All About Ansible Vault
This blog is about using ansible vault. Vault is a way to encrypt subtle information in Ansible scripts.
A distinctive Ansible setup comprises some sort of secret to fully setup a server or application. The common types of “secret” include passwords, SSH keys, SSL certificates, API tokens and whatever which the user do not want the public to see.
Since it is common to store Ansible configurations in version control, we need a way to store confidential data securely.
Ansible Vault is the answer to this. Ansible Vault can encrypt anything inside of a YAML file, using a password of the user choice.
USING ANSIBLE VAULT
A classic use of Ansible Vault is to encrypt variable files. Vault can encrypt any YAML file, but the most common files to encrypt are:
* Files within the group_vars directory
* A role’s defaults/main.yml file
* A role’s vars/main.yml file
* Any other file used to store variables.
ENCRYPTING AN EXISTING FILE
The characteristic use case is to have a normal, plaintext variable file to encrypt. Using ansible-vault, we can encrypt and define the password needed to decrypt later:
# Encrypt a role’s defaults/main.yml file ansible-vault encrypt defaults/main.yml > New Vault password: > Confirm New Vault password: > Encryption successful
The ansible-vault command will request the user for a password twice. Once that is done, the file will be encrypted. If the user edits the file directly, the user will just see encrypted text. It will be something like this:
$ANSIBLE_VAULT;1.1;AES256
65326233363731663631646134306563353236653338646433343838373437373430376464616339 3333383233373465353131323237636538363361316431380a643336643862663739623631616530 35356361626434653066316661373863313362396162646365343166646231653165303431636139 6230366164363138340a356631633930323032653466626531383261613539633365366631623238 32396637623866633135363231346664303730353230623439633666386662346432363164393438
CREATING AN ENCRYPTED FILE
If the user wants to create a new file instead of encrypting an existing one, the user can use the create command:
ansible-vault create defaults/extra.yml > New Vault password: > Confirm New Vault password:
EDITING A FILE
Once the user encrypts a file, the user can only edit the file by using ansible-vault. Here is how to edit the file after it is been encrypted:
ansible-vault edit defaults/main.yml > Vault password:
This will ask for the password used to encrypt the file.
You’ll lose your data if you lose your password!
ENCRYPTING SPECIFIC VARIABLES
The user does not have to encrypt a whole file! The user can track the changes in git, where the user will not have an entire file changing for just a small change.
The most basic use case is, to run it interactively on the CLI to get the formatted YAML as output:
ansible-vault encrypt_string > New Vault password: > Confirm New Vault password: > Reading plaintext input from stdin. (ctrl-d to end input) > this is a plaintext string > !vault | > $ANSIBLE_VAULT;1.1;AES256 >
39393766663761653337386436636466396531353261383237613531356531343930663133623839
>
3436613834303264613038623432303837393261663233640a363633343337623065613166306363
>
37336132363462386138343535346264333061656134636631326164643035313433393831616131
>
3635613565373939310a316132313764356432333366396533663965333162336538663432323334
> 33656365303733303664353961363563313236396262313739343461383036333561 >
Encryption successful