Ansible Vault can encrypt anything inside of a YAML file, using a password of your choice which secures your sensible data such as passwords or keys. Ansible vault is mainly used for encrypting variable files and it can encrypt any YAML file.
Most common files to encrypt are:
- A role’s defaults/main.yml file
- A role’s vars/main.yml file
- Files within the group_vars directory
- Any other file used to store variables.
Creating Encrypted Files.
To create a new encrypted data file using ansible,
[root@ansible vault]# ansible-vault create sample.yml
New Vault password:
Confirm New Vault password:
[root@ansible vault]#
The ansible-vault command will ask you for a new password twice.
Encrypted files look like below code,
[root@ansible vault]# cat sample.yml
$ANSIBLE_VAULT;1.1;AES256
34633862393363633630643337343263393762313531386263653935623139303839666362313961
3233356336343366383766363563303035386233393833390a393733303062653830373562396233
65633663346662336462333838333262333836396631373064636636306230623132353163383330
3165333737636363660a386438306662643135643937643264636461633035656231336435393565
30343832393839666532353835646139353565326363626332616132613538353566323838643737
3833303431656239303564633164323766393266383530663332
[root@ansible vault]#
Encrypting an Existing File.
Using ansible-vault, we can ecrypt an existing file.
[root@ansible vault]# ansible-vault encrypt test.yml
New Vault password:
Confirm New Vault password:
Encryption successful
[root@ansible vault]#
Editing an encrypted file.
Once you have encrypted a file then the only way to edit the same file is by using code,
[root@ansible vault]# ansible-vault edit test.yml
Vault password:
[root@ansible vault]#
Decrypting a File
You can decrypt an encrypted file for getting back the plain text format as well:
[root@ansible vault]# ansible-vault decrypt test.yml
Vault password:
Decryption successful
[root@ansible vault]#
Encrypting Variables specifically.
Opening an encrypted file will change the encrypted hash. Since you dont have to encrypt a whole file.openticket
[root@ansible vault]# ansible-vault encrypt_string 'sample plaintext string' --name 'new_string'
New Vault password:
Confirm New Vault password:
new_string: !vault |
$ANSIBLE_VAULT;1.1;AES256
34373730663434346533623339666164623866393563383930363935626661333137303963356230
6436636563303736353139333631356532623366373934310a383038643130646332366136646439
65366565316238363631623436643536306533393165346133393738623235356663613134313530
6234343139656166640a663435636137333465303938616233343162303263663537313263663034
31373661313763653734633164356631313166323139646338363338636139363237
Encryption successful
[root@ansible vault]#
You can paste the output or append into an existing YAML file for use this string
Running Ansible with Encrypted Variables.
At the time when your playbooks reference encrypted variables, then you may need to specify to Ansible the password.
[root@ansible vault]# ansible-playbook --ask-vault-pass -i inventory_file test.yml
Vault password:
–ask-vault-pass will instruct Ansible to ask vault password .
Also you can do store vault password on file and instruct to Ansible via code
[root@ansible vault]# cat > vault_password
Enter_password
Save and exit
Then run the below command,
[root@ansible vault]# ansible-vault --vault-password-file=vault_password test.yml