Hi readers, in this blog we will be discussing Ansible Vault. We will also look at how to encrypt playbooks and how to decrypt them.
The “Vault” is a feature of Ansible that allows you to keep sensitive data such as passwords or keys protected at rest, rather than as plain text in playbooks or roles.
Why use Ansible Vault?
Ansible is used for automation, and playbooks often contain credentials, SSL certificates, or other sensitive data. Usually, we store our sensitive data in vault-encrypted variables.
How does Ansible Vault help us?
It helps us encrypt and decrypt variables that contain sensitive information. There are 2 ways to take care of sensitive data:
1) encrypt variables and embed them into the playbook.
2) encrypt the entire playbook.
Creating an Encrypted File
To create an encrypted file, use the ansible-vault create command and enter the filename.
When prompted, create a password and then confirm it by re-typing it.
$ ansible-vault create example.yml
New Vault password:
Confirm New Vault password:
After we confirm the password, a new file is created and opened in an editing window. By default, the editor for Vault is vi. We can add data, save, and exit.
We can see our newly created file:
$ cat example.yml
$ANSIBLE_VAULT;1.1;AES256
39386238346630643735373664346130303866386233366364336633316237393764393465616362
3833626230316537333564623736396231306233343865360a666462303062323663656436343139
38333032333337316165643035633331646134336536656361376437393133383461633039303738
3464326333366564370a333264383039363333643933383038363339313061363236616364353261
3261
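The file shown above has a fixed layout: a header line, then hex text that decodes to three hex-encoded fields (salt, HMAC-SHA256 tag, ciphertext). As an added example that is not from the original post, this Python check parses that layout so a pre-commit or CI job can tell plaintext and truncated vault files from well-formed ones; parse_vault is a hypothetical helper name, not an Ansible API.

```python
import binascii

# Sample input: the `cat example.yml` output shown in this post.
SAMPLE = """$ANSIBLE_VAULT;1.1;AES256
39386238346630643735373664346130303866386233366364336633316237393764393465616362
3833626230316537333564623736396231306233343865360a666462303062323663656436343139
38333032333337316165643035633331646134336536656361376437393133383461633039303738
3464326333366564370a333264383039363333643933383038363339313061363236616364353261
3261
"""


def parse_vault(text):
    """Parse a vault envelope. Returns None for plaintext, raises ValueError
    for a damaged envelope. (Hypothetical helper name, not an Ansible API.)"""
    lines = text.strip().splitlines()
    if not lines or not lines[0].startswith("$ANSIBLE_VAULT;"):
        return None  # not encrypted: the case a pre-commit check should flag
    fields = lines[0].strip().split(";")
    if len(fields) < 3:
        raise ValueError("malformed vault header")
    try:
        # Outer layer: hex text wrapped at 80 columns.
        inner = binascii.unhexlify("".join(l.strip() for l in lines[1:]))
        # Inner layer: three hex strings separated by newlines.
        parts = [binascii.unhexlify(p) for p in inner.split(b"\n")]
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("vault body is not valid hex") from exc
    if len(parts) != 3:
        raise ValueError("expected salt, HMAC and ciphertext")
    salt, tag, ciphertext = parts
    # HMAC-SHA256 tags are 32 bytes; the plaintext is padded to 16-byte blocks.
    if len(tag) != 32 or not ciphertext or len(ciphertext) % 16:
        raise ValueError("truncated or corrupted vault body")
    return {
        "version": fields[1],
        "cipher": fields[2],
        "vault_id": fields[3] if len(fields) > 3 else None,  # format 1.2 only
        "salt_len": len(salt),
        "hmac_len": len(tag),
        "ciphertext_len": len(ciphertext),
    }


if __name__ == "__main__":
    print(parse_vault(SAMPLE))
    print(parse_vault("db_password: example\n"))  # constructed plaintext -> None
```

The header and the field lengths are readable without the password: Vault protects the content of the file, not its approximate size.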
Encrypting Unencrypted Files
If we have an existing file that we wish to encrypt, we can use the ansible-vault encrypt command.
$ ansible-vault encrypt oldfile.yml
New Vault password:
Confirm New Vault password:
You will be prompted to enter and confirm the password, after which your file is encrypted.
Editing Encrypted Files
If we want to edit our encrypted file, we can do so with the ansible-vault edit command.
$ ansible-vault edit example.yml
Vault password:
Viewing Encrypted File
If we want to view our encrypted file, we can use the ansible-vault view command.
$ ansible-vault view example.yml
Vault password:
- name: mukesh
  hosts: WORKSPACE
  tasks:
    - name: copying a file.
      copy:
        src: /home/knoldus/example.yml
        dest: /home/
Rekeying Vault Password
We can also change the vault password, using the ansible-vault rekey command.
We will be prompted for the vault’s current password, then we enter a new password and finally confirm it.
Decrypting Encrypted Files
If we want to decrypt an encrypted file, we can use the ansible-vault decrypt command. We will then be prompted to enter the vault password.
$ ansible-vault decrypt example.yml
Vault password:
Decryption successful
Decrypting Encrypted Files During Runtime
We can use the --ask-vault-pass flag to decrypt a file during runtime.
$ ansible-playbook launch.yml --ask-vault-pass
This decrypts, at run time, the files the playbook needs that were encrypted with that same password.
We usually have some configuration data that is by definition sensitive and should not be publicly exposed. We demonstrated how Ansible Vault can encrypt confidential information so that you can keep all of your configuration data in one place without compromising security.