Last Updated on February 18, 2023 by cscontents
Introduction to Ansible Vault
Ansible Vault is a feature of Ansible that lets us encrypt sensitive information (e.g., credentials, keys), playbooks (YAML files), inventory files, etc.
Ansible Vault is driven by the ansible-vault command line tool. We use this tool to encrypt and decrypt files.
The prerequisite for using Ansible Vault is that Ansible is installed on a Linux machine.
Prerequisite
Before going through this article, I assume you are familiar with the following.
- Basics of Ansible
- Having some hands-on experience in using Ansible
If you want to learn Ansible basics, please check out the below course from KodeKloud, which offers some of the best learning material in the DevOps world.
Link of Training Course: Ansible for absolute beginners
Note: The above links are affiliate links; if you enroll in this course using the above link, it helps us get some monetary benefit from KodeKloud. It won't cost you anything.
Encrypting any key, playbook, inventory file using ansible vault
The basic commands in ansible-vault are listed below.
If we run the ansible-vault -h command, we get the basic usage of ansible-vault.
Below is the syntax of the commands.
1. ansible-vault create <file name> - creates a new encrypted file.
2. ansible-vault decrypt <file name> - decrypts any ansible-vault encrypted file.
3. ansible-vault edit <file name> - edits an encrypted file in place.
4. ansible-vault view <file name> - views the content of any encrypted file.
5. ansible-vault encrypt <file name> - encrypts any existing file.
6. ansible-vault encrypt_string <string> - encrypts a single string.
While encrypting keys, secrets, playbooks, etc. using ansible-vault we need to give a password, and we need the same password to decrypt them when required.
There are a few ways in which we can pass the password.
- Entering the vault password manually - we run the ansible-vault command, it prompts for a password, and we type it in.
- Passing the vault password file path with the command - we pass the vault password file (a file in which we keep the vault password) on the command line.
- Adding the vault password file path to the /etc/ansible/ansible.cfg file - once the path is set there, we don't need to pass the password file with the command; the vault password is read from that file automatically.
- Using the environment variable ANSIBLE_VAULT_PASSWORD_FILE - once this variable is set, we don't need to pass the vault password file on the command line or in /etc/ansible/ansible.cfg.
- Passing "--ask-vault-pass" on the command line - with this option the command prompts for the password.
Now, I will explain all the above ways one by one.
Entering vault password manually
For example, I have the below inventory.txt file (which holds the details of a remote Windows machine) on my Linux machine. I will encrypt it using Ansible Vault.
[remote_server]
109.201.255.199
[remote_server:vars]
ansible_user=your_user
ansible_password=your_password
ansible_port=5985
ansible_connection=winrm
ansible_winrm_transport=ntlm
ansible_winrm_server_cert_validation=ignore
Now to encrypt this inventory.txt file, we need to run the below command.
ansible-vault encrypt inventory.txt
Once we run the above command, it prompts for a password, and we have to enter one. Please keep the password in a safe place; it will be required when you want to decrypt the file.
ubuntu@ansible-controller:~$ ansible-vault encrypt inventory.txt
New Vault password:
Confirm New Vault password:
Encryption successful
Now if we view the content of this file by running the cat command, we see that the content is encrypted.
ubuntu@ansible-controller:~$ cat inventory.txt
$ANSIBLE_VAULT;1.1;AES256
31323237333164646133323266363331366635313832663632343333323530346236316165306437
3234663433626562393431346534303735323532366263350a633665343365663033666233386531
30313366306636666133616437623135326531363363663038663139643465363139666532396332
3433343135373637310a
Passing vault password file path with the command
I will take the same example as above. I will encrypt the inventory.txt file and pass the vault password file (a simple text file containing the password) with the command.
ansible-vault encrypt inventory.txt --vault-password-file /home/ubuntu/vault-password.txt
ubuntu@ansible-controller:~$ ansible-vault encrypt inventory.txt --vault-password-file /home/ubuntu/vault-password.txt
Encryption successful
Similarly, if we want to decrypt the inventory.txt file, we need to run the below command.
ansible-vault decrypt inventory.txt --vault-password-file /home/ubuntu/vault-password.txt
ubuntu@ansible-controller:~$ ansible-vault decrypt inventory.txt --vault-password-file /home/ubuntu/vault-password.txt
Decryption successful
Adding vault password file path in /etc/ansible/ansible.cfg file
The vault password file path can be set permanently in the /etc/ansible/ansible.cfg file. Once it is set, we don't need to pass the vault password file on the command line.
ubuntu@ansible-controller:~$ ansible-vault encrypt inventory.txt
Encryption successful
Using environment variable ANSIBLE_VAULT_PASSWORD_FILE
Here we set the ANSIBLE_VAULT_PASSWORD_FILE environment variable to the path of the vault password file.
ubuntu@ansible-controller:~$ echo $ANSIBLE_VAULT_PASSWORD_FILE
/home/ubuntu/vault-password.txt
ubuntu@ansible-controller:~$ ansible-vault encrypt inventory.txt
Encryption successful
Passing "--ask-vault-pass" in the command line
Here we need to pass "--ask-vault-pass" on the ansible-vault command line.
ubuntu@ansible-controller:~$ ansible-vault encrypt inventory.txt --ask-vault-pass
New Vault password:
Confirm New Vault password:
Encryption successful
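As an added example (not from the article), the following Python script resolves which vault password file would be used under the three non-interactive methods above and checks the hygiene of that file; the precedence order (command line over environment over ansible.cfg, Ansible's usual rule) and the function names are my assumptions.

```python
import configparser
import os
import stat

# The three non-interactive ways the article lists for supplying the vault
# password: --vault-password-file, the ANSIBLE_VAULT_PASSWORD_FILE variable,
# and vault_password_file under [defaults] in ansible.cfg. Precedence assumed
# here follows Ansible's usual rule: command line > environment > ansible.cfg.
def resolve_vault_password_file(cli_path=None, environ=None, ansible_cfg_text=""):
    """Return (source, path) for the password file that would be used, or
    (None, None) when nothing is configured and ansible-vault would prompt."""
    if cli_path:
        return "command line", cli_path
    environ = os.environ if environ is None else environ
    if environ.get("ANSIBLE_VAULT_PASSWORD_FILE"):
        return "environment", environ["ANSIBLE_VAULT_PASSWORD_FILE"]
    cfg = configparser.ConfigParser()
    cfg.read_string(ansible_cfg_text)
    path = cfg.get("defaults", "vault_password_file", fallback=None)
    if path:
        return "ansible.cfg", os.path.expanduser(path)
    return None, None

def write_password_file(path, password, mode=0o600):
    """Create the vault password file owner-only from the start; the explicit
    chmod makes the mode independent of the caller's umask."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
    with os.fdopen(fd, "w") as fh:
        fh.write(password + "\n")
    os.chmod(path, mode)
    return path

def password_file_problems(path):
    """Hygiene checks: this one file unlocks every vault-encrypted file, so it
    must exist, be a regular file, be non-empty and be readable only by its owner."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["missing: " + path]
    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("group/other permissions set (expected 0600)")
    if st.st_size == 0:
        problems.append("empty password file")
    return problems
```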
Encrypting any specific key or string using ansible vault
Using ansible vault we can also encrypt any specific string or key.
For example, in an Ansible playbook you need to pass a password, but you don't want to put the password in plain text. In that case you can encrypt that specific password using Ansible Vault and put the encrypted content in the playbook.
- name: Test user create task
  hosts: remote_server
  become: true
  vars:
    # underscore, not hyphen: Jinja would read user-password as a subtraction
    user_password: my_password   # plain-text password, encrypted with encrypt_string later
  tasks:
    - name: create testansible group
      group:
        name: testansible
        state: present
    - name: create testansible user
      user:
        name: testansible
        group: testansible
        password: "{{ user_password | string | password_hash('sha512') }}"
        home: "/home/testansible"
Now, in the above playbook we have "my_password" in plain text, which is not good practice for security reasons.
To avoid that, we can encrypt "my_password" and put the encrypted value in the playbook.
ubuntu@ansible-controller:~$ ansible-vault encrypt_string my_password
!vault |
$ANSIBLE_VAULT;1.1;AES256
30623864643664336561326433666163656566326265393561616331343636613930623936633930
6138333232323962333235636265383361636532323037370a383030666162383038666565663632
39313137376136313932366630383835373936306239653532396536343538366139303731393938
6230396466316366380a316230356166336166373064626265336463646438353031373538623234
6234
Encryption successful
The encrypted version of “my_password” is shown in the output. Now, we will put this encrypted version in the playbook.
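As an added example (not from the article), the following Python script builds and parses the $ANSIBLE_VAULT envelope seen in the cat and encrypt_string outputs above without doing any cryptography, and flags secret-looking variables in an inventory file that is still in plain text. The function names and the sample inventory are constructed for this example.

```python
import binascii
import re

# Envelope header: version 1.1 carries no label, version 1.2 carries a vault id.
VAULT_HEADER = re.compile(
    r"^\$ANSIBLE_VAULT;(?P<version>1\.[12]);(?P<cipher>AES256)(?:;(?P<vault_id>\S+))?$")
# Variable names that should never sit in an unencrypted inventory file.
SECRET_KEY = re.compile(r"^\s*(\w*(?:password|passwd|secret|token)\w*)\s*=", re.I)
# Constructed sample inventory (same shape as the article's inventory.txt).
SAMPLE_INVENTORY = """[remote_server]
192.0.2.10
[remote_server:vars]
ansible_password=your_password
"""

def build_envelope(salt, hmac, ciphertext, vault_id=None):
    """Lay the three parts out the way ansible-vault does: hex each part, join
    them with newlines, hex that text again and wrap it at 80 columns."""
    inner = b"\n".join(binascii.hexlify(p) for p in (salt, hmac, ciphertext))
    header = ("$ANSIBLE_VAULT;1.1;AES256" if vault_id is None
              else "$ANSIBLE_VAULT;1.2;AES256;" + vault_id)
    body = binascii.hexlify(inner).decode("ascii")
    wrapped = "\n".join(body[i:i + 80] for i in range(0, len(body), 80))
    return header + "\n" + wrapped + "\n"

def parse_envelope(text):
    """Header fields plus raw salt, HMAC and ciphertext; structure only, no crypto."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if lines and lines[0].startswith("!vault"):  # inline encrypt_string form
        lines = lines[1:]
    m = VAULT_HEADER.match(lines[0]) if lines else None
    if m is None:
        raise ValueError("not an ansible-vault envelope")
    try:
        inner = binascii.unhexlify("".join(lines[1:])).decode("ascii")
        parts = [binascii.unhexlify(p) for p in inner.split("\n")]
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("vault body is not valid hex") from exc
    if len(parts) != 3:
        raise ValueError("expected salt, hmac and ciphertext sections")
    return {"version": m["version"], "cipher": m["cipher"], "vault_id": m["vault_id"],
            "salt": parts[0], "hmac": parts[1], "ciphertext": parts[2]}

def plaintext_secret_keys(inventory_text):
    """Secret-looking variable names in an inventory that is NOT vault-encrypted;
    a file that starts with the vault header is treated as protected: []."""
    if VAULT_HEADER.match(inventory_text.lstrip().split("\n", 1)[0]):
        return []
    matches = (SECRET_KEY.match(ln) for ln in inventory_text.splitlines())
    return [m.group(1) for m in matches if m]
```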
So, this is how we can encrypt any specific string or key or sensitive information using ansible vault and use it in a playbook.
Thank you.