Ansible Vault Basics

Recommended: set
no_log: true
on every task that handles a vaulted value, so the value does not appear in verbose (-v) output or in logs. It applies per task, not per playbook, and it only suppresses Ansible's own output; it does not stop the task from writing the value somewhere itself (a file, a command line), so review what the task does with it.

Encryption with Ansible Vault only protects data at rest. Once a value is decrypted for use by a play (data in use) it is plaintext in memory, in the task's arguments and in whatever the task writes or sends to managed hosts; the vault does nothing for it at that point, which is why no_log matters.

Encrypt File

Encrypt an already existing file. Will be prompted for password.

ansible-vault encrypt file.txt

Encrypt an already existing file. Password provided via vault password file.

ansible-vault encrypt file.txt --vault-password-file ~/.ansible_vault_key

Create and encrypt a new file (opens the file in the editor named by $EDITOR, vi by default)

ansible-vault create vault.yml
New Vault password:
Confirm Vault password:

Edit Encrypted File

Prompts for the password

ansible-vault edit file.txt

Provide password via a file

ansible-vault edit file.txt --vault-password-file ~/.ansible_vault_key

View Encrypted File

Prompt for password

ansible-vault view file.txt

Provide password via a file

ansible-vault view file.txt --vault-password-file ~/.ansible_vault_key

Decrypt File

Decrypts the file in place: the plaintext replaces the vault text on disk. Use view or edit when the file should stay encrypted.

ansible-vault decrypt file.txt
Vault password:
Decryption successful

Encrypt String

Encrypts a single value and prints it as a YAML variable that can be pasted into a vars file.

ansible-vault encrypt_string 'this text is secret' --name secret_var
New Vault password:
Confirm Vault password:
secret_var: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          ...
Encryption successful

Same, but labelled with the vault ID prod (the header becomes $ANSIBLE_VAULT;1.2;AES256;prod, so the matching password can be selected by label later):

ansible-vault encrypt_string 'this text is secret' --name secret_var --vault-id prod@prompt

Note: a secret passed as a command-line argument is recorded in shell history. To avoid that, use --stdin-name secret_var instead of --name and pipe the value in.

Decrypt String

An encrypted string is a YAML value, so it is decrypted by loading the vars file that contains it and printing the variable, for example with the debug module (here secret_var is defined in vars.yml):

ansible localhost -m ansible.builtin.debug -a var=secret_var -e @vars.yml --ask-vault-pass

Create Password File

Write the password to a file that only the owner can read. The file holds the password in plain text, so the chmod matters; note also that a password typed on the command line, as in the echo below, ends up in the shell history.

echo "password" > vault.txt
chmod 600 vault.txt

Run Playbook

Prompt for the password, bound to the vault ID prod

ansible-playbook playbook.yml --vault-id prod@prompt

Password read from the plain-text password file

ansible-playbook --vault-password-file vault.txt playbook.yml

Password file bound to the vault ID prod (the label lets Ansible match the password to data encrypted with --vault-id prod@... when more than one password is supplied)

ansible-playbook playbook.yml --vault-id prod@vault.txt
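An end-to-end example in POSIX sh that ties the steps above together (added here; it is not code from the original page or from the Ansible project): the vault password file is created under a 077 umask instead of echo-then-chmod, its mode is verified before use, the variable is encrypted with encrypt_string reading the secret from stdin so it stays out of shell history, and the playbook task that consumes the value carries no_log: true. The vault ID prod, the file names vault.txt, vault.yml and playbook.yml, and the variable db_password are assumptions; the playbook is constructed for the example. The file-handling functions work on their own; the Ansible steps run only when the script is invoked with the argument demo on a machine where ansible-playbook is installed.

```shell
#!/bin/sh
# Added example, not from the original page or from Ansible's own docs.
# Assumptions: vault ID "prod", file names vault.txt / vault.yml /
# playbook.yml, variable name db_password; the playbook below is constructed
# for this example. The Ansible steps only execute when invoked as
# "sh this.sh demo" and ansible-playbook is installed.
set -eu

# Create the vault password file under a 077 umask so it is mode 0600 from
# the moment it exists (no window where it is readable before a chmod). The
# password is a function argument, never part of this script's command line.
write_vault_password_file() {
    path="$1"
    password="$2"
    rm -f "$path"                      # an existing file would keep its old mode
    ( umask 077; printf '%s\n' "$password" > "$path" )
}

# Check the password file ourselves rather than relying on Ansible to:
# returns 0 only for a regular file whose mode is exactly 0600.
check_vault_password_file() {
    path="$1"
    [ -f "$path" ] || return 1
    # GNU stat prints the octal mode with -c '%a'; BSD/macOS stat with -f '%Lp'.
    mode=$(stat -c '%a' "$path" 2>/dev/null || stat -f '%Lp' "$path")
    [ "$mode" = "600" ]
}

# Encrypt a secret read from stdin as the YAML variable db_password, so the
# plaintext never appears in argv or shell history (unlike --name with an
# argument). The output is a complete vars file.
create_vaulted_vars() {
    pwfile="$1"
    out="$2"
    ansible-vault encrypt_string --vault-id "prod@$pwfile" --stdin-name db_password > "$out"
}

# Constructed playbook: the only task that touches the secret is no_log: true,
# so neither -vvv output nor log files show the value or the assert details.
write_demo_playbook() {
    cat > "$1" <<'EOF'
- hosts: localhost
  gather_facts: false
  vars_files:
    - vault.yml
  tasks:
    - name: Check the vaulted secret without echoing it
      ansible.builtin.assert:
        that: db_password | length >= 12
        quiet: true
      no_log: true
EOF
}

# Refuse to run with a loosely permissioned password file, then run with the
# password bound to the same vault ID the data was encrypted under.
run_playbook() {
    playbook="$1"
    pwfile="$2"
    if ! check_vault_password_file "$pwfile"; then
        echo "refusing to run: $pwfile must be a regular file with mode 0600" >&2
        return 1
    fi
    ansible-playbook "$playbook" --vault-id "prod@$pwfile"
}

# End-to-end run, only on request and only when Ansible is installed.
if [ "${1:-}" = "demo" ] && command -v ansible-playbook >/dev/null 2>&1; then
    workdir=$(mktemp -d)
    cd "$workdir"
    # Literal passwords here only so the example runs unattended; in real use
    # read them from a prompt or a secret store.
    write_vault_password_file vault.txt 'example-vault-password'
    printf '%s' 's3cr3t-db-password' | create_vaulted_vars vault.txt vault.yml
    write_demo_playbook playbook.yml
    run_playbook playbook.yml vault.txt
fi
```

The prod@vault.txt on the run side matches the prod@vault.txt used at encryption, so the vaulttext header ($ANSIBLE_VAULT;1.2;AES256;prod) identifies which password belongs to the data when several vault IDs are supplied. The permission check is deliberately strict (exactly 0600): a group-readable password file makes every vaulted secret readable by that group, which is the failure mode the vault exists to prevent.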

References

  • https://docs.ansible.com/ansible/latest/cli/ansible-vault.html
  • https://docs.ansible.com/ansible/latest/user_guide/vault.html