Ansible Vault allows file encryption and requires a password to decrypt
Command: ansible-vault encrypt <file>
The ansible-vault rekey command will allow you to re-encrypt a file under a new password
To supply the vault password during play execution, you must use either the --ask-vault-password flag (interactive prompt) or the --vault-password-file flag (read the password from a file)
Ansible 2.4 introduces the --vault-id feature (label@source, so several vault passwords can be used side by side)
It is possible to set no_log: true on a task to censor sensitive output (the task's arguments and results) from logs and console output
Ansible Vault can be used to encrypt any structured data file used by Ansible:
- Variable files in group_vars and host_vars directories
- Variable files loaded by include_vars and vars_files in playbooks
- Variable files passed on the command line using -e @var_file.yml
- Individual variables inside a YAML file can also be encrypted using the !vault tag
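The list above says which files are expected to be vaulted; what it does not show is how to check that they actually are before they reach a repository. The following POSIX sh script is an added example, not part of the original notes or of Ansible itself. It assumes the group_vars/host_vars layout from the list, relies on the `$ANSIBLE_VAULT;` header that ansible-vault writes as the first line of an encrypted file, and uses a secret-looking key pattern (password, secret, token, api_key) that is a heuristic chosen for this example.

```shell
#!/bin/sh
# Added example (not from the original notes or from Ansible): audit an
# Ansible repository for variable files that should be vaulted but are still
# plaintext. Assumptions: POSIX sh with find/grep/sed; a repository with
# group_vars/ and host_vars/ directories as described on the page.

# Returns 0 if the file is a whole-file vault, i.e. its first line is the
# "$ANSIBLE_VAULT;" header that ansible-vault encrypt writes.
vault_encrypted() {
    head -n 1 "$1" 2>/dev/null | grep -q '^\$ANSIBLE_VAULT;'
}

# Prints "file:line:text" for every secret-looking key whose value is neither
# an inline !vault value nor inside a whole-file vault. The key pattern is a
# heuristic chosen for this example; extend it to match your naming scheme.
find_plaintext_secrets() {
    repo="$1"
    find "$repo/group_vars" "$repo/host_vars" -type f \
        \( -name '*.yml' -o -name '*.yaml' \) 2>/dev/null |
    while read -r f; do
        # Whole-file vaults are fine: skip them.
        vault_encrypted "$f" && continue
        # Flag secret-looking keys, then drop the ones already using !vault.
        grep -n -i -E '^[[:space:]]*[a-z0-9_]*(password|passwd|secret|token|api_key)[a-z0-9_]*:' "$f" |
        grep -v -E ':[[:space:]]*!vault' |
        sed "s|^|$f:|"
    done
}

# Returns the number of findings as a plain integer (useful as a pre-commit
# hook exit condition: non-zero findings means refuse the commit).
count_plaintext_secrets() {
    echo $(( $(find_plaintext_secrets "$1" | wc -l) ))
}

# Usage: ./vault_audit.sh /path/to/ansible/repo
if [ -n "${1:-}" ]; then
    find_plaintext_secrets "$1"
    [ "$(count_plaintext_secrets "$1")" -eq 0 ]
fi
```

Run it as a pre-commit hook (or in CI) so that a vars file that was decrypted for editing and forgotten, or a new `db_password:` line that was never vaulted, is caught before it is pushed; whole-file vaults and `!vault` inline values pass, anything else with a secret-looking key is listed.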
Password encryption (interactive, prompts for the vault password):
echo "This is secret file" > secret.txt
cat secret.txt
ansible-vault encrypt secret.txt
cat secret.txt (now shows only the $ANSIBLE_VAULT header and ciphertext)
ansible-vault edit secret.txt
ansible-vault view secret.txt (prompts for the vault password)
ansible-vault decrypt secret.txt
ansible-vault encrypt_string "The answer is 42" -n meaning
ansible-vault encrypt_string "The answer is 42" -n meaning --vault-id dev@prompt
File encryption:
Create an encrypted file: ansible-vault create file.yml
Create an encrypted file with a vault ID: ansible-vault create --vault-id label@source file.yml
Edit an encrypted file: ansible-vault edit file.yml
Edit encrypted files with a vault ID: ansible-vault edit --vault-id label@source file1.yml file2.yml
Rekey encrypted files: ansible-vault rekey file1.yml file2.yml
Rekey encrypted files with a vault ID: ansible-vault rekey --vault-id label@source file1.yml file2.yml
View an encrypted file: ansible-vault view file.yml
Encrypt a string to be used as a variable in YAML files: ansible-vault encrypt_string --ask-vault-pass 'string_value' --name 'secret_var'
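All of the commands above prompt for the password. In automation the password instead comes from a file via --vault-password-file or a --vault-id label@file source, and that file then becomes the thing to protect. The script below is an added example, not part of the original notes or of Ansible: it creates the password file with owner-only permissions, checks them, and runs the page's encrypt/view/encrypt_string commands non-interactively. It assumes POSIX sh, that ansible-vault is on PATH for the workflow part (skipped otherwise), and uses the vault ID label "dev", the VAULT_PASS environment variable and the sample file names as placeholders chosen for this example.

```shell
#!/bin/sh
# Added example (not from the original notes or from Ansible): non-interactive
# ansible-vault usage with a private password file.
# Assumptions: POSIX sh; ansible-vault on PATH for demo_workflow (skipped if
# absent); "dev" label, VAULT_PASS variable and file names are placeholders.

# Create a password file readable only by the current user. Keep it out of
# version control (.gitignore): the vault is only as secret as this file.
make_vault_password_file() {
    path="$1"
    # umask 077 in a subshell so the file is born as 0600, not widened later.
    ( umask 077; : > "$path" ) || return 1
    if [ -n "${VAULT_PASS:-}" ]; then
        # Non-interactive: take the password from the environment (e.g. CI secret).
        printf '%s\n' "$VAULT_PASS" > "$path"
    else
        # Interactive: prompt without echoing the password to the terminal.
        printf 'Vault password to store in %s: ' "$path" >&2
        stty -echo; read -r pw; stty echo; printf '\n' >&2
        printf '%s\n' "$pw" > "$path"
    fi
}

# Returns 0 only if the file has no group/other permission bits (mode 0600),
# which is what ansible-vault expects of a password file anyway.
password_file_is_private() {
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# The page's commands, driven by --vault-id dev@<password file> instead of a
# prompt. Secrets for encrypt_string are fed on stdin (--stdin-name) so they
# never appear in shell history or in the process list.
demo_workflow() {
    pf="$1"
    password_file_is_private "$pf" || { echo "refusing: $pf is not mode 0600" >&2; return 1; }
    if ! command -v ansible-vault >/dev/null 2>&1; then
        echo "ansible-vault not installed; skipping workflow" >&2
        return 0
    fi
    workdir=$(mktemp -d)
    printf 'db_password: hunter2\n' > "$workdir/secrets.yml"   # constructed sample
    ansible-vault encrypt --vault-id "dev@$pf" "$workdir/secrets.yml"
    ansible-vault view --vault-id "dev@$pf" "$workdir/secrets.yml" >/dev/null
    # Produce a !vault block for db_password, ready to paste into a vars file.
    printf '%s' 'hunter2' | ansible-vault encrypt_string --vault-id "dev@$pf" --stdin-name db_password
    rm -rf "$workdir"
}

# Usage: VAULT_PASS='...' ./vault_noninteractive.sh ~/.vault_pass_dev
if [ -n "${1:-}" ]; then
    make_vault_password_file "$1" && demo_workflow "$1"
fi
```

The same password file works for play execution (`ansible-playbook --vault-id dev@~/.vault_pass_dev site.yml`); the permission check is worth keeping as a guard because a password file that is group- or world-readable silently hands every vaulted secret to anyone else on the host.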