Commit Graph

1 Commits (32eec4a60c838d756071b5523df4466f816333a7)

Author SHA1 Message Date
Dustin e3d0b5e918 filter_plugins: Add decrypt Jinja2 filter
The `decrypt` filter decrypts an ASCII-armored string encrypted with
`age`.  It simply pipes the string to `age -d -i age.key` and returns
the contents of standard output.  The path to the key file (passed with
the `-i` argument) can be changed using the `key` keyword to the filter.

Using `age`-encrypted data in this way has a few advantages over Ansible
Vault.  Different values can be encrypted with different keys, which
Ansible Vault does support with vault IDs, but it is very cumbersome,
almost to the point of being useless.  Using multiple IDs requires
explicitly specifying the IDs to use (thus knowing ahead of time which
ones are needed) and storing each password in a separate file.  With the
`decrypt` filter, all the keys one has can be stored in a single file,
and `age` will find the correct one.  More importantly, though, the
values remain encrypted until they are **explicitly** decrypted (e.g.
when rendered in a template).  Contrast with Vault, where values are
**implicitly** decrypted any time they are used (including printing with
`debug`, etc.), which could potentially lead to inappropriate exposure.
Finally, the `age` tooling is easier to work with and more composable
than Ansible Vault, especially given that the latter literally _only_
works with Ansible.

In the next series of commits, I will be converting all usage of Ansible
Vault in inventory variables (i.e. those in `host_vars` and
`group_vars`) to use `age` (or outright removing those that are no
longer relevant).
2024-01-09 18:42:43 -06:00
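The filter plugin the commit describes, written out as an added example; this is not the repository's own `filter_plugins` code. It assumes the `age` binary is on `PATH` and that the identity file defaults to `age.key` relative to the working directory (as the commit's `-i age.key` implies). The `age_cmd` keyword, the armor header/footer check and the two `*_STUB` commands are additions of this example so the pipe-through-stdin plumbing can be exercised on a machine without `age`; the sample ciphertext is constructed and will not decrypt with a real key.

```python
"""filter_plugins/decrypt.py -- age-backed `decrypt` Jinja2 filter (added example)."""
import subprocess
import sys

try:  # under Ansible, raise the error type the engine reports cleanly
    from ansible.errors import AnsibleFilterError
except ImportError:  # stand-alone use (unit tests) without Ansible installed
    class AnsibleFilterError(Exception):
        pass

ARMOR_HEADER = "-----BEGIN AGE ENCRYPTED FILE-----"
ARMOR_FOOTER = "-----END AGE ENCRYPTED FILE-----"

# Constructed sample: shaped like age armor so the checks pass; not a real ciphertext.
SAMPLE_ARMOR = "\n".join([
    ARMOR_HEADER,
    "YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzYW1wbGUtb25seS1ub3Qt",
    "cmVhbC1jaXBoZXJ0ZXh0",
    ARMOR_FOOTER,
])

# Stand-ins for the `age` binary (this example's addition, not part of the commit):
# the first echoes stdin upper-cased so the piping can be observed, the second
# fails the way age does when no identity in the key file matches.
STUB_AGE = (sys.executable, "-c",
            "import sys; sys.stdout.write(sys.stdin.read().upper())")
FAILING_STUB = (sys.executable, "-c",
                "import sys; sys.stderr.write('age: error: no identity matched'); sys.exit(1)")


def decrypt(armored, key="age.key", age_cmd=("age",)):
    """Pipe an ASCII-armored age ciphertext to `age -d -i <key>`; return stdout.

    The ciphertext travels over stdin, never argv, so it does not show up in
    `ps` output or shell history.  `key` is passed verbatim to `-i`; age picks
    the matching identity out of that file itself.
    """
    if not isinstance(armored, str):
        raise AnsibleFilterError(
            "decrypt: expected an age-armored string, got %s" % type(armored).__name__)
    text = armored.strip()
    if not (text.startswith(ARMOR_HEADER) and text.endswith(ARMOR_FOOTER)):
        # Catches a value that was never encrypted (or a Vault blob left behind)
        # before it reaches age, with a clearer message than age's header error.
        raise AnsibleFilterError(
            "decrypt: value is not an ASCII-armored age ciphertext")
    cmd = list(age_cmd) + ["-d", "-i", key]
    try:
        proc = subprocess.run(cmd, input=text + "\n", capture_output=True,
                              text=True, check=False)
    except OSError as exc:  # binary missing or not executable
        raise AnsibleFilterError("decrypt: could not run %r: %s" % (cmd[0], exc))
    if proc.returncode != 0:
        # Report age's stderr only; never echo the ciphertext or key material.
        raise AnsibleFilterError(
            "decrypt: age exited %d: %s" % (proc.returncode, proc.stderr.strip()))
    return proc.stdout  # exactly what age wrote, trailing newline included if any


class FilterModule(object):
    """Ansible entry point: exposes the filter as `{{ value | decrypt }}`."""

    def filters(self):
        return {"decrypt": decrypt}
```

In a template the call is `{{ db_password | decrypt }}` or, with a different identity file, `{{ db_password | decrypt(key='/etc/ansible/age.key') }}`. Because decryption only happens where the filter is applied, a stray `debug: var=db_password` prints the armor, not the secret, which is the explicit-versus-implicit distinction the commit message draws against Vault.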