Ansible is a fantastic automation and orchestration tool, popular among many developers owing to its simplicity and ease of use. One of its most important features is Ansible Vault. As you may have guessed by now, Ansible Vault is a security feature used to encrypt sensitive information in playbooks or files instead of leaving it in plain text, which would pose a significant threat in the event of a breach. Such data includes passwords, API tokens and SSL certificates, to mention a few. You can encrypt entire playbook YAML files or a single string within a playbook, such as a password.
In this guide, we look at the various ways Ansible Vault can help you lock down your sensitive or confidential information and keep snoopers at bay.
Create an Encrypted File using Ansible Vault
Ansible Vault uses the ansible-vault command line utility to encrypt sensitive information with the AES256 algorithm. This is symmetric encryption keyed by a password you define: the same password is used both to encrypt a file and to decrypt it in order to access its content.
To create an encrypted file, use the ansible-vault utility as shown:
$ ansible-vault create file.yml
For example, to create a file called secret_file.yml, run the command:
$ ansible-vault create secret_file.yml
You will be prompted to provide a new vault password. Key in your preferred password and confirm it. Once you have confirmed the password, the vim editor will be launched.
Thereafter, type the content you wish Ansible Vault to encrypt and save the file. Below is some sample text.
Hello, this is my secret file
When you view the file, you will see that it has already been encrypted with the AES256 algorithm, as shown.
$ vim secret_file.yml
Edit an Encrypted File with Ansible Vault
To make changes to an existing encrypted file, use the syntax:
$ ansible-vault edit file.yml
For the sample file we created earlier, the command for editing the file would be:
$ ansible-vault edit secret_file.yml
Again, you will be prompted for the vault password; after providing it, you will be granted access to the file to make modifications.
View an Encrypted File
To take a peek at an encrypted file without editing it, use the syntax:
$ ansible-vault view file.yml
Using our file, the command will therefore be:
$ ansible-vault view secret_file.yml
Encrypt an Existing File using Ansible Vault
Suppose you want to encrypt an existing unencrypted file, say an inventory file. How would you go about it? To achieve this, use the syntax:
$ ansible-vault encrypt file.yml
For example, to encrypt a file named file1.yml, execute the command:
$ ansible-vault encrypt file1.yml
Specify the vault password and confirm it to encrypt the file.
Decrypt a File using Ansible Vault
To decrypt a file and revert to plain text, run the command:
$ ansible-vault decrypt file1.yml
If all went well, you will get a ‘Decryption successful’ message. You can now use the cat command to view the contents of the file. Bear in mind that the file now sits in plain text on disk; re-encrypt it once you are done, or use ansible-vault view instead when you only need to read it.
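The encrypt and decrypt round trip above leaves a practitioner with two questions: is a given file actually vault-encrypted (so that no plaintext secret slips into a commit), and does the vault password a pipeline holds still match the files? The following Python is an added example, not part of the original post and not Ansible's own code. It parses the $ANSIBLE_VAULT;1.1;AES256 envelope that ansible-vault writes (a hex body wrapping a salt, an HMAC-SHA256 tag and the ciphertext, with keys derived by PBKDF2-HMAC-SHA256) and checks a password against the HMAC the way ansible-vault does before decrypting, so no plaintext is ever produced. The sample envelope it builds is constructed: a fixed salt and placeholder ciphertext bytes, with only the layout and the HMAC being genuine. The function names are my own.

```python
import binascii
import hashlib
import hmac

# Layout of an ansible-vault AES256 file:
#   line 1:     $ANSIBLE_VAULT;<version>;AES256[;<vault-id>]
#   lines 2..n: hex text, 80 chars per line, which decodes to
#               "<salt hex>\n<hmac hex>\n<ciphertext hex>"
# Keys: PBKDF2-HMAC-SHA256(password, salt, 10000 iterations) -> 80 bytes =
#       key1 (32, AES-256-CTR) | key2 (32, HMAC-SHA256) | iv (16)
HEADER_PREFIX = "$ANSIBLE_VAULT;"
PBKDF2_ITERATIONS = 10000
KEY_LEN = 32
IV_LEN = 16
SALT_LEN = 32
LINE_WIDTH = 80


def parse_vault_envelope(text):
    """Split a vault file into header fields and binary parts.

    Raises ValueError for anything that is not a well-formed AES256 vault
    envelope, so callers can treat "parses" as "is encrypted".
    """
    lines = text.strip().splitlines()
    if not lines or not lines[0].startswith(HEADER_PREFIX):
        raise ValueError("missing $ANSIBLE_VAULT header")
    fields = lines[0].split(";")
    if len(fields) not in (3, 4):
        raise ValueError("malformed vault header: %r" % lines[0])
    version, cipher = fields[1], fields[2]
    vault_id = fields[3] if len(fields) == 4 else None
    if cipher != "AES256":
        raise ValueError("unsupported vault cipher: %s" % cipher)
    body = "".join(line.strip() for line in lines[1:])
    try:
        parts = binascii.unhexlify(body).split(b"\n")
        if len(parts) != 3:
            raise ValueError("vault body does not hold salt/hmac/ciphertext")
        salt, mac, ciphertext = (binascii.unhexlify(p) for p in parts)
    except binascii.Error as exc:
        raise ValueError("vault body is not valid hex: %s" % exc)
    if len(salt) != SALT_LEN or len(mac) != hashlib.sha256().digest_size:
        raise ValueError("unexpected salt or HMAC length")
    return {"version": version, "vault_id": vault_id, "salt": salt,
            "hmac": mac, "ciphertext": ciphertext}


def derive_keys(password, salt):
    """Derive (key1, key2, iv) from the vault password the way ansible-vault does."""
    derived = hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ITERATIONS,
                                  dklen=2 * KEY_LEN + IV_LEN)
    return derived[:KEY_LEN], derived[KEY_LEN:2 * KEY_LEN], derived[2 * KEY_LEN:]


def is_vault_encrypted(text):
    """True if text is a well-formed vault envelope; needs no password."""
    try:
        parse_vault_envelope(text)
        return True
    except ValueError:
        return False


def password_opens_vault(text, password):
    """Check a vault password against a file without decrypting anything.

    ansible-vault authenticates the ciphertext with HMAC-SHA256 under key2
    before decrypting, so recomputing that tag with the configured password
    tells us whether it still matches (e.g. after a rekey) while no
    plaintext is written anywhere.
    """
    env = parse_vault_envelope(text)
    _, key2, _ = derive_keys(password, env["salt"])
    expected = hmac.new(key2, env["ciphertext"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, env["hmac"])


def build_envelope(salt, mac, ciphertext, version="1.1", vault_id=None):
    """Lay out an envelope exactly as ansible-vault writes it."""
    header = "$ANSIBLE_VAULT;%s;AES256" % version
    if vault_id:
        header += ";" + vault_id
    inner = b"\n".join(binascii.hexlify(b) for b in (salt, mac, ciphertext))
    outer = binascii.hexlify(inner).decode("ascii")
    wrapped = [outer[i:i + LINE_WIDTH] for i in range(0, len(outer), LINE_WIDTH)]
    return "\n".join([header] + wrapped) + "\n"


def constructed_sample(password=b"vault-demo-password"):
    """Constructed test vector: fixed salt and placeholder ciphertext bytes
    (not real AES output), with a genuine HMAC so the password check works."""
    salt = bytes(range(SALT_LEN))
    ciphertext = b"\x00" * 32  # stand-in for AES-256-CTR output
    _, key2, _ = derive_keys(password, salt)
    mac = hmac.new(key2, ciphertext, hashlib.sha256).digest()
    return build_envelope(salt, mac, ciphertext)


if __name__ == "__main__":
    sample = constructed_sample()
    print(sample)
    print("sample is encrypted:", is_vault_encrypted(sample))
    print("plaintext is encrypted:", is_vault_encrypted("Hello, this is my secret file\n"))
    print("configured password matches:", password_opens_vault(sample, b"vault-demo-password"))
    print("stale password matches:", password_opens_vault(sample, b"old-password"))
```

Pointing is_vault_encrypted at every file under group_vars or host_vars that is supposed to hold secrets makes a cheap pre-commit check, and password_opens_vault lets a pipeline confirm its vault password file is still current without ever decrypting a secret to disk.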
Reset Ansible Vault Password
You can also reset or change the vault’s password. This is done using the rekey option in the ansible …