Ansible Vault

All files are in plaintext, but you can use the ansible-vault command to encrypt files or strings. This way you can store passwords and other sensitive information in a single file without making it readable to others. The same ansible-vault command decrypts those files or strings again when the password is known.

Warning

Ansible Vault uses symmetric encryption, so the password used to encrypt a file is also the one needed to decrypt it. Do not put any vault into a public repository that anyone can access: whoever can download the encrypted file can run an offline brute-force attack against its password.

Ansible Vault is part of Ansible Core and is available on every server where Ansible is installed; nothing extra needs to be installed to use it. With the ansible-vault command you can encrypt and decrypt files and strings.
(venv) $ ansible-vault --version
ansible-vault [core 2.12.4]
config file = /etc/ansible/ansible.cfg
configured module search path = ['/workspace/mastering-linux.com/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
ansible python module location = /workspace/mastering-linux.com/venv/lib64/python3.10/site-packages/ansible
ansible collection location = /workspace/mastering-linux.com/.ansible/collections:/usr/share/ansible/collections
executable location = /workspace/mastering-linux.com/venv/bin/ansible
python version = 3.10.4 (main, Mar 25 2022, 00:00:00) [GCC 11.2.1 20220127 (Red Hat 11.2.1-9)]
jinja version = 3.1.1
libyaml = True
Note

The password used in all examples is cangetin, or Cangetin when specified.
Create an Ansible Vault

Creating an Ansible Vault is as simple as running the ansible-vault command with the option create and the location of the file. During creation you are prompted for the password to encrypt the file with. Afterwards the file is encrypted and cannot be read without the password.
(venv) $ ansible-vault create files/secure.yml
New Vault password:
Confirm New Vault password:
$ cat files/secure.yml
$ANSIBLE_VAULT;1.1;AES256
36333161616235333136343139613665396237323835636232376234613931633535363064333735
3935643466663437633635623438376164313131343032610a396439393865353932633635646234
39373735373561626234653738393130353166663666636436643862333337383762373634636535
3232323938323863650a333838313534386565663830306166656139333030343230656466343137
65303162383765356564613238633766313233376135353030316265663265613363
As the file is encrypted, it cannot be read without the password. With the ansible-vault command and the option view, the file is decrypted and shown in the console.
(venv) $ ansible-vault view files/secure.yml
Vault password:
Secret content!!!
Changing the content of an encrypted file is done with the ansible-vault command, the option edit and the location of the file. The decrypted file is opened in an editor and, after saving, encrypted again with the same password without any additional commands.
(venv) $ ansible-vault edit files/secure.yml
Warning

While the file is being edited, its decrypted content is stored in a temporary file that can be read without any password.
Key management for vaults

The password of an existing vault is changed with the option rekey: the current password is asked for first, then the new one. After rekeying, a view with the old password fails and only the new password decrypts the file, as the two view attempts below show.
(venv) $ ansible-vault rekey files/secure.yml
Vault password:
New Vault password:
Confirm New Vault password:
Rekey successful
(venv) $ ansible-vault view files/secure.yml
Vault password:
ERROR! Decryption failed (no vault secrets were found that could decrypt) on files/secure.yml for files/secure.yml
(venv) $ ansible-vault view files/secure.yml
Vault password:
Secret content!!!
Vault existing files

An existing plaintext file is encrypted in place with the option encrypt, and an encrypted file is turned back into plaintext with the option decrypt.
(venv) $ ansible-vault encrypt vars/variables.yml
New Vault password:
Confirm New Vault password:
Encryption successful
(venv) $ ansible-vault decrypt vars/variables.yml
Vault password:
Decryption successful
Working with vaulted variables

Instead of a whole file, a single value can be encrypted with the option encrypt_string. The output is a YAML value tagged !vault that can be pasted into a playbook or variables file; Ansible decrypts it when the playbook runs.
(venv) $ ansible-vault encrypt_string 'my secret string'
New Vault password:
Confirm New Vault password:
!vault |
$ANSIBLE_VAULT;1.1;AES256
36633661396437373864363031353635363537313966653734666230636262393964336565356138
6439303332333065626437326633633239333338393032620a316637323836363563313834386530
37376661303236373065646334653261393461326332396162336437616439303961336663653363
6333663736353363300a646565313966386562623532353537646461373862663466373637393236
63313266386435653533323837626163383931353134386337303339643739663438
The encrypted value is then used in a playbook like any other value:
---
- name: Play One
  hosts: all
  tasks:
    - name: Set secret
      dummy:
        key: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          36633661396437373864363031353635363537313966653734666230636262393964336565356138
          6439303332333065626437326633633239333338393032620a316637323836363563313834386530
          37376661303236373065646334653261393461326332396162336437616439303961336663653363
          6333663736353363300a646565313966386562623532353537646461373862663466373637393236
          63313266386435653533323837626163383931353134386337303339643739663438
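The file created under "Create an Ansible Vault" and the inline !vault value above share one envelope format: a header line $ANSIBLE_VAULT;<version>;AES256 (a 1.2 header carries a vault id as a fourth field), followed by hex text that decodes to three newline-separated hex strings: the 32-byte salt, the HMAC-SHA256 over the ciphertext, and the AES-256-CTR ciphertext padded to whole 16-byte blocks. The following Python is an added example, not code from this page or from Ansible. It parses that envelope with the standard library only (the ciphertext is never decrypted) and uses the parser in a pre-commit style check that flags sensitive-looking keys in a flat vars file whose value is plaintext or a malformed !vault block. The vars file it scans is constructed here around the encrypt_string output from the page; the sensitive key-name pattern is an assumption to adapt to your own naming.

```python
"""Parse Ansible Vault envelopes and flag unvaulted secrets in a vars file.

Added example for this page, not code from Ansible. Standard library only;
the envelope is inspected structurally and never decrypted.
"""
import binascii
import re

# Envelope as printed by `ansible-vault encrypt_string 'my secret string'`
# on this page (the `!vault |` tag line stripped).
PAGE_ENVELOPE = """$ANSIBLE_VAULT;1.1;AES256
36633661396437373864363031353635363537313966653734666230636262393964336565356138
6439303332333065626437326633633239333338393032620a316637323836363563313834386530
37376661303236373065646334653261393461326332396162336437616439303961336663653363
6333663736353363300a646565313966386562623532353537646461373862663466373637393236
63313266386435653533323837626163383931353134386337303339643739663438
"""

# Constructed vars file: one properly vaulted value next to a token that was
# committed in plaintext by mistake.
SAMPLE_VARS = (
    "---\n"
    "db_user: app\n"
    "db_password: !vault |\n"
    + "".join("          " + line + "\n" for line in PAGE_ENVELOPE.splitlines())
    + "api_token: hunter2\n"
    "region: eu-west-1\n"
)

# Key names treated as sensitive (assumed pattern; extend it for your naming).
SENSITIVE_KEY = re.compile(r"(pass(word)?|secret|token|private_key|api_key)$", re.I)


def parse_vault_envelope(text):
    """Split a vault envelope into header fields, salt, HMAC and ciphertext.

    Body = hex("<salt_hex>\\n<hmac_hex>\\n<ciphertext_hex>"): 32-byte salt,
    HMAC-SHA256 over the ciphertext, AES-256-CTR ciphertext padded (PKCS7)
    to whole 16-byte blocks. Raises ValueError on anything malformed.
    """
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty vault value")
    fields = lines[0].split(";")
    if fields[0] != "$ANSIBLE_VAULT" or len(fields) not in (3, 4):
        raise ValueError("not an Ansible Vault envelope")
    version, cipher = fields[1], fields[2]
    if version not in ("1.1", "1.2") or cipher != "AES256":
        raise ValueError(f"unsupported envelope {version}/{cipher}")
    outer = binascii.unhexlify("".join(lines[1:]))  # binascii.Error is a ValueError
    parts = outer.split(b"\n")
    if len(parts) != 3:
        raise ValueError("body is not salt/hmac/ciphertext")
    salt, mac, ciphertext = (binascii.unhexlify(p) for p in parts)
    if len(salt) != 32 or len(mac) != 32 or not ciphertext or len(ciphertext) % 16:
        raise ValueError("malformed salt, hmac or ciphertext length")
    return {
        "version": version,
        "cipher": cipher,
        "vault_id": fields[3] if len(fields) == 4 else None,  # 1.2 headers only
        "salt": salt,
        "hmac": mac,
        "ciphertext": ciphertext,
    }


def find_unvaulted_secrets(vars_text):
    """Return [(key, reason)] for sensitive keys that are not safely vaulted.

    Line-based scan of a flat `key: value` vars file: a sensitive key must
    carry a `!vault |` block whose indented body parses as a valid envelope.
    """
    findings = []
    lines = vars_text.splitlines()
    i = 0
    while i < len(lines):
        match = re.match(r"^([A-Za-z0-9_]+):\s*(.*)$", lines[i])
        i += 1
        if not match or not SENSITIVE_KEY.search(match.group(1)):
            continue
        key, value = match.group(1), match.group(2).strip()
        if not value.startswith("!vault"):
            findings.append((key, "plaintext value"))
            continue
        block = []  # the indented block scalar following `!vault |`
        while i < len(lines) and lines[i].startswith((" ", "\t")):
            block.append(lines[i].strip())
            i += 1
        try:
            parse_vault_envelope("\n".join(block))
        except ValueError as exc:
            findings.append((key, f"!vault value is malformed: {exc}"))
    return findings


if __name__ == "__main__":
    env = parse_vault_envelope(PAGE_ENVELOPE)
    print(f"format {env['version']}/{env['cipher']}, "
          f"{len(env['ciphertext'])} bytes of ciphertext")
    for key, reason in find_unvaulted_secrets(SAMPLE_VARS):
        print(f"FAIL {key}: {reason}")
```

Run against the constructed vars file, the scanner accepts db_password (its envelope decodes to a 32-byte salt, a 32-byte HMAC and 32 bytes of ciphertext, two AES blocks for the padded 16-byte string) and reports api_token as a plaintext value. The check is deliberately structural: it proves that a value is a well-formed vault envelope, not that it was encrypted with the right password, which only ansible-vault view with the password can confirm.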
Running a vaulted playbook

A playbook that uses vaulted files or variables needs the vault password at run time. Either let ansible-playbook prompt for it with --ask-vault-password, or read it from a file with --vault-password-file; that file holds the password in plaintext, so protect it like the secrets themselves.
(venv) $ ansible-playbook site.yml --ask-vault-password
Vault password:
(venv) $ ansible-playbook site.yml --vault-password-file=vault_pass.txt
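A vault password file hands Ansible the password in plaintext, so it deserves the same care as the vault itself. The following Python is an added example, not code from this page or from Ansible: it checks a password file before building the ansible-playbook command line, requiring a regular file (not a symlink) owned by the current user, with no group or other permission bits, and non-empty. It assumes a POSIX system; the sample password file it writes is constructed here with the page's example password, and the ansible-playbook command is only built, not executed.

```python
"""Refuse to run a vaulted playbook from an unsafe vault password file.

Added example for this page, not code from Ansible. POSIX only: it relies
on file ownership and mode bits.
"""
import os
import stat
import tempfile


def evaluate_password_file(st_mode, st_uid, st_size, my_uid):
    """Pure check on lstat() fields; returns a list of problems (empty = OK)."""
    problems = []
    if stat.S_ISLNK(st_mode):
        problems.append("is a symlink")
    elif not stat.S_ISREG(st_mode):
        problems.append("is not a regular file")
    if st_uid != my_uid:
        problems.append("not owned by the current user")
    perm = stat.S_IMODE(st_mode)
    if perm & 0o077:  # any read/write/execute bit for group or others
        problems.append(f"mode {perm:04o} grants access to group/others")
    if st_size == 0:
        problems.append("is empty")
    return problems


def check_vault_password_file(path):
    """lstat the file (so a symlink is seen as such) and evaluate it."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return ["file does not exist"]
    return evaluate_password_file(st.st_mode, st.st_uid, st.st_size, os.getuid())


def build_playbook_command(playbook, password_file):
    """argv for ansible-playbook, or PermissionError if the file is unsafe."""
    problems = check_vault_password_file(password_file)
    if problems:
        raise PermissionError(f"{password_file}: " + "; ".join(problems))
    return ["ansible-playbook", playbook, f"--vault-password-file={password_file}"]


def write_sample_password_file(mode):
    """Constructed sample: a throwaway file holding the page's example password."""
    fd, path = tempfile.mkstemp(prefix="vault_pass_")
    with os.fdopen(fd, "w") as fh:
        fh.write("cangetin\n")
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    # A 0644 file is refused, a 0600 file yields the command line to run.
    for mode in (0o644, 0o600):
        path = write_sample_password_file(mode)
        try:
            print(build_playbook_command("site.yml", path))
        except PermissionError as exc:
            print("refused:", exc)
        finally:
            os.unlink(path)
```

The same check belongs wherever the password file is created (CI runner, deploy host), together with keeping vault_pass.txt out of the repository via .gitignore; the vault file may be committed, the password file never.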