Introduction To Ansible Vault

Reading Time: 2 minutes

Hi readers, in this blog we will be discussing Ansible vault. Also, we will be looking at how to encrypt different playbooks and how they can be decrypted.

Introduction

The “Vault” is a feature of Ansible that allows you to keep sensitive data such as passwords or keys protected at rest, rather than as plain text in playbooks or roles. 

Why use Ansible Vault?

Ansible is used for automation, the playbooks contain certain credentials, SSL certificates ,or other sensitive data. Usually, we store our sensitive data in the variable of vault.

How Ansible Vault help us?

It helps us to encrypt or decrypt sensitive variables that contain information and there are 2 ways to take care of sensitive data :

1) encrypt variables and embed them into the playbook.

2) encrypt the entire playbook.

Creating an Encrypted File

To create an encrypted file, use the ansible-vault to create command ,and enter the filename.

When prompted, create a password and then confirm it by re-typing it. 

$ ansible-vault create example.yml 
New Vault password: 
Confirm New Vault password: 

After confirming our password, a new file is created and will open an editing window. By default, the editor for Vault is vi. Also, we can add data, save ,and exit. 

we can see out newly created file

$ cat example.yml 
$ANSIBLE_VAULT;1.1;AES256
39386238346630643735373664346130303866386233366364336633316237393764393465616362
3833626230316537333564623736396231306233343865360a666462303062323663656436343139
38333032333337316165643035633331646134336536656361376437393133383461633039303738
3464326333366564370a333264383039363333643933383038363339313061363236616364353261
3261

Encrypting Unencrypted Files

Suppose we have a file which we wish to encrypt, we can use the ansible-vault encrypt command.

$ ansible-vault encrypt oldfile.yml
New Vault password: 
Confirm New Vault password: 

Then, you will be prompted to insert and confirm the password after then your file is encrypted.

Editing Encrypted Files

If we want to edit our encrypted file, we can edit it using ansible-vault edit command.

$ ansible-vault edit example.yml 
Vault password:

Viewing Encrypted File

If we want to view our encrypted file, we can use the ansible-vault view command.

 ansible-vault view example.yml
Vault password: 
- name: mukesh
  hosts: WORKSPACE
  tasks:
    - name: copying a file.
      copy:
        src: /home/knoldus/example.yml
        dest: /home/

Rekeying Vault Password

Also, we can change the vault password for which we can use the ansible-vault rekey command.

decrypt

We will be prompted with the vault’s current password and then we will add a new password and finally confirming the new password.

Decrypting Encrypted Files

If we want to decrypt an encrypted file, we can use ansible-vault decrypt command. Then, we will be prompted to insert the vault password.

$ ansible-vault decrypt example.yaml 
Vault password: 
Decryption successful

Decrypting Encrypted Files During Runtime

We could use –ask-vault-pass flag to decrypt a file during runtime.

$ ansible-playbook launch.yml --ask-vault-pass

This will decrypt your encrypted files that are encrypted with the same password to execute.

Conclusion

We usually have some configuration data which is by definition sensitive and should not be publicly exposed. Also, We demonstrated how Ansible Vault can encrypt confidential information such that you can keep all of our configuration data in one place without compromising security.

Reference

https://www.edureka.co/blog/ansible-vault-secure-secrets

Leave a Reply