How to Use Ansible Vault in Playbooks to Protect Sensitive Data – Part 10

As you go about using Ansible, you will sooner or later need to put confidential information into playbooks: SSH private keys, passwords, API tokens and the private keys behind SSL/TLS certificates, to mention just a few. As we already know, it's bad practice to keep such data in plain text, especially in a playbook that is committed to version control, because anyone who can read the repository, its history or a backup can read the secrets too. This information needs to be kept under lock and key.

Thankfully, Ansible provides a handy feature known as Ansible Vault. As the name suggests, Ansible Vault keeps that secret information encrypted at rest: it can encrypt individual variables, whole files and entire YAML playbooks, as we shall demonstrate later. Under the hood it uses AES-256 with a key derived from a password you choose, so the same password is required to encrypt and to decrypt; lose the password and the data is gone with it.

Let’s now dive in and have an overview of the various operations that can be carried out using Ansible vault.

How to Create an Encrypted File in Ansible

If you want to create a new encrypted file, simply use the ansible-vault create command and provide the filename as shown.

# ansible-vault create filename

For example, to create an encrypted file mysecrets.yml execute the command.

# ansible-vault create mysecrets.yml

You will be prompted for a vault password and asked to confirm it. The file then opens in your editor (whatever the EDITOR environment variable points to, vi by default) where you can begin writing your plays or variables.

Create an Encrypted File in Ansible

Below is a sample of the kind of information you might store. Once you are done, simply save and exit; the file is written to disk already encrypted, and that is all there is to creating an encrypted file.

Encrypted File in Ansible

To verify that the file is really encrypted, print it with the cat command as shown. Instead of your plays you will see a header line, $ANSIBLE_VAULT;1.1;AES256, followed by the ciphertext encoded as hexadecimal text, which is what makes vaulted files safe to store in version control and easy to diff.

# cat mysecrets.yml
Verify Encrypted File in Ansible

How to View an Encrypted File in Ansible

If you want to view an encrypted file, simply pass the ansible-vault view command as shown below.

# ansible-vault view mysecrets.yml

Once again you will be prompted for the password, after which the decrypted contents are displayed. Unlike decrypting, viewing does not leave a plaintext copy of the file on disk.

View Encrypted File in Ansible

How to Edit an Encrypted File in Ansible

To make changes to an encrypted file use the ansible-vault edit command as shown.

# ansible-vault edit mysecrets.yml

As always, provide the password, then edit the file.

Edit Encrypted File in Ansible

After you are done editing, save and exit the editor; Ansible re-encrypts the file on save. Keep in mind that while the editor is open the plaintext lives in a temporary file, so do not run this on a host you do not trust.

How to Change Ansible Vault Password

In case you feel the need to change the Ansible vault password, you can easily do so using the ansible-vault rekey command as shown below.

# ansible-vault rekey mysecrets.yml
Change Ansible Vault Password

This prompts you for the current vault password, then for the new password and its confirmation. Rekeying decrypts the file and re-encrypts it with a key derived from the new password and a fresh salt. Note that it cannot undo a leak: anyone who already holds an old copy of the file together with the old password can still read that copy, so a leaked password also means rotating the secrets inside the file.

How to Encrypt an Unencrypted File in Ansible

Suppose you want to encrypt an unencrypted file, you can do so by running the ansible-vault encrypt command as shown.

# ansible-vault encrypt classified.txt
Encrypt an Unencrypted File

You can then inspect the file with the cat command as indicated below; it now shows only the vault header and the hex-encoded ciphertext.

View Encrypted File

How to Decrypt an Encrypted File

To get the plaintext back on disk, decrypt the file with the ansible-vault decrypt command as illustrated in the example below. This replaces the encrypted file with its plaintext contents, so if you only need to read it, prefer ansible-vault view, which does not leave a plaintext copy behind.

# ansible-vault decrypt classified.txt
Decrypt an Encrypted File

How to Encrypt Specific Variables in Ansible

Additionally, Ansible vault grants you the ability to encrypt certain variables. This is done using the ansible-vault encrypt_string command as shown.

# ansible-vault encrypt_string 
Encrypted Specific Variables in Ansible

Ansible Vault will prompt you for the password and then for its confirmation. Next, type the string value that you want to encrypt and press Ctrl+D to end the input (twice if you did not end with a newline). Do not press Enter first unless you want the newline to become part of the secret. The command prints a !vault block that you can paste into a playbook or vars file as the value of a variable.

The same can be achieved in a single command by passing the string and the variable name, which prints a ready-to-paste YAML key with the encrypted value. Be aware that a secret given on the command line ends up in your shell history and is visible to other users in the process list; the --stdin-name option reads the value from standard input instead.

# ansible-vault encrypt_string 'string' --name 'variable_name'
Assign Encrypted Value in Ansible Playbook

How to Decrypt a Playbook File During Runtime

If a playbook uses encrypted files or variables, Ansible needs the vault password at run time. The --ask-vault-pass option prompts for it, as illustrated.

# ansible-playbook deploy.yml --ask-vault-pass
Decrypt Playbook File During Runtime

Ansible then decrypts, in memory, every vaulted file and variable the play touches, provided they were all encrypted with the same password. A wrong password is detected immediately and the run aborts rather than producing garbage.

Password prompts make unattended automation impossible. To streamline runtime decryption, keep the vault password in a separate file and pass it at run time as shown. That file should be readable only by the user running Ansible (chmod 600), must never be committed alongside the playbooks it unlocks, and may also be an executable script that prints the password, for example one that fetches it from a secrets manager. Ansible 2.4 and later additionally accept --vault-id label@file, which lets a single run use several vault passwords.

# ansible-playbook deploy.yml --vault-password-file  /home/tecmint/vault_pass.txt
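Every command above reads or writes the same on-disk format, and it is worth seeing what the header, the hex body and the password check actually are. The following is an added example written for this page, not Ansible's own code: it re-implements the Ansible Vault 1.1 AES256 envelope (PBKDF2-HMAC-SHA256 key derivation, AES-256-CTR, HMAC-SHA256 over the ciphertext, hex body wrapped at 80 characters) using only the Python standard library, with a compact AES-256 in place of the cryptography package Ansible depends on. The function names vault_encrypt, vault_decrypt, vault_rekey and vault_password_ok and the SAMPLE_SECRET value are choices made here; the vault-id labelled 1.2 header is deliberately not handled.

```python
import hashlib, hmac, os
from binascii import hexlify, unhexlify

HEADER = b"$ANSIBLE_VAULT;1.1;AES256"      # the first line `cat` shows on any vaulted file
SAMPLE_SECRET = b"db_password: s3cr3t\n"  # constructed sample input, not from the article

def _make_sbox():  # derive the AES S-box in GF(2^8) rather than typing a 256-entry table
    sbox, p, q = [0] * 256, 1, 1
    rotl = lambda b, s: ((b << s) | (b >> (8 - s))) & 0xFF
    while True:
        p = p ^ ((p << 1) & 0xFF) ^ (0x1B if p & 0x80 else 0)  # p *= 3 (3 generates GF(2^8)*)
        q ^= q << 1; q ^= q << 2; q ^= q << 4; q &= 0xFF      # q /= 3, so q == p^-1
        q ^= 0x09 if q & 0x80 else 0
        sbox[p] = q ^ rotl(q, 1) ^ rotl(q, 2) ^ rotl(q, 3) ^ rotl(q, 4) ^ 0x63  # affine map
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox

SBOX = _make_sbox()

def _xtime(b):  # multiply by x in GF(2^8) modulo the AES polynomial
    return ((b << 1) ^ 0x1B) & 0xFF if b & 0x80 else b << 1

def _mix_column(a):  # the {02,03,01,01} circulant matrix applied to one column
    t = a[0] ^ a[1] ^ a[2] ^ a[3]
    return [a[i] ^ t ^ _xtime(a[i] ^ a[(i + 1) % 4]) for i in range(4)]

def aes_round_keys(key):  # AES-256 key schedule: 15 round keys, column-major like the state
    w = [list(key[i:i + 4]) for i in range(0, 32, 4)]
    rcon = 1
    for i in range(8, 60):
        t = list(w[i - 1])
        if i % 8 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # RotWord + SubWord
            t[0] ^= rcon
            rcon = _xtime(rcon)
        elif i % 8 == 4:
            t = [SBOX[b] for b in t]              # AES-256's extra SubWord
        w.append([a ^ b for a, b in zip(w[i - 8], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(15)]

def aes_encrypt_block(rks, block):  # forward cipher only: CTR mode never needs the inverse
    s = [b ^ k for b, k in zip(block, rks[0])]
    for rnd in range(1, 15):
        s = [SBOX[b] for b in s]                                            # SubBytes
        s = [s[((c + r) % 4) * 4 + r] for c in range(4) for r in range(4)]  # ShiftRows
        if rnd < 14:                                                        # MixColumns
            s = sum((_mix_column(s[c * 4:c * 4 + 4]) for c in range(4)), [])
        s = [b ^ k for b, k in zip(s, rks[rnd])]                            # AddRoundKey
    return bytes(s)

def _aes_ctr(key, iv, data):  # AES-256-CTR with the IV as a big-endian counter, as cryptography does
    rks, ctr, out = aes_round_keys(key), int.from_bytes(iv, "big"), bytearray()
    for i in range(0, len(data), 16):
        block = ((ctr + i // 16) & ((1 << 128) - 1)).to_bytes(16, "big")
        out += bytes(a ^ b for a, b in zip(data[i:i + 16], aes_encrypt_block(rks, block)))
    return bytes(out)

def _derive(password, salt):  # PBKDF2-HMAC-SHA256, 10000 rounds, 80 bytes: AES key | HMAC key | IV
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10000, 80)
    return dk[:32], dk[32:64], dk[64:]

def vault_encrypt(plaintext, password):  # what `ansible-vault encrypt` and `create` write to disk
    salt = os.urandom(32)                          # fresh salt: the same secret never encrypts alike
    key, mac_key, iv = _derive(password, salt)
    pad = 16 - len(plaintext) % 16                 # PKCS7 padding, kept although CTR needs none
    ciphertext = _aes_ctr(key, iv, plaintext + bytes([pad]) * pad)
    tag = hmac.new(mac_key, ciphertext, hashlib.sha256).hexdigest().encode()
    body = hexlify(b"\n".join([hexlify(salt), tag, hexlify(ciphertext)]))  # hex of "salt\nhmac\nct"
    return b"\n".join([HEADER] + [body[i:i + 80] for i in range(0, len(body), 80)]) + b"\n"

def vault_decrypt(vaulttext, password):  # reverse of vault_encrypt; a bad password raises ValueError
    header, _, body = vaulttext.strip().partition(b"\n")
    if header != HEADER:
        raise ValueError("not an Ansible Vault 1.1 AES256 file")
    salt_hex, tag, ct_hex = unhexlify(body.replace(b"\n", b"")).split(b"\n")
    key, mac_key, iv = _derive(password, unhexlify(salt_hex))
    ciphertext = unhexlify(ct_hex)
    expected = hmac.new(mac_key, ciphertext, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):     # checked before decrypting: a wrong key fails here
        raise ValueError("HMAC verification failed: wrong vault password or tampered file")
    padded = _aes_ctr(key, iv, ciphertext)
    return padded[:-padded[-1]]

def vault_password_ok(vaulttext, password):  # the check behind a failed --ask-vault-pass run
    try:
        vault_decrypt(vaulttext, password)
    except ValueError:
        return False
    return True

def vault_rekey(vaulttext, old_password, new_password):  # `ansible-vault rekey`: decrypt, re-encrypt
    return vault_encrypt(vault_decrypt(vaulttext, old_password), new_password)
```

Two things this makes visible that the commands hide: the HMAC over the ciphertext is verified with a constant-time compare before any decryption happens, which is why a wrong vault password (or a file edited by hand) is rejected outright, and rekey is nothing more than decrypt followed by encrypt with a new salt, which is why it needs the old password and why it gives no protection against copies made before the change. The encrypt_string output uses this same envelope, placed under a !vault tag in YAML.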

This brings us to the conclusion of this topic and of the Ansible automation series. We hope the tutorials have given you useful knowledge on how to automate tasks across multiple servers from one central system.


James Kiarie
This is James, a certified Linux administrator and a tech enthusiast who loves keeping in touch with emerging trends in the tech world. When I'm not running commands on the terminal, I'm listening to some cool music, taking a casual stroll or watching a nice movie.
