Introduction

Diffie-Hellman key exchange is a way for two parties to agree on a shared encryption key over a public channel. It's used in TLS and SSL connections to provide Perfect Forward Secrecy. Unfortunately, the default DH parameters distributed with applications are susceptible to a downgrade attack.

The debops.dhparam Ansible role generates a set of strong Diffie-Hellman parameters on the Ansible Controller. These parameters are preseeded on remote hosts, where they are ready for use by other applications. A separate script can then be run in the background on the remote hosts to generate new random DH parameters, either once or at regular intervals.

Installation

This role requires at least Ansible v2.1.4. To install it, run:

ansible-galaxy install debops.dhparam