Ansible Vault is a feature that allows users to encrypt values and data structures within Ansible projects. This provides a way to secure any secrets or sensitive data that is necessary to run Ansible plays successfully but should not be publicly visible, such as private keys or passwords. Ansible automatically decrypts the vault-encrypted content at runtime when the password is provided.
To integrate these secrets with regular Ansible data, both the ansible and ansible-playbook commands (for executing ad hoc tasks and structured playbooks respectively) support decrypting vault-encrypted content at runtime.
Ansible Vault is implemented with file-level granularity, meaning a file is either entirely encrypted or entirely unencrypted. It uses the AES256 algorithm to provide symmetric encryption keyed to a user-supplied password.
This means the same password is used to encrypt and decrypt the content, which is helpful from a usability standpoint. Ansible can identify and decrypt any vault-encrypted files it finds while executing a task or playbook.
Though there is a proposal to change this, at the time of writing users can only pass a single password to Ansible. This means that every encrypted file involved in a run must share that password.
Using Ansible Vault
The simplest use of Ansible Vault is to encrypt variable files. It can encrypt any YAML file, but the most common files to encrypt are:
Encrypting an Existing File
You can encrypt a regular plaintext variable file using ansible-vault and define the password that will be needed later to decrypt it.
The ansible-vault command will prompt you for a password twice. After that, the file will be encrypted.
Creating an Encrypted File
To create an encrypted data file, use the ansible-vault create command and pass the filename.
You will be prompted to create a password and then confirm it by re-typing it.
Once your password is confirmed, a new file will be created and opened in an editor window. By default, the editor for Ansible Vault is vi. You can add data, save it, and exit.
Editing Encrypted Files
If you want to edit an encrypted file, use the ansible-vault edit command. This command decrypts the file to a temporary file and allows you to edit it.
You will be prompted for the vault password. The decrypted file opens in the vi editor, where you can make the required changes. When you save and exit, the changes are written back to the encrypted file and the temporary file is removed.
Rekeying Encrypted Files
If you want to change the password on a vault-encrypted file, use the ansible-vault rekey command.
This command can rekey multiple data files at once; it asks for the original password and then for the new password.
Encrypting Unencrypted Files
If you have existing files that you want to encrypt, use the ansible-vault encrypt command. This command can operate on multiple files at once.
Decrypting Encrypted Files
If you have existing files that you no longer want to keep encrypted, you can decrypt them permanently with the ansible-vault decrypt command. This command saves them unencrypted to disk, so be deliberate about which files you decrypt and where they are committed.
Viewing Encrypted Files
If you want to view the contents of an encrypted file without editing it, then you can use the ansible-vault view command.
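Because Vault works at file level, and because ansible-vault decrypt leaves plaintext on disk, a useful safeguard is a check (run before commit or in CI) that every file meant to hold secrets actually carries the vault header. The following is an added example, not code from the original page or from the Ansible project; it relies on the documented header line that every vault-encrypted file begins with ($ANSIBLE_VAULT;1.1;AES256, or version 1.2 with a vault-id label), and assumes a naming convention (vault.yml / *_vault.yml) for files that must be encrypted; the sample tree is constructed.

```python
import re
from pathlib import Path

# Every ansible-vault encrypted file starts with a header line of the form
#   $ANSIBLE_VAULT;<format version>;<cipher>[;<vault-id label>]
# followed by hex-encoded ciphertext; format 1.1 has no label, 1.2 adds one.
VAULT_HEADER = re.compile(
    r"^\$ANSIBLE_VAULT;(?P<version>1\.[12]);(?P<cipher>AES256)(?:;(?P<label>[^;\s]+))?\s*$"
)
# Naming convention assumed for this example: a file named vault.yml or
# *_vault.yml is meant to hold secrets and must therefore be encrypted.
SECRET_FILE = re.compile(r"(^|_)vault\.ya?ml$")


def parse_vault_header(text):
    """Return (version, cipher, label) if text is vault-encrypted, else None.
    Vault works at file granularity, so the first line decides for the whole file."""
    match = VAULT_HEADER.match(text.split("\n", 1)[0])
    if match is None:
        return None
    return match.group("version"), match.group("cipher"), match.group("label")


def check_tree(files):
    """files maps relative path -> contents; return the paths that should be
    encrypted by name but carry no vault header, i.e. secrets sitting in plaintext."""
    return sorted(
        path for path, text in files.items()
        if SECRET_FILE.search(Path(path).name) and parse_vault_header(text) is None
    )


def check_directory(root):
    """Same check over a real project directory (only YAML files are read)."""
    root = Path(root)
    return check_tree({p.relative_to(root).as_posix(): p.read_text(errors="replace")
                       for p in root.rglob("*.y*ml") if p.is_file()})


# Constructed sample tree: one properly encrypted file (ciphertext shortened to a
# placeholder), one secrets file committed in plaintext, and an ordinary vars file.
SAMPLE_TREE = {
    "group_vars/all/vault.yml": "$ANSIBLE_VAULT;1.1;AES256\n3634363632316130...\n",
    "group_vars/db/vault.yml": "db_password: hunter2\n",
    "group_vars/db/vars.yml": "db_user: app\ndb_password: \"{{ vault_db_password }}\"\n",
}

if __name__ == "__main__":
    for path in check_tree(SAMPLE_TREE):
        print(f"NOT ENCRYPTED: {path}")
```

Point check_directory at a project root to run the same check against real files; a non-empty result is the list of secret files that were never encrypted or were decrypted and left on disk.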