
The ansible-vault command can be used to perform a number of tasks.
- ansible-vault create - create an encrypted file
- ansible-vault decrypt - decrypt an encrypted file
- ansible-vault edit - edit an encrypted file
- ansible-vault encrypt - encrypt a non-encrypted file
- ansible-vault encrypt_string - encrypt a string
- ansible-vault rekey - change the password used to view or decrypt an encrypted file
- ansible-vault view - view the cleartext contents of an encrypted file
Additionally, there are a few command line options to be aware of.
- --ask-vault-pass - prompt for the vault password
- --vault-id - use a specific user's password from a file (label@path)
- --vault-password-file - use a single password from a file
The ansible-vault encrypt_string command creates an encrypted string. The encrypted string is output as a key-value pair. In this example, a key named "foo" is created, and the value "bar" is encrypted.
ansible-vault encrypt_string 'bar' --name 'foo'
You will be prompted to create the vault password.
New Vault password:
Or, to avoid being prompted for the vault password, you could create a vault password file and use the --vault-password-file command line option (if you are going to use the same password for all of the ansible-vault commands):
ansible-vault encrypt_string 'bar' --name 'foo' --vault-password-file /usr/local/vault/.vault_password.txt
Or the --vault-id command line option (if you want to use different passwords):
ansible-vault encrypt_string 'bar' --name 'foo' --vault-id test@/usr/local/ansible/vault/.vault_password.txt
After providing the valid vault password, something like this should be displayed.
foo: !vault |
$ANSIBLE_VAULT;1.1;AES256
36363439653836626337336232306464623531653330313661306133623432333832613666323464
3435373066366662653064393035343266363131613034310a383934373338636564616232623264
64336238306434663434396433313437386566386466336162373861353063646531616633613965
3461326138313833610a393161646166303362343835613566386237663636646333323236333635
3536
Encryption successful
Almost always, you are going to redirect the encrypted string to a file.
ansible-vault encrypt_string 'bar' --name 'foo' > foo.txt
foo.txt should contain the following.
foo: !vault |
$ANSIBLE_VAULT;1.1;AES256
36363439653836626337336232306464623531653330313661306133623432333832613666323464
3435373066366662653064393035343266363131613034310a383934373338636564616232623264
64336238306434663434396433313437386566386466336162373861353063646531616633613965
3461326138313833610a393161646166303362343835613566386237663636646333323236333635
3536
On the Linux command line, here is how you would decrypt the encrypted string.
echo -e '$ANSIBLE_VAULT;1.1;AES256\n36363439653836626337336232306464623531653330313661306133623432333832613666323464\n3435373066366662653064393035343266363131613034310a383934373338636564616232623264\n64336238306434663434396433313437386566386466336162373861353063646531616633613965\n3461326138313833610a393161646166303362343835613566386237663636646333323236333635\n3536' | ansible-vault decrypt
Which should return the following.
Decryption successful
bar
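The $ANSIBLE_VAULT;1.1;AES256 text that ansible-vault prints is a hex-encoded envelope, and ansible-vault checks an HMAC over the ciphertext before it decrypts anything, which is how a wrong password is detected. The Python below is an added example, not code from this article or from the Ansible project: it parses that envelope with the standard library only (including the blob printed above, whose password is unknown) and checks whether a candidate vault password reproduces the HMAC. It assumes the 1.1/1.2 layout (salt, HMAC-SHA256 and AES-CTR ciphertext, each hex-encoded and newline-joined, then hex-encoded again) and PBKDF2-HMAC-SHA256 with 10000 rounds producing 80 bytes of key material; since AES is not in the standard library, the constructed sample carries placeholder ciphertext bytes and no plaintext is recovered.

```python
# Parse an Ansible Vault envelope with the stdlib only and check a candidate password's HMAC.
import binascii, hashlib, hmac, os, textwrap

PBKDF2_ROUNDS = 10000  # rounds used by Ansible's AES256 vault cipher (assumption)

# Copied from the encrypt_string output shown on this page (its password is unknown).
PAGE_BLOB = """$ANSIBLE_VAULT;1.1;AES256
36363439653836626337336232306464623531653330313661306133623432333832613666323464
3435373066366662653064393035343266363131613034310a383934373338636564616232623264
64336238306434663434396433313437386566386466336162373861353063646531616633613965
3461326138313833610a393161646166303362343835613566386237663636646333323236333635
3536"""

def parse_vault(text):
    """Return (version, vault_id, salt, mac, ciphertext) from an envelope."""
    # Layout after the header line: hex( salt_hex + "\n" + hmac_hex + "\n" + ct_hex )
    lines = [line.strip() for line in text.strip().splitlines()]
    fields = lines[0].split(";")
    if fields[0] != "$ANSIBLE_VAULT" or fields[2] != "AES256":
        raise ValueError("not an AES256 Ansible Vault envelope")
    vault_id = fields[3] if len(fields) > 3 else None  # label is only present in format 1.2
    inner = binascii.unhexlify("".join(lines[1:]))
    salt_hex, mac_hex, ct_hex = inner.split(b"\n")
    return (fields[1], vault_id, binascii.unhexlify(salt_hex),
            binascii.unhexlify(mac_hex), binascii.unhexlify(ct_hex))

def derive_keys(password, salt):
    """PBKDF2-HMAC-SHA256 -> 80 bytes: 32-byte AES key, 32-byte HMAC key, 16-byte CTR IV."""
    km = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS, 80)
    return km[:32], km[32:64], km[64:]

def password_matches(text, password):
    """True when the password reproduces the envelope's HMAC (constant-time compare)."""
    _, _, salt, mac, ct = parse_vault(text)
    _, hmac_key, _ = derive_keys(password, salt)
    return hmac.compare_digest(hmac.new(hmac_key, ct, hashlib.sha256).digest(), mac)

def build_envelope(password, ciphertext, vault_id=None):
    """Wrap opaque ciphertext bytes in a well-formed envelope (format 1.2 when labelled)."""
    salt = os.urandom(32)
    _, hmac_key, _ = derive_keys(password, salt)
    mac = hmac.new(hmac_key, ciphertext, hashlib.sha256).digest()
    inner = b"\n".join(binascii.hexlify(part) for part in (salt, mac, ciphertext))
    header = f"$ANSIBLE_VAULT;1.2;AES256;{vault_id}" if vault_id else "$ANSIBLE_VAULT;1.1;AES256"
    body = "\n".join(textwrap.wrap(binascii.hexlify(inner).decode(), 80))
    return header + "\n" + body + "\n"

# Constructed sample: 16 placeholder bytes stand in for one AES-CTR block (stdlib has no AES).
SAMPLE = build_envelope("constructed-password", b"\x00" * 16, vault_id="test")
```

Running password_matches against a vault password file's contents is a cheap way to confirm the file pairs with a given blob before a play that uses --vault-password-file is launched.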
In a playbook, the set_fact module and the lookup plugin can be used to store the content of the file that contains the encrypted string (foo.txt in this example) in a variable ("foo" in this example).
- set_fact:
    foo: "{{ lookup('file', 'foo.txt') }}"
The debug module could be used to validate that the "foo" variable contains the encrypted string.
- name: "output the 'foo' variable"
  debug:
    var: foo
Which should output something like this.
TASK [output the 'foo' variable]
ok: [server1.example.com] => {
"foo": "foo: !vault |\n $ANSIBLE_VAULT;1.2;AES256;test\n 31393261616237373231363237633237373165393063383766643265623264356366303037363262\n 3764343537623566376235306562306633616333333361350a303563343938636236336466373366\n 34363363633261396466323234393162613137343737393366616630343561653433643935383536\n 6436323264653439360a333838383837333636323933306438613164346636383336616361623836\n 3066"
}
The shell module could be used to invoke the ansible-vault command. In this example, the register parameter is used to store the output in the "out" variable. In this scenario, you most definitely want to include the --vault-password-file or --vault-id option so that the play doesn't halt and prompt for the vault password.
- name: "ansible-vault view foo.txt"
  shell: "ansible-vault view --vault-id test@/usr/local/ansible/vault/.vault_password.txt foo.txt"
  register: out
The debug module could be used to validate that the "out" variable contains the plain text content of foo.txt.
- name: "output the 'out' variable"
  debug:
    var: out
Which should output something like this.
TASK [output the 'out' variable]
ok: [server1.example.com] => {
"msg": "Hello World"
}