Security

Safe by default. Powerful when you opt in.

Enroll can touch sensitive files. This page helps you use it confidently.

Default behavior

In normal mode, Enroll attempts to avoid harvesting likely secrets using a combination of path deny-lists, content sniffing, and size caps. This means you may see some files intentionally skipped.

The --dangerous flag

Passing --dangerous disables the secret-safety checks, so a harvest can copy private keys, API tokens, DB passwords, TLS key material, etc.

Rule: if you use --dangerous, treat the output as sensitive data and plan secure storage before you run it. Don't store secrets in plaintext in a public place!

Encrypt bundles at rest with SOPS

With SOPS installed on your $PATH, pass --sops to write the harvest and/or manifest as a single encrypted .tar.gz.sops file, encrypted to the given GPG recipient(s). This is meant for storage at rest and backups.

$ enroll harvest --out /tmp/enroll-harvest --dangerous --sops <FINGERPRINT>
$ enroll manifest --harvest /tmp/enroll-harvest/harvest.tar.gz.sops \
  --out /tmp/enroll-ansible --sops <FINGERPRINT>

Important

In manifest --sops mode, you'll need to decrypt and extract the bundle before running ansible-playbook.

Recommended workflow

  1. Start with default mode (no --dangerous).
  2. Add --include-path for a small set of extra files you genuinely want managed.
  3. If you must capture secrets, use --dangerous and --sops.
  4. Keep outputs out of public repos; review before committing.
  5. Rotate credentials if you ever suspect they were captured or exposed.

Storage ideas

  • Encrypted SOPS bundle stored in a password manager vault
  • Private git repo with additional encryption at rest
  • Offline backup in an encrypted volume

Scope control

You can explicitly include or exclude paths. Excludes take precedence over includes.

$ enroll harvest --out /tmp/enroll-harvest \
  --include-path '/home/*/.profile' \
  --exclude-path '/home/*/.ssh/**'
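The following is an added illustration, not Enroll's own code, of how the default-mode safety checks described above (path deny-list, content sniffing, size cap) combine with --exclude-path precedence and the --dangerous switch. The deny-list globs, secret markers, 256 KiB cap, and the choice to honour --exclude-path even under --dangerous are assumptions made for the example.

```python
import re

# Constructed illustration of the safe-by-default filter this page describes
# (path deny-list, content sniffing, size cap, and exclude-over-include).
# It is not Enroll's own code; the globs, markers and cap are assumptions.
DENY_GLOBS = ["/home/*/.ssh/**", "/etc/ssl/private/**", "**/*.pem", "**/.env"]
SECRET_MARKERS = [
    re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    re.compile(rb"(?i)\b(api[_-]?key|secret|password)\b\s*[=:]\s*\S{8,}"),
]
MAX_BYTES = 256 * 1024  # assumed size cap


def glob_to_regex(pattern):
    """Minimal glob: '**' spans directories, '*' and '?' stay within one."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pattern[i] == "*":
            out, i = out + "[^/]*", i + 1
        elif pattern[i] == "?":
            out, i = out + "[^/]", i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile("^" + out + "$")


def matches_any(path, globs):
    return any(glob_to_regex(g).match(path) for g in globs)


def decide(path, content, excludes=(), dangerous=False):
    """Return (keep, reason) for one candidate file."""
    if matches_any(path, excludes):  # explicit excludes win, even under --dangerous
        return False, "skipped: matches --exclude-path"
    if dangerous:  # --dangerous turns off the three secret-safety checks below
        return True, "kept: --dangerous disables secret-safety checks"
    if matches_any(path, DENY_GLOBS):
        return False, "skipped: path on secret deny-list"
    if len(content) > MAX_BYTES:
        return False, "skipped: exceeds size cap"
    if any(m.search(content) for m in SECRET_MARKERS):
        return False, "skipped: content looks like a secret"
    return True, "kept"


SAMPLES = {  # constructed sample files; none of these are real secrets
    "/home/alice/.profile": b"export EDITOR=vim\n",
    "/home/alice/.ssh/id_ed25519": b"-----BEGIN OPENSSH PRIVATE KEY-----\nexample\n",
    "/etc/app/app.conf": b"db_host = localhost\npassword = example-not-real-123\n",
}
```

Running decide() over SAMPLES shows the .profile kept, the SSH key skipped by the deny-list, and app.conf skipped by content sniffing unless dangerous=True.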

Threat model (plain English)

What Enroll tries to prevent
  • Accidentally copying obvious secrets in default mode
  • Harvesting huge/unbounded file sets by mistake
  • Differences on one host breaking the Ansible task steps generated for other hosts (multi-site mode)
What you still own
  • Where outputs are stored and who can access them
  • Reviewing what was captured before committing/sharing
  • Choosing encryption and secret-management strategy