Bootstrap

Ansible - ansible-vault encrypt command

by Jeremy Canfield | Updated: October 07 2022 | Ansible articles

The ansible-vault command can be used to perform a number of tasks.

ansible-vault create - create an encrypted file
ansible-vault decrypt - decrypt and encrypted file
ansible-vault edit - edit an encrypted file
ansible-vault encrypt - encrypt a non-encrypted file
ansible-vault encrypt_string - encrypt a string
ansible-vault rekey - change password used to view or decrypt an encrypted file
ansible-vault view - view the cleartext contents of an encryped file

Additionally, there are a few command line options to be aware of.

--ask-vault-pass - prompt for the vault password
--vault-id - use a specific users password in a file
--vault-password-file - use a single password in a file

The ansible-vault encrypt command can be used to encrypt a non-encrypted file. For example, let's say ping.yml is unencrypted. When unencrypted, ping.yml can be viewed using common commands, such as cat.

cat ping.yml

Let's say ping.yml contains the following.

---
- hosts: all
  gather_facts: false
  tasks:
    - ping:
...

ping.yml can be invoked using the ansible-playbook command.

ansible-playbook ping.yml

Which should return something like this.

PLAY [all] 

TASK [ping] 
ok: [server1.example.com]
ok: [server2.example.com]
ok: [server3.example.com]

PLAY RECAP 
server1.example.com      : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
server2.example.com      : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
server3.example.com      : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

The ansible-vault encrypt command can be used to encrypt ping.yml.

ansible-vault encrypt ping.yml

You will be prompted to create a new vault password.

New Vault password:

Or, to avoid being prompted for the vault password, you could create a Vault Password file, and then use the --vault-password-file command line option (if you are going to use the same password for all of the ansible-vault commands) . . .

ansible-vault encrypt --vault-password-file /usr/local/vault/.vault_password.txt ping.yml

Or the --vault-id command line option (if you want to use different passwords)

ansible-vault encrypt --vault-id test@/usr/local/ansible/vault/.vault_password.txt ping.yml

On a Linux system, ping.yml could have the following owner and permissions. In this example, only john.doe can read and write to foo.txt.

-rw-------. 1 john.doe john.doe  355 Mar 16 18:48 ping.yml

Attempting to view the file using a normal command such as cat will display something like this.

$ANSIBLE_VAULT;1.1;AES256
66303833643731313633343266616162613965636161313534376563383639646463376630626635
3136316663626536303061333531303234616562323637330a373633393736393863373566623261
65643764336263613730666665663763383063386137383331386136366232666637626566653032
3933393061666138650a656238386665343838613833643435623932306539633138376533613039
6531

If the file was encrypted with a vault id, the vault id (test in this example) will be included.

$ANSIBLE_VAULT;1.1;AES256;test
66303833643731313633343266616162613965636161313534376563383639646463376630626635
3136316663626536303061333531303234616562323637330a373633393736393863373566623261
65643764336263613730666665663763383063386137383331386136366232666637626566653032
3933393061666138650a656238386665343838613833643435623932306539633138376533613039
6531

Now when running ping.yml using the ansible-playbook command, the --ask-vault-pass option can be used.

ansible-playbook ping.yml --ask-vault-pass

And you will be prompted for the vault password.

Vault password:

ansible-playbook ping.yml --vault-password-file /usr/local/ansible/vault/.vault_password.txt

Or the --vault-id command line option (if you want to use different passwords)

ansible-playbook ping.yml --vault-id test@/usr/local/ansible/vault/.vault_password.txt

Or you could set the vault_password_file directive in your ansible.cfg file.

[defaults]
vault_password_file = /usr/local/ansible/vault/.vault_password.txt

In this scenario, you wouldn't need to use any of the vault password command line options (--ask-vault-pass, --vault-password-file, --vault-id).

ansible-playbook example.yml

Which should return something like this, which shows the same exact result with the encrypted ping.yml file as compared to the non-encrypted ping.yml file.


PLAY [all] 

TASK [ping] 
ok: [server1.example.com]
ok: [server2.example.com]
ok: [server3.example.com]

PLAY RECAP 
server1.example.com      : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
server2.example.com      : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
server3.example.com      : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

Did you find this article helpful?

If so, consider buying me a coffee over at

Did you find this article helpful?

Comments

Add a Comment