Ansible Vault Basics
Recommended: set no_log: true on tasks in the playbook that handle vault secrets, to prevent sensitive information from appearing in verbose output and logs.
Encryption with Ansible Vault ONLY protects ‘data at rest’. Once the content is decrypted (‘data in use’, e.g. while a playbook runs) it is no longer encrypted.
- Encrypt File
- Edit Encrypted File
- View Encrypted File
- Decrypt File
- Encrypt String
- Decrypt String
- Create Password File
- Run Playbook
- Related
- Links
Encrypt File
Encrypt an already existing file. You will be prompted for the password.
ansible-vault encrypt file.txt
Encrypt an already existing file. The password is read from a vault password file.
ansible-vault encrypt file.txt --vault-password-file ~/.ansible_vault_key
Create a new file and encrypt it (opens in a text editor)
ansible-vault create vault.yml
New Vault password: Confirm Vault password:
Edit Encrypted File
Prompt for the password
ansible-vault edit file.txt
Vault password:
Provide the password via a file
ansible-vault edit file.txt --vault-password-file ~/.ansible_vault_key
View Encrypted File
Prompt for the password
ansible-vault view file.txt
Provide the password via a file
ansible-vault view file.txt --vault-password-file ~/.ansible_vault_key
Decrypt File
Decrypt a file in place (the file is left in plain text on disk). Prompts for the password.
ansible-vault decrypt file.txt
Vault password: Decryption successful
Encrypt String
Encrypt a single value as a YAML variable named secret_var. Prompts for the password.
ansible-vault encrypt_string 'this text is secret' --name secret_var
New Vault password: Confirm Vault password: ... Encryption successful
Same, but tag the value with the vault ID label prod (password prompted)
ansible-vault encrypt_string 'this text is secret' --name secret_var --vault-id prod@prompt
Decrypt String
Decrypt
Create Password File
Write the password to a file and restrict it to the owner only
echo "password" > vault.txt
chmod 600 vault.txt
Run Playbook
Prompt for the password (vault ID label prod)
ansible-playbook playbook.yml --vault-id prod@prompt
Password read from a plain-text vault password file
ansible-playbook --vault-password-file vault.txt playbook.yml
Password read from the vault.txt password file created above, with vault ID label prod
ansible-playbook playbook.yml --vault-id prod@vault.txt
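As an added example (not from the original page or the Ansible project), a POSIX shell script a CI job or pre-commit hook can run without Ansible installed: it checks that vars files still carry a vault header (the ‘data at rest’ point above), reads the --vault-id label from a 1.2 header, and verifies the password file is chmod 600. The vars directory and password file names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: Ansible Vault hygiene checks.
# Assumed layout: a vars directory of vault-encrypted YAML files and a
# password file such as the vault.txt created above.

# Print the vault-id label from a file's header, "none" for a 1.1 header
# (encrypted with a bare password, no --vault-id label), or fail with
# status 1 if the file is not vault-encrypted at all.
vault_id_label() {
  header=$(head -n 1 "$1" 2>/dev/null)
  case "$header" in
    '$ANSIBLE_VAULT;1.2;AES256;'*) printf '%s\n' "${header#*AES256;}" ;;
    '$ANSIBLE_VAULT;1.1;AES256')   echo none ;;
    *)                              return 1 ;;
  esac
}

# Succeed only if the file is still encrypted (data at rest).
is_vault_encrypted() {
  vault_id_label "$1" >/dev/null 2>&1
}

# Succeed only if the password file is readable by its owner alone (0600 or
# stricter): the group and other columns of `ls -l` must all be '-'.
password_file_is_private() {
  [ -f "$1" ] || return 1
  [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Report every plaintext file in the vars directory and a loosely permitted
# password file; return non-zero if anything is wrong.
vault_hygiene_check() {
  pw_file=$1; vars_dir=$2; rc=0
  password_file_is_private "$pw_file" || { echo "INSECURE PERMS: $pw_file"; rc=1; }
  for f in "$vars_dir"/*; do
    [ -f "$f" ] || continue
    is_vault_encrypted "$f" || { echo "PLAINTEXT SECRET: $f"; rc=1; }
  done
  return $rc
}
```

Run it as vault_hygiene_check vault.txt group_vars/all from the repository root; a non-zero exit blocks the commit or the CI job.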
Related
Links
- https://docs.ansible.com/ansible/latest/cli/ansible-vault.html
- https://docs.ansible.com/ansible/latest/user_guide/vault.html