ansible-vault is a command-line tool that ships with Ansible.
It encrypts sensitive data (passwords, API keys, certificates)
inside your playbooks, variable files and inventory so that the
plaintext never has to be committed to version control.
Ansible Vault does not implement its own cryptographic
primitives; it uses the external python "cryptography" package
for AES and derives its keys from the vault password with PBKDF2.
Below are some points for ansible-vault.
1. Symmetric Encryption: ansible-vault encrypts sensitive data such
as passwords, API keys and other secrets with a symmetric cipher
(AES-256). This means that the same vault password is used to both
encrypt and decrypt the data, so anyone holding the password can
read every file that was encrypted with it.
2. Encrypted Files: ansible-vault encrypt rewrites the file in
place: the plaintext is replaced by a header line
($ANSIBLE_VAULT;1.1;AES256) followed by the hex-encoded
ciphertext, so the result is safe to commit. The original
plaintext is kept only if you write the result elsewhere with
--output; remember it may still survive in editor backup files
or in earlier git history.
3. Vault Password: To encrypt or decrypt data using
ansible-vault, you need a vault password. This password is
required whenever you work with encrypted data, including when
you run a playbook that loads an encrypted file.
You can provide it interactively (--ask-vault-pass), from a file
(--vault-password-file, which may also be an executable script that
prints the password) or via the ANSIBLE_VAULT_PASSWORD_FILE
environment variable. A password file must be readable only by
you (chmod 600) and must never be committed next to the vault
files it unlocks. Several passwords can be used side by side with
--vault-id label@source.
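To show what the tool actually does with the vault password, here is an added example, not Ansible's own code, that re-implements the vault 1.1 file format in Python: PBKDF2 key stretching, the encrypt-then-MAC layout, the hex envelope with its 80-column wrapping, and the integrity check that runs before any decryption. Like Ansible itself it relies on the "cryptography" package for AES; the envelope parsing and HMAC verification use only the standard library, so the tamper check works even without that package. The password, plaintext and salt values are constructed for the demonstration.

```python
"""Re-implementation of the Ansible Vault 1.1 file format (added example).

Layout written by `ansible-vault encrypt`:
    $ANSIBLE_VAULT;1.1;AES256
    hex( hex(salt), hex(hmac), hex(ciphertext) joined by newlines ), 80 columns per line
Keys: PBKDF2-HMAC-SHA256(vault password, 32-byte salt, 10000 iterations, 80 bytes)
    -> 32-byte AES-256 key, 32-byte HMAC-SHA256 key, 16-byte AES-CTR IV.
"""
import binascii
import hashlib
import hmac
import os

try:  # AES is the one primitive the standard library lacks; Ansible uses this package too
    from cryptography.hazmat.primitives import padding
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    HAVE_CRYPTOGRAPHY = True
except ImportError:  # envelope parsing and the integrity check still work without it
    HAVE_CRYPTOGRAPHY = False

HEADER = "$ANSIBLE_VAULT;1.1;AES256"
ITERATIONS = 10000


def derive_keys(password: bytes, salt: bytes):
    """Stretch the vault password into (aes_key, hmac_key, iv)."""
    material = hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS, dklen=80)
    return material[:32], material[32:64], material[64:80]


def make_mac(hmac_key: bytes, ciphertext: bytes) -> bytes:
    """Encrypt-then-MAC tag over the ciphertext only."""
    return hmac.new(hmac_key, ciphertext, hashlib.sha256).digest()


def build_envelope(salt: bytes, mac: bytes, ciphertext: bytes) -> str:
    inner = b"\n".join(binascii.hexlify(part) for part in (salt, mac, ciphertext))
    outer = binascii.hexlify(inner).decode("ascii")
    lines = [outer[i:i + 80] for i in range(0, len(outer), 80)]
    return HEADER + "\n" + "\n".join(lines) + "\n"


def parse_envelope(text: str):
    """Return (salt, mac, ciphertext); reject anything that is not a 1.1/AES256 vault."""
    header, _, body = text.strip().partition("\n")
    if header != HEADER:
        raise ValueError("not an ansible-vault 1.1 AES256 envelope: %r" % header)
    parts = binascii.unhexlify("".join(body.split())).split(b"\n")
    if len(parts) != 3:
        raise ValueError("malformed vault payload")
    salt, mac, ciphertext = (binascii.unhexlify(part) for part in parts)
    return salt, mac, ciphertext


def verify_mac(password: bytes, salt: bytes, mac: bytes, ciphertext: bytes) -> bool:
    """Constant-time integrity check; runs before any decryption is attempted."""
    _, hmac_key, _ = derive_keys(password, salt)
    return hmac.compare_digest(make_mac(hmac_key, ciphertext), mac)


def encrypt(plaintext: bytes, password: bytes, salt: bytes = None) -> str:
    salt = os.urandom(32) if salt is None else salt  # fresh salt => fresh keys and IV per file
    aes_key, hmac_key, iv = derive_keys(password, salt)
    padder = padding.PKCS7(algorithms.AES.block_size).padder()
    padded = padder.update(plaintext) + padder.finalize()
    enc = Cipher(algorithms.AES(aes_key), modes.CTR(iv)).encryptor()
    ciphertext = enc.update(padded) + enc.finalize()
    return build_envelope(salt, make_mac(hmac_key, ciphertext), ciphertext)


def decrypt(text: str, password: bytes) -> bytes:
    salt, mac, ciphertext = parse_envelope(text)
    if not verify_mac(password, salt, mac, ciphertext):
        raise ValueError("Decryption failed: wrong vault password or tampered file")
    aes_key, _, iv = derive_keys(password, salt)
    dec = Cipher(algorithms.AES(aes_key), modes.CTR(iv)).decryptor()
    unpadder = padding.PKCS7(algorithms.AES.block_size).unpadder()
    return unpadder.update(dec.update(ciphertext) + dec.finalize()) + unpadder.finalize()


def tampered_copy(text: str) -> str:
    """Flip one ciphertext byte but keep the old tag: what a careless edit of the file does."""
    salt, mac, ciphertext = parse_envelope(text)
    flipped = bytes([ciphertext[0] ^ 0x01]) + ciphertext[1:]
    return build_envelope(salt, mac, flipped)


if __name__ == "__main__":
    password = b"vault-pass"  # constructed sample, not a real secret
    blob = encrypt(b"db_password: mysecretpassword\n", password)
    print(blob)
    print(decrypt(blob, password))
    print("tampered copy rejected:", not verify_mac(password, *parse_envelope(tampered_copy(blob))))
```

Two things worth noticing: the MAC is checked with a constant-time compare before the ciphertext is touched, which is why a tampered or wrong-password file fails with the generic "Decryption failed" message rather than with garbage output, and every encryption draws a fresh random salt, so re-encrypting the same plaintext with the same password yields a completely different file (a diff of two vault files tells you nothing about whether the contents changed).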
Examples:
1. Creating an Encrypted File:
Let's say you have a file named secrets.yml which contains
sensitive data:
    db_password: mysecretpassword
    api_key: myapikey
Now encrypt this file using the following command:
# ansible-vault encrypt secrets.yml
This will prompt you to enter and confirm the vault password.
Once entered, the secrets.yml file will be encrypted.
2. Editing an Encrypted File:
To edit the encrypted file, use the ansible-vault edit command:
# ansible-vault edit secrets.yml
This prompts for the vault password, decrypts the file into a
temporary file and opens it in your $EDITOR. Once you save and
exit the editor, the content is re-encrypted in place and the
temporary plaintext is removed.
3. Running Ansible Playbooks with Encrypted Data:
Suppose you have an Ansible playbook named playbook.yml that
uses the encrypted secrets.yml file:
    ---
    - name: Example playbook
      hosts: testing
      tasks:
        - name: Include encrypted vars
          include_vars: secrets.yml
        - name: Display secrets
          debug:
            var: db_password
You can run the playbook using the following command:
# ansible-playbook playbook.yml --ask-vault-pass
This will prompt you to enter the vault password, which Ansible
uses to decrypt secrets.yml when include_vars loads it. For
unattended runs use --vault-password-file instead of the prompt.
Note that the debug task above prints db_password in clear on the
console and in any log; Vault only protects the data at rest, so
set no_log: true on tasks that handle secrets in real playbooks.
4. Encrypting Strings:
You can also encrypt individual values instead of whole files:
# ansible-vault encrypt_string 'mysecretpassword' --name 'db_password'
After prompting for the vault password this prints a
db_password: !vault | block containing the encrypted value, which
you paste into an otherwise plaintext vars file. Passing the secret
as an argument leaves it in your shell history; prefer reading it
from stdin with --stdin-name 'db_password'.
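Once some values are inline-vaulted and others live in whole-file vaults, the practical question is whether anything secret-looking is still in plaintext. Here is an added example, not part of Ansible, of a pre-commit style check: it walks a vars tree, skips files that carry the $ANSIBLE_VAULT; header, and reports secret-looking keys whose values are neither an inline !vault value nor a reference to another variable. The key-name regex, the make_sample_tree fixture and its file contents are constructed for the demonstration.

```python
"""Added example (not part of Ansible): flag secret-looking keys that are still in plaintext.

A vars file passes if it is a whole-file vault (starts with $ANSIBLE_VAULT;) or if
every secret-looking key carries an inline `!vault |` value, as written by
encrypt_string. The key-name pattern is a constructed heuristic: tune it per repo.
"""
import os
import re
import tempfile

VAULT_HEADER = "$ANSIBLE_VAULT;"
# constructed heuristic for "this key holds a secret"; extend with your own names
SECRET_KEY = re.compile(
    r"^\s*-?\s*([A-Za-z0-9_]*(password|passwd|secret|token|api_key|private_key)[A-Za-z0-9_]*)\s*:\s*(.*)$",
    re.IGNORECASE,
)


def is_protected_value(value: str) -> bool:
    """Inline-vaulted values, references to other (vaulted) vars and empty mappings are fine."""
    value = value.strip().strip("\"'")
    return value == "" or value.startswith("!vault") or value.startswith("{{")


def find_plaintext_secrets(root: str):
    """Return sorted (relative path, line number, key) for every plaintext secret found."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.endswith((".yml", ".yaml")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            if text.startswith(VAULT_HEADER):
                continue  # whole file is encrypted, nothing readable in it
            for lineno, line in enumerate(text.splitlines(), 1):
                match = SECRET_KEY.match(line)
                if match and not is_protected_value(match.group(3)):
                    findings.append((os.path.relpath(path, root), lineno, match.group(1)))
    return sorted(findings)


def make_sample_tree() -> str:
    """Write a constructed inventory layout to a temp dir (sample data, not real secrets)."""
    root = tempfile.mkdtemp(prefix="vault-check-")
    fake_hex = "3031323334353637383961626364656630313233343536373839616263646566"
    files = {
        # whole-file vault: header plus placeholder hex (constructed, not real ciphertext)
        "group_vars/all/vault.yml": "$ANSIBLE_VAULT;1.1;AES256\n" + fake_hex + "\n",
        # plaintext file that only references vaulted data or carries inline !vault values
        "group_vars/all/vars.yml": 'db_password: "{{ vault_db_password }}"\n'
                                   "api_key: !vault |\n"
                                   "          $ANSIBLE_VAULT;1.1;AES256\n"
                                   "          " + fake_hex + "\n",
        # the file that should be caught
        "host_vars/web1.yml": "db_password: mysecretpassword\n"
                              "nested:\n"
                              "  api_token: abc123\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rel_path, lineno, key in find_plaintext_secrets(make_sample_tree()):
        print("%s:%d: key %r is not vault-encrypted" % (rel_path, lineno, key))
```

Run against a real repository root and wire it into a pre-commit hook or CI job; a non-empty result should fail the commit. The heuristic deliberately accepts "{{ ... }}" values because the common layout keeps plaintext vars.yml entries that point at vault_ prefixed variables in an encrypted vault.yml, so only literal values are reported.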
Some commands to show usage of the ansible-vault command.
# ansible-vault create secrets.yml (Create a new file that is encrypted as soon as you save it)
# ansible-vault create --vault-password-file=vault-pass secrets.yml (Read the vault password from the file vault-pass instead of prompting)
# ansible-vault view secrets.yml (View the decrypted contents of an encrypted file)
# ansible-vault edit secrets.yml (Edit an encrypted file)
# ansible-vault rekey secrets.yml (Change the password of an encrypted file; prompts for the old and the new password)
# ansible-vault decrypt secrets.yml (Replace the encrypted file with its plaintext; do this deliberately, never in a checked-in tree)
# ansible-playbook --ask-vault-pass playbook.yml (Run a playbook that is encrypted or uses encrypted data)