Ansible password vault uses


Instead of storing keys, passwords, environment settings and more in plain text, you can use Ansible Vault, a feature that keeps sensitive data encrypted, for example when you push your keys to a remote repository.

There are several ways to encrypt your sensitive data using Ansible Vault. Some of them are:

  • Encrypting files
  • Encrypting strings with a password file
  • Encrypting strings with --ask-vault-pass

Encrypting files

Ansible Vault can encrypt any structured data file, such as group_vars and/or host_vars inventory variables.

How to create an encrypted file?

ansible-vault create hello.yml

It will prompt you for a new vault password, which you should keep safe. The file will be opened in your default editor, and after saving it you will be able to see the encrypted file:

cat hello.yml

To edit the encrypted file

ansible-vault edit hello.yml

It will open in your default text editor in plain text and will be encrypted after closing the file.

Encrypting a string with a password file

As an example, create a file called "myPasswordFile" and put any password you want inside that file. This file will be used to encrypt your secrets.

To encrypt a single string, use the command below. In this case the name of the variable is "the_secret" and the string to be encrypted is "foobar".

ansible-vault encrypt_string --vault-password-file myPasswordFile 'foobar' --name 'the_secret'

The output is the following:

ansible-vault encrypt_string --vault-password-file password 'foobar' --name 'the_secret'
Encryption successful
the_secret: !vault |

Encrypting a string with --ask-vault-pass

The --ask-vault-pass option lets you enter the password on standard input, so your password is not stored in any file at all, but you are responsible for where the password is stored.

"foobar" is the string to be encrypted and "the_secret" is the variable name storing the encrypted string.

ansible-vault encrypt_string --ask-vault-pass 'foobar' --name 'the_secret'

The output after creating the password:

ansible-vault encrypt_string --ask-vault-pass 'foobar' --name 'the_secret'
New Vault password: 
Confirm New Vault password: 
Encryption successful
the_secret: !vault |

How to run the playbook

Using a file as a password

ansible-playbook --vault-password-file /path/to/my/vault-password-file site.yml

Using --ask-vault-pass

ansible-playbook --ask-vault-pass site.yml
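
A pre-push check for the workflow above, as an added example that is not part of the original post: it confirms that each listed file starts with the `$ANSIBLE_VAULT;` header seen when you `cat` an encrypted file, and that the vault password file is readable only by its owner. The function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): checks to run before pushing.

# Succeeds when FILE begins with the Ansible Vault envelope header,
# e.g. "$ANSIBLE_VAULT;1.1;AES256" (line 1 of an encrypted hello.yml).
is_vault_encrypted() {
    first_line=$(head -n 1 -- "$1" 2>/dev/null) || return 1
    case "$first_line" in
        '$ANSIBLE_VAULT;'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeeds when FILE is a regular file with no group/other permission bits,
# so only its owner can read the vault password.
password_file_is_private() {
    [ -f "$1" ] || return 1
    mode=$(ls -ld -- "$1") || return 1
    case "$mode" in
        -???------*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_vault PASSWORD_FILE FILE...
# Prints one line per problem and returns the number of problems found.
audit_vault() {
    problems=0
    pwfile=$1
    shift
    if ! password_file_is_private "$pwfile"; then
        echo "FAIL: $pwfile is missing or accessible by group/other (chmod 600)"
        problems=$((problems + 1))
    fi
    for f in "$@"; do
        if ! is_vault_encrypted "$f"; then
            echo "FAIL: $f is not vault-encrypted"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Usage: sh audit.sh myPasswordFile hello.yml group_vars/all/vault.yml
if [ "$#" -gt 0 ]; then audit_vault "$@"; fi
```

The password file itself should also be kept out of the repository, for example by listing it in .gitignore.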

