How to Use Ansible Vault in Playbooks to Protect Sensitive Data – Part 10

As you go about using Ansible, you may be required to key in some confidential or secret information in playbooks. This includes SSH private and public keys, passwords, and SSL certificates to mention just a few. As we already know, its bad practice to save this sensitive information in plain text for obvious reasons. This information requires to be kept under lock and key because we can only imagine what would happen if hackers or unauthorized users got a hold of it.

Thankfully, Ansible provides us with a handy feature known as Ansible Vault. As the name suggests, the Ansible Vault helps secure vital secret information as we have discussed earlier. Ansible Vault can encrypt variables, or even entire files and YAML playbooks as we shall later demonstrate. It’s a very handy and user-friendly tool that requires the same password when encrypting and decrypting files.

Let’s now dive in and have an overview of the various operations that can be carried out using Ansible vault.

How to Create an Encrypted File in Ansible

If you want to create an encrypted Playbook file simply use the ansible-vault create command and provide the filename as shown.

# ansible-vault create filename

For example, to create an encrypted file mysecrets.yml execute the command.

# ansible-vault create mysecrets.yml

You will thereafter be prompted for a password, and after confirming it, a new window will open using the vi editor where you can begin writing your plays.

Create an Encrypted File in Ansible

Create an Encrypted File in Ansible

Below is a sample of some information. Once you are done simply save and exit the playbook. And that’s just about it when creating an encrypted file.

Encrypted File in Ansible

Encrypted File in Ansible

To verify the file encryption, use the cat command as shown.

# cat mysecrets.yml
Verify Encrypted File in Ansible

Verify Encrypted File in Ansible

How to View an Encrypted File in Ansible

If you want to view an encrypted file, simply pass the ansible-vault view command as shown below.

# ansible-vault view mysecrets.yml

Once again, you will be prompted for a password. Once again, you will have access to your information.

View Encrypted File in Ansible

View Encrypted File in Ansible

How to Edit an Encrypted File in Ansible

To make changes to an encrypted file use the ansible-vault edit command as shown.

# ansible-vault edit mysecrets.yml

As always, provide the password and thereafter proceed editing the file.

Edit Encrypted File in Ansible

Edit Encrypted File in Ansible

After you are done editing, save and exit the vim editor.

How to Change Ansible Vault Password

In case you feel the need to change the Ansible vault password, you can easily do so using the ansible-vault rekey command as shown below.

# ansible-vault rekey mysecrets.yml
Change Ansible Vault Password

Change Ansible Vault Password

This prompts you for the vault password and later requests you to enter the new password and later confirm it.

How to Encrypt an Unencrypted File in Ansible

Suppose you want to encrypt an unencrypted file, you can do so by running the ansible-vault encrypt command as shown.

# ansible-vault encrypt classified.txt
Encrypt an Unencrypted File

Encrypt an Unencrypted File

You can later view the file using the cat command as indicated below.

View Encrypted File

View Encrypted File

How to Decrypt an Encrypted File

To view the contents of an encrypted file, simply decrypt the file using the ansible-vault encrypt as illustrated in the example below.

# ansible-vault decrypt classified.txt
Decrypt an Encrypted File

Decrypt an Encrypted File

How to Encrypt Specific Variables in Ansible

Additionally, Ansible vault grants you the ability to encrypt certain variables. This is done using the ansible-vault encrypt_string command as shown.

# ansible-vault encrypt_string 
Encrypted Specific Variables in Ansible

Encrypted Specific Variables in Ansible

Ansible vault will prompt you for the password and later require you to confirm it. Next, type the string value that you want to encrypt. Finally, press ctrl + d. Thereafter, you can begin assigning the encrypted value in a playbook.

This can be achieved in a single line as shown below.

# ansible-vault encrypt_string 'string' --name 'variable_name'
Assign Encrypted Value in Ansible Playbook

Assign Encrypted Value in Ansible Playbook

How to Decrypt a Playbook File During Runtime

If you have a playbook file and want to decrypt it during runtime, use the --ask-vault-pass option as illustrated.

# ansible-playbook deploy.yml --ask-vault-pass
Decrypt Playbook File During Runtime

Decrypt Playbook File During Runtime

This decrypts all the files that are used in the playbook provided that they were encrypted using the same password.

The password prompts can be annoying at times. These prompts make automation untenable, especially when automation is key. To streamline the process of decrypting playbooks during runtime, it’s recommended to have a separate password file that contains the Ansible vault password. This file can then be passed during runtime as shown.

# ansible-playbook deploy.yml --vault-password-file  /home/tecmint/vault_pass.txt

This brings us to the conclusion of this topic and the Ansible automation series. We hope that the tutorials have infused some useful knowledge on how you can automate tasks across multiple servers from one central system.

If You Appreciate What We Do Here On TecMint, You Should Consider:

TecMint is the fastest growing and most trusted community site for any kind of Linux Articles, Guides and Books on the web. Millions of people visit TecMint! to search or browse the thousands of published articles available FREELY to all.

If you like what you are reading, please consider buying us a coffee ( or 2 ) as a token of appreciation.

Support Us

We are thankful for your never ending support.

James Kiarie

This is James, a certified Linux administrator and a tech enthusiast who loves keeping in touch with emerging trends in the tech world. When I'm not running commands on the terminal, I'm taking listening to some cool music. taking a casual stroll or watching a nice movie.

Your name can also be listed here. Got a tip? Submit it here to become an TecMint author.

RedHat RHCE and RHCSA Certification Book
Linux Foundation LFCS and LFCE Certification Preparation Guide
The Complete Linux System Administrator Bundle
Become an Ethical Hacker Bonus Bundle

You may also like...

Got something to say? Join the discussion.

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.