Ansible automation sometimes needs to store sensitive information such as user credentials, security keys, or API keys in order to configure managed hosts. Keeping these passwords or other secrets in plain-text files is a disaster if they fall into the wrong hands, and an obvious security risk. Ansible ships with Ansible Vault, which can encrypt and decrypt this data. This article shows how Ansible Vault encrypts and decrypts strings or other information, whether in an inventory, in a playbook as a variable, or in a text file.

We can encrypt and decrypt variables in inventory and playbook variable files, supply the Vault password as a command-line argument, and use encrypted variables defined in Ansible roles as well.

Encrypting Strings with Ansible Vault

Encrypting a string with Ansible Vault is a simple process, but there are two scenarios: you already have a variable file or a string file that you want to encrypt, or you have to create the file from scratch, insert the variable, and encrypt it. First, we will look at creating a variable file from scratch.

1. Encrypting by Creating a Vault File

The ansible-vault create filename command creates a new encrypted file. When we run it, it prompts us to set a password and then opens the file in an editor (vi by default).

[devops@controlnode ~]$ ansible-vault create credentials.yml
New Vault password: complex_password
Confirm New Vault password: complex_password

In the editor, insert your variable or sensitive information into the file and save the changes; the file is written to disk encrypted. Below is a screenshot showing an example of creating an encrypted file with Ansible Vault. With the ansible-vault view command you can read the encrypted variable; don't forget to provide the Vault password when prompted.

[Screenshot: Ansible Vault create encrypted file]

2. Encrypting an Existing File

Generally, we already have a variable file or another existing file that we want to encrypt to protect sensitive information. The command below encrypts such a file when you pass its name as an argument. Enter the new Vault password when prompted, and enter it again to confirm.

[devops@controlnode ~]$ ansible-vault encrypt credential.yml 
New Vault password: 
Confirm New Vault password:
[Screenshot: Ansible Vault encrypt string]

Decrypting an Encrypted File using Ansible Vault

Here, we will learn how to permanently decrypt an existing encrypted file with the ansible-vault decrypt filename command. If you pass only the encrypted filename, without an output filename, the file is decrypted in place under the same name. Please refer to the screenshot below.

[devops@controlnode ~]$ ansible-vault decrypt credential.yml 
Vault password: 
Decryption successful
[Screenshot: Ansible Vault decrypt string file]

If you need to encrypt only a single string from the command line, outside of a playbook, you can use the ansible-vault encrypt_string command. The syntax is:

ansible-vault encrypt_string <string_to_encrypt> --name <variable_name>

Finally, when a playbook uses an encrypted file or an encrypted variable, ansible-playbook needs the Vault password; supply it with the --vault-id option. For example, to be prompted for the Vault password on the command line, use --vault-id @prompt as in the example below:

[devops@controlnode ~]$  ansible-playbook --vault-id @prompt playbook.yml

Vault password (default ): your vault password 
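As an added example (not from the original article), the following Python check verifies that a vars file holds only vault-encrypted values, whether it was encrypted whole with ansible-vault encrypt or contains inline !vault blocks pasted from ansible-vault encrypt_string. It inspects only the envelope structure (header line, hex body, salt/HMAC/ciphertext sizes) and needs no password, so it can run as a pre-commit guard against the plain-text secrets problem described at the top. The sample envelope it builds is a constructed fixture with filler bytes, not real ciphertext, and the assumed file layout is one top-level key per line.

```python
import binascii
import re

# Envelope layout (checkable without the password): header "$ANSIBLE_VAULT;<1.1|1.2>;AES256[;<vault-id>]"
# followed by hex text that decodes to "salt_hex\nhmac_hex\nciphertext_hex"
# (32-byte salt, 32-byte HMAC-SHA256, AES256-CTR ciphertext).
HEADER_RE = re.compile(r"^\$ANSIBLE_VAULT;(1\.[12]);AES256(?:;([^\s;]+))?$")
# "var: !vault |" followed by an indented block, as emitted by `ansible-vault encrypt_string --name var`.
INLINE_RE = re.compile(r"^(\w+):[ \t]*(!vault[ \t]*\|\n((?:[ \t]+\S+\n?)+)|.*)$", re.M)

def parse_vault_envelope(text: str) -> dict:
    """Validate envelope structure; raise ValueError if it is not what ansible-vault emits."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    m = HEADER_RE.match(lines[0]) if lines else None
    if not m:
        raise ValueError("missing or malformed $ANSIBLE_VAULT header")
    try:
        parts = binascii.unhexlify("".join(lines[1:])).split(b"\n")
        salt, mac, ct = (binascii.unhexlify(p) for p in parts)  # ValueError unless exactly 3 parts
    except (binascii.Error, ValueError):
        raise ValueError("body is not hex(salt\\nhmac\\nciphertext)") from None
    if len(salt) != 32 or len(mac) != 32 or len(ct) < 16:
        raise ValueError("salt/HMAC/ciphertext lengths do not match AES256 vault output")
    return {"version": m.group(1), "vault_id": m.group(2), "ct_len": len(ct)}

def check_secrets_file(contents: str) -> list:
    """Findings for a vars file that must hold only vaulted values; [] means it is clean."""
    if contents.lstrip().startswith("$ANSIBLE_VAULT"):  # whole-file vault (ansible-vault encrypt)
        parse_vault_envelope(contents)  # raises on a corrupt envelope
        return []
    findings = []
    for m in INLINE_RE.finditer(contents):  # YAML with inline !vault values
        name, block = m.group(1), m.group(3)
        if block is None:
            findings.append(f"{name}: plaintext value, not vault-encrypted")
            continue
        try:
            parse_vault_envelope(block)
        except ValueError as exc:
            findings.append(f"{name}: {exc}")
    return findings

def constructed_envelope(vault_id=None, indent=""):
    """CONSTRUCTED fixture: correct layout with fixed filler bytes, NOT real ciphertext."""
    salt, mac, ct = b"\x11" * 32, b"\x22" * 32, b"\x33" * 48
    body = binascii.hexlify(b"\n".join(binascii.hexlify(x) for x in (salt, mac, ct))).decode()
    header = "$ANSIBLE_VAULT;1.1;AES256" if vault_id is None else f"$ANSIBLE_VAULT;1.2;AES256;{vault_id}"
    lines = [header] + [body[i:i + 80] for i in range(0, len(body), 80)]
    return "".join(indent + ln + "\n" for ln in lines)
```

A file that mixes a plain-text value with vaulted ones, or whose !vault block is corrupt, yields one finding per offending variable, which is what a pre-commit hook should block on.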

By Sachin G

I am a professional freelance contributor and founder of tech transit. I love to write, and am a lover of education, culture, and community. I have been using, setting up, supporting, and maintaining it since 2009. Linux rocks! Sachin G. Follow me on LinkedIn and X (formerly Twitter).