Secrets

Ansible Vault can be used to encrypt and decrypt any structured data file used by Ansible, using a command-line tool named ansible-vault.

Creating and Editing Encrypted Files

Create a new encrypted file using the ansible-vault create filename command.

Example:

ansible-vault create secret.yml
New Vault password: password
Confirm New Vault password: password

You can also store the vault password in a vault password file, taking care to restrict that file's permissions so that only the user running Ansible can read it.

Example:

ansible-vault create --vault-password-file=vault-pass secret.yml

You can use the ansible-vault view filename command to view an Ansible Vault-encrypted file.

You can use the ansible-vault edit filename command to edit existing encrypted files.

You can use the ansible-vault encrypt filename command to encrypt existing files.

Decrypting an Existing File

An existing encrypted file can be permanently decrypted by using the ansible-vault decrypt filename command.

Example:

ansible-vault decrypt secret.yml --output=secret-decrypted.yml

Changing the Password

You can use the ansible-vault rekey filename command to change the password of an encrypted file.

Playbooks and Ansible Vault

To run a playbook that accesses files encrypted with Ansible Vault, you need to provide the encryption password to the ansible-playbook command.

Example:

ansible-playbook --vault-id @prompt playbook.yml
Vault password (default): password

Or you can use the --vault-password-file option to specify a file that stores the encryption password in plain text.

Example:

ansible-playbook --vault-password-file=vault-pw-file playbook.yml

You can also use the ANSIBLE_VAULT_PASSWORD_FILE environment variable to specify the default location of the password file.

Best Practice

A suggested project layout, with each host's variables split into an unencrypted vars file and an encrypted vault file:

.
├── ansible.cfg
├── group_vars
│   └── webservers
│       └── vars
├── host_vars
│   └── server.example.com
│       ├── vars
│       └── vault
├── inventory
└── playbook.yml
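The layout above keeps each host's plain variables in vars and its secrets in an encrypted vault file, and the password-file section warns about protecting that file's permissions. As an added example, not part of the original page and not Ansible's own code, the following Python script is a pre-commit style check that enforces both points: every file named vault (or vault.yml) under group_vars/ or host_vars/ must begin with the $ANSIBLE_VAULT; header that ansible-vault writes, and the vault password file must be readable by its owner only. The project tree, file contents and password file are constructed in a temporary directory; the convention of wiring vars to vault through a vault_-prefixed variable is assumed here, not stated by the page.

```python
"""Checks for an Ansible project that uses Vault (added example, not Ansible code).

1. Files named 'vault' / 'vault.yml' under group_vars/ and host_vars/ must be
   encrypted, i.e. start with the ansible-vault header, so plaintext secrets
   never reach version control.
2. The vault password file must not be readable by group or others.
"""
import os
import stat
import tempfile
from pathlib import Path

# Every ansible-vault encrypted file starts with this marker; format 1.1 is
# "$ANSIBLE_VAULT;1.1;AES256", format 1.2 appends a vault-id label.
VAULT_HEADER = b"$ANSIBLE_VAULT;"
VAULT_DIRS = ("group_vars", "host_vars")
VAULT_FILE_NAMES = ("vault", "vault.yml")


def is_vault_encrypted(path: Path) -> bool:
    """True if the file's first line carries the ansible-vault header."""
    with path.open("rb") as fh:
        return fh.readline().startswith(VAULT_HEADER)


def find_plaintext_vault_files(project: Path) -> list:
    """Paths of vault files that are NOT encrypted; empty list means the check passed."""
    bad = []
    for vault_dir in VAULT_DIRS:
        base = project / vault_dir
        if not base.is_dir():
            continue
        for path in base.rglob("*"):
            if path.is_file() and path.name in VAULT_FILE_NAMES and not is_vault_encrypted(path):
                bad.append(path)
    return sorted(bad)


def password_file_is_private(path: Path) -> bool:
    """True when no group/other permission bits are set (POSIX semantics)."""
    mode = stat.S_IMODE(path.stat().st_mode)
    return mode & 0o077 == 0


def run_checks(project: Path, password_file: Path) -> dict:
    """Run both checks and return a plain dict a CI job could act on."""
    return {
        "plaintext_vaults": [p.relative_to(project).as_posix()
                             for p in find_plaintext_vault_files(project)],
        "password_file_private": password_file_is_private(password_file),
    }


# Constructed sample content (hypothetical values). The vars file references a
# vault_-prefixed variable that is defined only in the encrypted vault file.
SAMPLE_VARS = '---\ndb_password: "{{ vault_db_password }}"\n'
SAMPLE_VAULT_OK = "$ANSIBLE_VAULT;1.1;AES256\n<constructed placeholder ciphertext>\n"
SAMPLE_VAULT_LEAK = "---\nvault_db_password: hunter2\n"  # what a forgotten encrypt looks like


def build_sample_project(root: Path, leak: bool = False):
    """Create the page's layout under root/project; password file lives outside it."""
    project = root / "project"
    host = project / "host_vars" / "server.example.com"
    host.mkdir(parents=True)
    (host / "vars").write_text(SAMPLE_VARS)
    (host / "vault").write_text(SAMPLE_VAULT_LEAK if leak else SAMPLE_VAULT_OK)
    group = project / "group_vars" / "webservers"
    group.mkdir(parents=True)
    (group / "vars").write_text("---\nhttp_port: 80\n")
    (project / "playbook.yml").write_text("---\n- hosts: webservers\n  tasks: []\n")
    password_file = root / "vault-pass"  # deliberately not inside the repo tree
    password_file.write_text("constructed-example-password\n")
    os.chmod(password_file, 0o600)
    return project, password_file


def demo(leak: bool = False, loose_password_file: bool = False) -> dict:
    """Build a constructed project in a temp dir, optionally with defects, and check it."""
    with tempfile.TemporaryDirectory() as tmp:
        project, password_file = build_sample_project(Path(tmp), leak)
        if loose_password_file:
            os.chmod(password_file, 0o644)  # the mistake the page warns about
        return run_checks(project, password_file)


if __name__ == "__main__":
    print("clean project:", demo())
    print("broken project:", demo(leak=True, loose_password_file=True))
```

Running the script reports no findings for the clean tree and, for the broken one, names host_vars/server.example.com/vault as plaintext and flags the password file as group/world readable; wiring find_plaintext_vault_files into a pre-commit hook is the usual way to use such a check.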