Ansible Vault password uses
Instead of storing keys, passwords, environment settings and more in plain text, Ansible Vault lets you keep sensitive data encrypted, for example when you push your keys to a remote repository.
There are several ways to encrypt your sensitive data with Ansible Vault; some of them are:
- Encrypting files
- Encrypting strings with a password file
- Encrypting strings with --ask-vault-pass
Encrypting files
Ansible Vault can encrypt any structured data file, such as the group_vars and/or host_vars inventory variable files.
How to create an encrypted file?
ansible-vault create hello.yml
It will prompt you for a new vault password, which you should keep safe. The file will be opened in your default editor, and after saving it you will see the encrypted file:
cat hello.yml
$ANSIBLE_VAULT;1.1;AES256
323161626162363538303632333938386237333433353165323234643135326634306665663464363035633733353833353664333632623662353437653363310a613461666530356130386534323963393036663637633938643863616239373139366664643033646362363036313163663163623932383335633364643061330a613866346431643538386431356330323334323666653361313862376234636261303063353266333738623763313230303936353336623161623161666230386133333537303739636231386337323261313164383130396136373932373566
To edit the encrypted file
ansible-vault edit hello.yml
It will open the file in your default text editor in plain text and re-encrypt it after you close the editor.
Encrypting a string with a password file
As an example, create a file called "MyPasswordFile" and put any password you want inside it. This file will be used to encrypt your secrets, so keep it out of the repository and readable only by you: whoever can read it can decrypt everything protected with it.
To encrypt a single string, use the command below. In this case the variable name is "the_secret" and the string to be encrypted is "foobar".
ansible-vault encrypt_string --vault-password-file MyPasswordFile 'foobar' --name 'the_secret'
The output is the following:
ansible-vault encrypt_string --vault-password-file password 'foobar' --name 'the_secret'
Encryption successful
the_secret: !vault |
$ANSIBLE_VAULT;1.1;AES256
64346131343763356138666432346434313965393537653435653034643738333436303031623236
3735343431333362393438356361313730376464373134620a633434373634666463316164323233
32333335393239396435313435366432613862366461313661383961363465326235363963333063
3236383962646134640a333336316338626463363431363462333434363261303338636365306235
Encrypting a string with --ask-vault-pass
With --ask-vault-pass, ansible-vault reads the password from standard input, so it is not stored in any file at all; you are then responsible for where the password is kept.
"foobar" is the string to be encrypted and "the_secret" is the variable name that will hold the encrypted string.
ansible-vault encrypt_string --ask-vault-pass 'foobar' --name 'the_secret'
The output, after entering and confirming the new password:
ansible-vault encrypt_string --ask-vault-pass 'foobar' --name 'the_secret'
New Vault password:
Confirm New Vault password:
Encryption successful
the_secret: !vault |
$ANSIBLE_VAULT;1.1;AES256
38393063353031373232323439353737613736306630643565616132663538613436613962323636
6565323365623531313232383863356632303231376363640a306531323061323666333161336165
33363431386264643432336330343666623637306132366236313761336331366233353235323861
3334633466336365370a633732636236376161326461393735663332656261666131663565633166
How to run the playbook
Using a password file
ansible-playbook --vault-password-file /path/to/my/vault-password-file site.yml
Using --ask-vault-password
ansible-playbook --ask-vault-pass site.yml
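As an added example (not code from the original post or from Ansible itself), the following POSIX shell script ties the file-encryption and string-encryption sections together from the defender's side: before the repository is pushed, it checks that every file under group_vars/ and host_vars/ is either a whole-file vault (what ansible-vault create produces) or carries inline !vault values (what encrypt_string produces), and that the vault password file grants no group or other permissions. The directory layout, file names and the sample plaintext value are constructed; the inline ciphertext reused for the sample is the one printed in the post, and the whole-file sample only needs the header for this check and is not a decryptable vault.

```shell
#!/bin/sh
# Added example, not code from the original post or from the Ansible project.
# Pre-push sanity check for the workflow above: inventory variable files must
# be vault-encrypted (whole-file vault from "ansible-vault create", or inline
# "!vault" values from "ansible-vault encrypt_string"), and the vault password
# file must not be readable by other users.
# The directory layout, file names and plaintext sample value are constructed.
set -eu

VAULT_HEADER='$ANSIBLE_VAULT;1.1;AES256'

# 0 if the whole file is a vault blob, i.e. its first line is the vault header.
is_vault_file() {
    [ -f "$1" ] && [ "$(head -n 1 "$1")" = "$VAULT_HEADER" ]
}

# 0 if the file is plain YAML but contains at least one inline "!vault" value.
has_inline_vault() {
    grep -q '!vault' "$1"
}

# Print one of: encrypted, inline, plaintext.
classify() {
    if is_vault_file "$1"; then
        echo encrypted
    elif has_inline_vault "$1"; then
        echo inline
    else
        echo plaintext
    fi
}

# Report every plaintext file under the given directories on stderr and
# print the number found on stdout (0 means the tree is safe to push).
find_plaintext() {
    count=0
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for f in "$dir"/*; do
            [ -f "$f" ] || continue
            if [ "$(classify "$f")" = plaintext ]; then
                echo "plaintext secrets file: $f" >&2
                count=$((count + 1))
            fi
        done
    done
    echo "$count"
}

# 0 if the vault password file grants no group/other permissions (mode 600 or
# stricter). Parsing "ls -l" avoids the GNU/BSD differences in stat(1).
password_file_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Build a constructed inventory tree in a temp directory and print its path:
# a whole-file vault (header plus one ciphertext line from the post; not
# decryptable, enough for the check), a file with the post's inline
# encrypt_string value, a plaintext file, and two password files.
setup_demo() {
    d=$(mktemp -d)
    mkdir "$d/group_vars" "$d/host_vars"
    printf '%s\n' "$VAULT_HEADER" \
        '64346131343763356138666432346434313965393537653435653034643738333436303031623236' \
        > "$d/group_vars/vault.yml"
    printf '%s\n' 'the_secret: !vault |' \
        '          $ANSIBLE_VAULT;1.1;AES256' \
        '          64346131343763356138666432346434313965393537653435653034643738333436303031623236' \
        '          3735343431333362393438356361313730376464373134620a633434373634666463316164323233' \
        '          32333335393239396435313435366432613862366461313661383961363465326235363963333063' \
        '          3236383962646134640a333336316338626463363431363462333434363261303338636365306235' \
        > "$d/host_vars/web1.yml"
    printf '%s\n' 'db_password: not-a-real-password' > "$d/group_vars/all.yml"
    printf '%s\n' 'constructed-vault-password' > "$d/vault-pass"
    chmod 600 "$d/vault-pass"
    cp "$d/vault-pass" "$d/vault-pass-shared"
    chmod 644 "$d/vault-pass-shared"
    echo "$d"
}

demo=$(setup_demo)
found=$(find_plaintext "$demo/group_vars" "$demo/host_vars")
echo "plaintext files found: $found"
password_file_is_private "$demo/vault-pass" && echo "vault-pass: owner-only, OK"
password_file_is_private "$demo/vault-pass-shared" || echo "vault-pass-shared: readable by others, fix with chmod 600"
rm -rf "$demo"
```

Run it as a pre-push hook, or point find_plaintext at your real group_vars and host_vars directories and fail the push when it prints anything other than 0. The classification is deliberately conservative: a file that mixes plaintext keys with a single inline !vault value is reported as "inline", so files where only some values were encrypted still deserve a manual look.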