Ansible Vault
Playbooks often contain sensitive data like passwords, API keys, or SSH private keys. Storing them in plain text is dangerous. Ansible Vault encrypts such data so you can safely store it in version control.
What Is Ansible Vault?
Vault encrypts any structured data file Ansible reads (variables files, playbooks, inventory, or a single value inside an otherwise plain file) with a key derived from a password; on disk the file starts with a $ANSIBLE_VAULT;1.1;AES256 header followed by the hex-encoded ciphertext. Encrypted files can be committed to version control; only someone holding the password can decrypt them, so the protection is only as strong as the password and as careful as the way it is distributed.
Ansible Vault keeps secrets encrypted at rest.
Creating an Encrypted File
Create a new encrypted file:
ansible-vault create secrets.yml
You'll be prompted for a password (twice, to confirm). Ansible then opens the file in your editor; write the YAML as usual, save and exit, and the file is written to disk encrypted.
Encrypting an Existing File
Encrypt a plain text file in place:
ansible-vault encrypt vars.yml
If the file was ever committed unencrypted, the plaintext is still in the repository history; rotate those secrets rather than relying on encrypting the file afterwards.
Viewing and Editing Encrypted Files
View the content (decrypted to your terminal only, the file stays encrypted):
ansible-vault view secrets.yml
Edit an encrypted file (decrypted to a temporary file for your editor and re-encrypted on save):
ansible-vault edit secrets.yml
ansible-vault decrypt secrets.yml removes the encryption permanently; prefer view and edit so the plaintext never lands in the working tree where it can be committed by accident.
Using Encrypted Files in Playbooks
When you run a playbook that uses an encrypted file, provide the password. You have several options:
1. Prompt for the password:
ansible-playbook site.yml --ask-vault-pass
2. Use a password file:
ansible-playbook site.yml --vault-password-file vault_pass.txt
3. Use an environment variable (for automation):
export ANSIBLE_VAULT_PASSWORD_FILE=./vault_pass.txt
The password file is the weak point of options 2 and 3: keep it readable only by the user running Ansible (chmod 600), never commit it (add it to .gitignore), and do not reuse the vault password anywhere else. If the file is executable, Ansible runs it and uses its standard output as the password, which lets CI fetch the password from a secrets manager instead of keeping it on disk. Note that Vault only encrypts the file at rest; the decrypted values still pass through Ansible's logs and output if you print them with debug or run with -v.
Including Encrypted Variables in a Playbook
You can also encrypt individual variables using ansible-vault encrypt_string. This is useful when you only need to encrypt a few values inside an otherwise plain file.
ansible-vault encrypt_string 'mysecret' --name 'db_password'
It outputs a !vault-tagged encrypted string you can paste into any YAML file. Passing the secret as a command-line argument, as above, leaves it in your shell history and briefly exposes it in the process list; for real secrets use ansible-vault encrypt_string --stdin-name 'db_password' instead, type the value and finish with Ctrl-D (without pressing Enter, or the newline becomes part of the secret). Every encrypted string in a file must be decryptable with the password you supply at run time; strings encrypted under different passwords can only be combined by labelling them with --vault-id.
Two Minute Drill
- Ansible Vault encrypts secrets in YAML files.
- Commands: create, encrypt, decrypt, view, edit.
- Provide the password at runtime with --ask-vault-pass or a password file.
- Use encrypt_string for single-variable encryption.
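The commands above protect a secret only when you remember to run them. The following script is an added example, not part of this page or of Ansible itself, that can be wired in as a git pre-commit hook to catch what slips through: it recognises both forms Vault produces (a whole encrypted file under the $ANSIBLE_VAULT header, whose payload it unpacks into salt, HMAC and ciphertext, and an inline !vault string from encrypt_string) and reports sensitive-looking variables that are in neither form. The key-name heuristic, the file names and the sample vars files are assumptions constructed for the example; the placeholder bytes in the sample vault file are not real ciphertext.

```python
"""Vault hygiene check for an Ansible repository (added example, not Ansible's code).

Understands both encrypted forms Ansible Vault writes: a whole file under the
"$ANSIBLE_VAULT;<version>;<cipher>[;<vault-id>]" header, whose body is the hex of
hex(salt), hex(hmac) and hex(ciphertext) joined by newlines and wrapped at 80
columns, and an inline "!vault" value (encrypt_string output). Sensitive-looking
keys in neither form are reported. The key-name heuristic and the constructed samples are assumptions.
"""
import re
import sys

VAULT_HEADER_RE = re.compile(r"^\$ANSIBLE_VAULT;(\d+\.\d+);([A-Z0-9]+)(?:;(\S+))?\s*$")
SENSITIVE_KEY_RE = re.compile(r"pass(word)?|secret|token|api_?key|private_key", re.I)
KEY_VALUE_RE = re.compile(r"^(\s*)([A-Za-z0-9_.-]+):(?:\s+(.*?))?\s*$")


def parse_vault_header(first_line):
    """Return (version, cipher, vault_id) for a Vault file header, else None."""
    m = VAULT_HEADER_RE.match(first_line)
    return m.groups() if m else None


def unpack_vault_payload(body_lines):
    """Split the hex payload below the header into (salt, hmac, ciphertext) bytes."""
    outer = bytes.fromhex("".join(line.strip() for line in body_lines))
    salt_hex, hmac_hex, ct_hex = outer.split(b"\n")  # ValueError if the layout is wrong
    return tuple(bytes.fromhex(part.decode("ascii")) for part in (salt_hex, hmac_hex, ct_hex))


def build_vault_file(salt, hmac, ciphertext, vault_id=None):
    """Pack raw parts into the on-disk layout; used here only to construct a sample."""
    header = ("$ANSIBLE_VAULT;1.2;AES256;" + vault_id) if vault_id else "$ANSIBLE_VAULT;1.1;AES256"
    inner = b"\n".join(part.hex().encode("ascii") for part in (salt, hmac, ciphertext)).hex()
    return header + "\n" + "\n".join(inner[i:i + 80] for i in range(0, len(inner), 80)) + "\n"


def find_plaintext_secrets(text):
    """Return [(line_no, key)] for sensitive-looking keys whose value is in the clear.
    A file under a Vault header yields nothing (corrupt payload: ValueError);
    "!vault" values and "{{ ... }}" references pass; literals and block scalars are reported.
    """
    lines = text.splitlines()
    if lines and parse_vault_header(lines[0]):
        unpack_vault_payload(lines[1:])
        return []
    findings = []
    for no, line in enumerate(lines, 1):
        m = KEY_VALUE_RE.match(line)
        if not m:
            continue
        key, value = m.group(2), (m.group(3) or "").strip("\"'")
        if not SENSITIVE_KEY_RE.search(key) or value == "":
            continue  # not sensitive, or a nested mapping / null value
        if value.startswith("!vault") or (value.startswith("{{") and value.endswith("}}")):
            continue
        findings.append((no, key))
    return findings


SAMPLE_PLAIN_VARS = """\
# group_vars/all/vars.yml (constructed sample; placeholder values)
db_user: app
db_password: "{{ vault_db_password }}"
api_token: "{{ vault_api_token }}"
smtp:
  host: mail.example.com
  password: hunter2
ssh_private_key: |
  -----BEGIN OPENSSH PRIVATE KEY-----
  not-a-real-key
"""
SAMPLE_INLINE_VAULT = """\
db_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          30313233343536373839616263646566
api_token: abcdef0123456789
"""
SAMPLE_VAULT_FILE = build_vault_file(b"\x01" * 32, b"\x02" * 32, b"\x03" * 16, vault_id="prod")


def main(paths):
    """Pre-commit entry point: print findings and return 1 to block the commit."""
    bad = 0
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            text = fh.read()
        try:
            hits = find_plaintext_secrets(text)
        except ValueError:
            hits, bad = [], bad + 1
            print(f"{path}: vault header present but the payload is corrupt", file=sys.stderr)
        for no, key in hits:
            print(f"{path}:{no}: '{key}' is not vault-encrypted", file=sys.stderr)
        bad += len(hits)
    return 1 if bad else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it from a pre-commit hook over the staged vars files (for example the output of git diff --cached --name-only -- '*.yml'); a non-zero exit blocks the commit. On the constructed samples it reports the nested smtp password and the private key block scalar, accepts the "{{ vault_... }}" indirections and the !vault string, and treats the whole-file vault as clean. The check is structural only: it never decrypts anything and does not verify the HMAC, so it cannot tell you whether the password used is the one your playbooks expect, and the key-name regex will produce false positives (a key like password_policy) that you should review rather than suppress wholesale.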
Need more clarification?
Drop us an email at career@quipoinfotech.com
