords
