The ansible-vault command can be used to perform a number of tasks.
- ansible-vault create - create an encrypted file
- ansible-vault decrypt - decrypt an encrypted file
- ansible-vault edit - edit an encrypted file
- ansible-vault encrypt - encrypt a non-encrypted file
- ansible-vault encrypt_string - encrypt a string
- ansible-vault rekey - change password used to view or decrypt an encrypted file
- ansible-vault view - view the cleartext contents of an encrypted file
Additionally, there are a few command line options to be aware of.
- --ask-vault-pass - prompt for the vault password
- --vault-id - use a specific user's password in a file
- --vault-password-file - use a single password in a file
The ansible-vault decrypt command is used to decrypt a file that was encrypted by the ansible-vault command. Let's say vault.yml was encrypted by the ansible-vault command.
Before decrypting the file, you'll want to determine if the file was encrypted using a certain vault id. In this example, the file was encrypted using the "test" id.
~]$ cat vault.yml
$ANSIBLE_VAULT;1.2;AES256;test
38626262613533326438383838363032346366643231633838393661633061633830383832643062
6666663233666435636165323038653462343732343264310a616532376238616537613832363565
63336561303230626332326436303830356335343061386333636131386435316633396464353832
3631303831333164610a393266346630313635313831626639303961663330333736393236373032
3062
The following command will decrypt the file.
ansible-vault decrypt vault.yml
You will be prompted for the vault password.
Vault password:
Or, to avoid being prompted for the vault password, the --vault-password-file command line option can be used if the file is not associated with a vault id.
ansible-vault decrypt --vault-password-file /usr/local/ansible/vault/.vault_password.txt vault.yml
If the file is associated with a vault id, the --vault-id command line option can be used.
ansible-vault decrypt --vault-id test@/usr/local/ansible/vault/.vault_password.txt vault.yml
Or you could set the vault_password_file directive in your ansible.cfg file.
[defaults]
vault_password_file = /usr/local/ansible/vault/.vault_password.txt
In this scenario, you wouldn't need to use any of the vault password command line options (--ask-vault-pass, --vault-password-file, --vault-id).
ansible-vault decrypt vault.yml
If the file was successfully decrypted, the following will be displayed.
Decryption successful
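The header check and the choice between --vault-password-file and --vault-id described above, as an added shell example that is not from the original article. It reads the first line of the vault file, reports the vault id (empty when the file has a 1.1-format header with no id), and prints the matching decrypt command; the password file path is the one assumed in the article and the sample header is constructed here.

```shell
#!/bin/sh
# Added example (not from the original article). Inspect the ansible-vault
# header of a file and build the decrypt command that fits it.

# Print the vault id recorded in the header of the file given as $1.
# Header fields are: $ANSIBLE_VAULT;<version>;<cipher>[;<vault id>]
# A file encrypted without an id (format 1.1) has only three fields, so
# the fourth field is empty and nothing is printed.
vault_id_of() {
    header=$(head -n 1 "$1")
    case "$header" in
        '$ANSIBLE_VAULT;'*) ;;
        *) echo "not an ansible-vault file: $1" >&2; return 1 ;;
    esac
    echo "$header" | cut -d ';' -f 4
}

# Print the decrypt command for vault file $1 using password file $2.
# A file encrypted with a vault id needs --vault-id <id>@<password file>;
# a file without an id only needs --vault-password-file.
decrypt_command() {
    id=$(vault_id_of "$1") || return 1
    if [ -n "$id" ]; then
        echo "ansible-vault decrypt --vault-id ${id}@$2 $1"
    else
        echo "ansible-vault decrypt --vault-password-file $2 $1"
    fi
}

# Constructed sample: a header like the vault.yml shown above (id "test").
sample=$(mktemp)
printf '$ANSIBLE_VAULT;1.2;AES256;test\n' > "$sample"
decrypt_command "$sample" /usr/local/ansible/vault/.vault_password.txt
rm -f "$sample"
```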