Ansible Vault password uses

Instead of storing keys, passwords, environment variables and other sensitive data in plain text, Ansible Vault lets you keep that data encrypted, for example when you push it to a remote repository.

There are several ways to encrypt sensitive data with Ansible Vault; some of them are:

  • Encrypting files
  • Encrypting strings with a password file
  • Encrypting strings with --ask-vault-pass

Encrypting files

Ansible Vault can encrypt any structured data file, such as group_vars and host_vars inventory variable files.

How to create an encrypted file?

ansible-vault create hello.yml

It will prompt you for a new vault password, which you should keep safe. The file then opens in your default editor, and after saving it you will see the encrypted contents:

cat hello.yml
$ANSIBLE_VAULT;1.1;AES256
32316162616236353830363233393838623733343335316532323464313532663430666566346436
3035633733353833353664333632623662353437653363310a613461666530356130386534323963
39303666363763393864386361623937313936666464303364636236303631316366316362393238
3335633364643061330a613866346431643538386431356330323334323666653361313862376234
63626130306335326633373862376331323030393635333662316162316166623038613333353730
3739636231386337323261313164383130396136373932373566

To edit the encrypted file

ansible-vault edit hello.yml

It opens in your default text editor in plain text and is encrypted again when you save and close the file.

Encrypting a string with a password file

As an example, create a file called "MyPasswordFile" and put any password you want inside it. This file will be used to encrypt your secrets, so keep it out of version control and readable only by you (for example, chmod 600).

To encrypt a single string, use the command below. In this case the variable name is "the_secret" and the string to be encrypted is "foobar".

ansible-vault encrypt_string --vault-password-file MyPasswordFile 'foobar' --name 'the_secret'

The output is the following:

ansible-vault encrypt_string --vault-password-file password 'foobar' --name 'the_secret'
Encryption successful
the_secret: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          64346131343763356138666432346434313965393537653435653034643738333436303031623236
          3735343431333362393438356361313730376464373134620a633434373634666463316164323233
          32333335393239396435313435366432613862366461313661383961363465326235363963333063
          3236383962646134640a333336316338626463363431363462333434363261303338636365306235

Encrypting a string with --ask-vault-pass

The --ask-vault-pass option lets you type the vault password on standard input, so the password is not stored in any file at all; you are then responsible for where the password is kept.

"foobar" is the string to be encrypted and "the_secret" is the name of the variable that stores the encrypted string.

ansible-vault encrypt_string --ask-vault-pass 'foobar' --name 'the_secret'

The output after entering and confirming the new password:

ansible-vault encrypt_string --ask-vault-pass 'foobar' --name 'the_secret'
New Vault password: 
Confirm New Vault password: 
Encryption successful
the_secret: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          38393063353031373232323439353737613736306630643565616132663538613436613962323636
          6565323365623531313232383863356632303231376363640a306531323061323666333161336165
          33363431386264643432336330343666623637306132366236313761336331366233353235323861
          3334633466336365370a633732636236376161326461393735663332656261666131663565633166

How to run the playbook

Using a password file

ansible-playbook --vault-password-file /path/to/my/vault-password-file site.yml

Using --ask-vault-pass

ansible-playbook --ask-vault-pass site.yml
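As an added example (not code from the original post or from Ansible itself), a POSIX shell pre-commit style check for the mistake this article is about: a secrets file pushed to a remote repository in plain text. It assumes the naming convention that secret files are called *vault*.yml under group_vars/ or host_vars/, and the sample repository it builds is constructed for the demonstration.

```shell
# Added example, not code from the original post: a pre-commit style check that
# stops plaintext secrets from reaching the remote repository.
# Assumption (a naming convention, not an Ansible requirement): files holding
# secrets are named *vault*.yml under group_vars/ or host_vars/.

VAULT_HEADER='$ANSIBLE_VAULT;1.1;AES256'

# True (exit 0) when the file's first line is the Ansible Vault 1.1 header,
# i.e. the whole file was encrypted with "ansible-vault create/encrypt".
is_vault_encrypted() {
    [ -f "$1" ] || return 1
    [ "$(head -n 1 "$1")" = "$VAULT_HEADER" ]
}

# True (exit 0) when a plain YAML vars file has a secret-looking key
# (password/secret/token/key in its name) whose value is not an inline
# "!vault |" block produced by "ansible-vault encrypt_string".
# Heuristic: key names are matched by substring, so review the output.
has_plaintext_secret_keys() {
    grep -Ei '^[[:space:]]*[a-z0-9_]*(password|secret|token|key)[a-z0-9_]*:' "$1" \
        | grep -v '!vault' >/dev/null
}

# Scans a repository for vault-named files; returns 1 and lists every file
# that is still plaintext so it can be fixed with "ansible-vault encrypt".
check_vault_files() {
    status=0
    for f in $(find "$1" \( -path '*/group_vars/*' -o -path '*/host_vars/*' \) \
                    -type f -name '*vault*.yml'); do
        if ! is_vault_encrypted "$f"; then
            echo "not vault-encrypted: $f" >&2
            status=1
        fi
    done
    return $status
}

# Constructed sample repository: one properly encrypted vault file, one
# plaintext vault file, and a vars file mixing an inline vault string with
# non-secret values. The hex body is a truncated placeholder, not real output.
setup_sample_repo() {
    dir=$(mktemp -d)
    mkdir -p "$dir/group_vars/all" "$dir/host_vars/web1"
    printf '%s\n%s\n' "$VAULT_HEADER" '3231616261623635' > "$dir/group_vars/all/vault.yml"
    printf 'db_password: foobar\n' > "$dir/host_vars/web1/vault.yml"
    printf '%s\n%s\n%s\n' 'the_secret: !vault |' \
        '          $ANSIBLE_VAULT;1.1;AES256' 'app_name: demo' > "$dir/group_vars/all/main.yml"
    echo "$dir"
}
```

Run `check_vault_files "$(git rev-parse --show-toplevel)"` from a pre-commit hook; a non-zero exit blocks the commit until the listed files are encrypted.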

Reference
https://docs.ansible.com/ansible/2.8/user_guide/vault.html#id6