Ansible automation is sometimes needed to store some sensitive information such as user credentials, security, or API keys to configure managed hosts, keeping these passwords or other sensitive information in plain text files is a disaster if it can go into the wrong hands. This poses an obvious security risk. But we have an Ansible vault, which comes with Ansible, which can encrypt and decrypt your data. This article will help you know how Ansible Vault encrypts and decrypts strings or information in inventory, playbook as a variable, or in text file as well.

We can encrypt and decrypt variables in inventory and playbook variable files password as a command line argument or defined in ansible roles as well.

Encrypting Strings with Ansible Vault

Encrypting string through Ansible Vault is a simple process but we have two scenarios: You already have a variable file or a string file that you want to encrypt or You have to create from starting and insert a variable and encrypt it. First, we will look at creating variable files from starting.

1. Encrypted through Create a Vault File

ansible-vault create filename command will create a new encrypted file, when we run this command then it prompts us to set the password and it opens like in the vi editor.

[devops@controlnode ~]$ ansible-vault create credentials.yml
New Vault password: complex_password
Confirm New Vault password: complex_password

In the editor, insert your variable or sensitive information into the file, and save the changes to the Vault file. Below is a screenshot showing an example of creating an encrypted file using Ansible Vault. By using the ansible-vault view command, you can see the encrypted variable. Don’t forget to provide the encryption password when prompted.

Ansible Vault  Create Encrypted File

2. Existing File Encrypting

Generally, we already have a variable file or an existing file that we want to encrypt to protect sensitive information. The command below can be used to encrypt the file by providing its name as an argument. Don’t forget to enter the encryption password when prompted for the first time and confirmation.

[devops@controlnode ~]$ ansible-vault encrypt credential.yml 
New Vault password: 
Confirm New Vault password:
Ansible Vault Encrypt Sting

Decrypting Encrypted File using Ansible vault :

Here, we will learn how to permanently decrypt an existing encrypted file using the ansible-vault decrypt filename command. If you provide the encrypted filename without an additional filename, it will decrypt the same file with the same name. Please refer to the screenshot below.

[devops@controlnode ~]$ ansible-vault decrypt credential.yml 
Vault password: 
Decryption successful
Ansible Vault Decrypt String File

if you need to only string encrypt from the command line outside of the playbook, you can use ansible Vault String command, below is the syntax to encrypt.

ansible-vault encrypt_string <string_to_encrypt> --name <variable_name>

At the end to provide the vault password to the encrypted playbook or encrypted playbook used in the playbook, it will need a vault password, use the –vault-id option. For example to provide the vault password in the command line, use –vault-id @prompt as in the below

[devops@controlnode ~]$  ansible-playbook --vault-id @prompt playbook.yml

Vault password (default ): your vault password 

By Sachin G

I am a professional freelance contributor and founder of tech transit. Love to write and lover of education, culture, and community. I have been using it, setting, supporting, and maintaining it since 2009.Linux rocks! Sachin G Follow me on LinkedIn and x formerly twitter