
Ansible Vault



Ansible Vault is a feature that keeps secret data, such as server passwords and private keys, in encrypted files rather than as plain text in playbooks or roles.


Encrypting an existing playbook file


In this example we will encrypt an existing plain-text playbook file so that its sensitive data is encrypted and a password is required to decrypt it.


This will prompt you for a password twice. Once that is done, your playbook file will be encrypted.


[root@tecgeek ~]# ansible-vault encrypt /home/siddhesh/baseline/defaults/main.yml

> New Vault password: ********

> Confirm New Vault password: ********

> Encryption successful

[root@tecgeek ~]#


If you try to open this file directly in any editor, you will see something like this:


[root@tecgeek ~]# vim /home/siddhesh/baseline/defaults/main.yml

$ANSIBLE_VAULT;1.1;AES256

653121333336373166363164613430656333232366533386464333438383734373734322134464616339

3333383233373465353131323237632323263361316431380a643336643862663739623631616530

3535636162643465306631666137386332362396162646365343166646231653165303431636139

62303615664363138340a356631633930323032653466626531383261613539633365366631623238

32396635353866633135363231346664303730353230623439633666386662346432363164393438

3365366623530643262524233373337383934316335303862313838383966623134646230346330303136

6633323236306230383733353355313038623832316562363234622339383538343437663437373730

35666532335094439

[root@tecgeek ~]#



Creating a new encrypted playbook file


To create a new encrypted file you can use the create command.


[root@tecgeek ~]# ansible-vault create /home/siddhesh/baseline/defaults/tecgeek.yml

> New Vault password: ********

> Confirm New Vault password: ********

[root@tecgeek ~]#



Editing an already encrypted playbook file


To edit an already encrypted playbook file, you can use the edit command.


[root@tecgeek ~]# ansible-vault edit /home/siddhesh/baseline/defaults/tecgeek.yml

> Vault password: ********

[root@tecgeek ~]#


Decrypting an encrypted playbook file


You can decrypt a file to get it back to plain text using the decrypt command.


[root@tecgeek ~]# ansible-vault decrypt /home/siddhesh/baseline/defaults/tecgeek.yml

> Vault password: ********

[root@tecgeek ~]#
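
After a decrypt, the file stays in plain text until it is encrypted again. The script below is an added example, not part of the original page: it checks that files still begin with the `$ANSIBLE_VAULT` header shown earlier, for instance before a commit. The function names and the constructed sample files are assumptions, and the 1.2 header form (used with a vault ID label) goes beyond the 1.1 header the page shows.

```shell
#!/bin/sh
# Added example: confirm that files which should be vaulted really are.
# The first line of a vault file is its envelope header:
#   $ANSIBLE_VAULT;1.1;AES256            (as shown on this page)
#   $ANSIBLE_VAULT;1.2;AES256;<label>    (encrypted with a vault ID label)

# is_vaulted FILE: 0 if FILE starts with a vault header, 1 if not, 2 if unreadable.
is_vaulted() {
    [ -f "$1" ] && [ -r "$1" ] || return 2
    first=''
    # read fails on a last line without a newline, so also accept non-empty data
    IFS= read -r first < "$1" || [ -n "$first" ] || return 1
    case "$first" in
        '$ANSIBLE_VAULT;1.1;AES256')    return 0 ;;
        '$ANSIBLE_VAULT;1.2;AES256;'?*) return 0 ;;
        *)                              return 1 ;;
    esac
}

# check_vaulted FILE...: print each file that is NOT vault-encrypted.
# Returns 1 if any file is in plain text (or unreadable), 0 otherwise.
check_vaulted() {
    bad=0
    for f in "$@"; do
        is_vaulted "$f" || { printf '%s\n' "$f"; bad=1; }
    done
    return "$bad"
}

# Constructed sample data: file names mirror the page, contents are made up.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '$ANSIBLE_VAULT;1.1;AES256' '00' > "$d/main.yml"
    printf 'db_password: example\n' > "$d/tecgeek.yml"   # left decrypted
    echo "Files still in plain text:"
    check_vaulted "$d/main.yml" "$d/tecgeek.yml"
    rm -rf "$d"
}

# With arguments, check those files; without, run the constructed demo.
if [ "$#" -gt 0 ]; then check_vaulted "$@"; else demo; fi
```

Run with file paths as arguments, the script exits non-zero when any of them is not encrypted, so it can gate a commit hook or CI step.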



