The ansible-vault command can be used to perform a number of tasks.
Additionally, there are a few command line options to be aware of.
For example, let's say ping.yml is unencrypted. When unencrypted, ping.yml can be viewed using common commands, such as cat.
cat ping.yml
Let's say ping.yml contains the following.
---
- hosts: all
gather_facts: false
tasks:
- ping:
...
ping.yml can be invoked using the ansible-playbook command.
ansible-playbook ping.yml
Which should return something like this.
PLAY [all]
TASK [ping]
ok: [server1.example.com]
ok: [server2.example.com]
ok: [server3.example.com]
PLAY RECAP
server1.example.com : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
server2.example.com : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
server3.example.com : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
The ansible-vault encrypt command can be used to encrypt ping.yml.
ansible-vault encrypt ping.yml
You will be prompted to create a new vault password.
New Vault password:
Attempting to view the file using a normal command such as cat will display something like this.
$ANSIBLE_VAULT;1.1;AES256
66303833643731313633343266616162613965636161313534376563383639646463376630626635
3136316663626536303061333531303234616562323637330a373633393736393863373566623261
65643764336263613730666665663763383063386137383331386136366232666637626566653032
3933393061666138650a656238386665343838613833643435623932306539633138376533613039
6531
Now when running ping.yml using the ansible-playbook command, the --ask-vault-pass option can be used.
ansible-playbook ping.yml --ask-vault-pass
And you will be prompted for the vault password.
Vault password:
Or, to avoid being prompted for the vault password, you could create a Vault Password file, and then use the --vault-password-file command line option (if you are going to use the same password for all of the ansible-vault commands) . . .
ansible-playbook ping.yml --vault-password-file /usr/local/vault/.vault_password.txt
Or the --vault-id command line option (if you want to use different passwords)
ansible-playbook ping.yml --vault-id test@/usr/local/ansible/vault/.vault_password.txt
Which should return something like this, which shows the same exact result with the encrypted ping.yml file as compared to the non-encrypted ping.yml file.
PLAY [all]
TASK [ping]
ok: [server1.example.com]
ok: [server2.example.com]
ok: [server3.example.com]
PLAY RECAP
server1.example.com : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
server2.example.com : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
server3.example.com : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0