How do I encrypt sensitive data with Ansible Vault? How do I secure Ansible playbooks with Vault? How do I use Ansible Vault in my projects? This guide is written as a reference guide and cheat sheet for Ansible users who rely on Vault to keep data encrypted and secure when working on Ansible projects.

Ansible has become one of the most used and best-loved configuration management tools for developers and sysadmins of all kinds. Wider adoption brings security concerns. To keep sensitive information such as passwords or private keys safe, use Ansible Vault: it stores that data encrypted on disk, and the vault-encrypted data is decrypted automatically at runtime once the vault password is supplied.

Ansible is a requirement for this guide. Make sure Ansible is installed on your system; it provides the ansible-vault command-line tool used throughout this guide. Before you get started, set a default editor for Ansible Vault:

--- For Bash ---
$ echo "export EDITOR=vim" >> ~/.bashrc
$ source ~/.bashrc

--- For Zsh ---
$ echo "export EDITOR=vim" >> ~/.zshrc
$ source ~/.zshrc

Replace vim with your favorite editor.

Step 1: Install Ansible / Ansible Vault

The easiest way to install Ansible on Linux and most Unix systems is with the Python package manager, pip.

Install pip:

curl https://bootstrap.pypa.io/get-pip.py -o get-pip.py
python get-pip.py --user

Once pip has been installed, use it to install Ansible.

pip install --user ansible

Step 2: Using Ansible Vault

In this section, we’ll see many examples on how to use Ansible Vault. The ansible-vault command is used to manage encrypted content within Ansible. With it you create, edit, view and decrypt encrypted files.

Example 1: Create a new encrypted file

To create a new file that’s encrypted with Vault, use the create option and append the name of the file. For example, to create an encrypted YAML file called create_users.yml which will contain sensitive data, run:

$ ansible-vault create create_users.yml

You will be prompted to enter and confirm a secure password:

New Vault password: 
Confirm New Vault password:

Ansible will then open an editing window for you to input your desired contents.

Example 2: Encrypt existing file

For an existing file, use the ansible-vault encrypt command to encrypt it in place with a password.

$ echo "SecurePassword" > passwords.txt
$ ansible-vault encrypt passwords.txt
New Vault password: 
Confirm New Vault password: 
Encryption successful

This replaces the unencrypted file with its encrypted version.

$ cat passwords.txt
$ANSIBLE_VAULT;1.1;AES256
30653331363933343563396461623132623437636232373462646538333736666531333732353033
3134666133626361623330376534336632633462643233650a386137626561663938313463396236
63376166313530636461306636623638623835666263326431646333663665313563373766643039
6337393539396562360a643237346262353461303738663134383739366532613538653635383466
3634

Example 3: Edit encrypted file

To edit an encrypted file, use the ansible-vault edit command.

$ ansible-vault edit passwords.yml

This will ask you for the file's vault password.

Vault password:

Example 4: Update encryption password

You can change the vault password of an encrypted file at any time with the ansible-vault rekey command.

$ ansible-vault rekey create_users.yml
Vault password: 
New Vault password: 
Confirm New Vault password: 
Rekey successful

Enter the old password and then the new one when prompted. Once rekeyed, the file is accessible only with the new password.

Example 5: View Ansible encrypted file

You can view the contents of a vault-encrypted file without opening an editor by using the ansible-vault view command.

$ ansible-vault view create_users.yml

You will be asked for the vault password before the contents are displayed.

Vault password:
Secret information

Example 6: Decrypt Vault Encrypted Files

If you no longer need encryption, you can decrypt a vault-encrypted file with the ansible-vault decrypt command.

$ ansible-vault decrypt myfile.yml

Provide the file's vault password.

Vault password:
Decryption successful

After decryption you can see the actual contents of the file; note that it is now stored in clear text.

Example 7: Execute Ansible with Vault-Encrypted Files

Once you have encrypted your sensitive data, you will obviously want to run an Ansible playbook that references the encrypted data in some way. The ansible and ansible-playbook commands decrypt vault-protected files if the correct password is provided.

Using password prompt

For playbook execution, pass the --ask-vault-pass flag:

$ ansible-playbook --ask-vault-pass <vault-encrypted-playbook-file>.yaml

For Ansible 2.4 and later, you can use the --vault-id @prompt flag instead.

See the examples below.

$ ansible-playbook --ask-vault-pass -i hosts osp-pre.yml 
Vault password: 

PLAY [Run presetup on OSP nodes] ******************************************************************************************************************

TASK [Gathering Facts] ****************************************************************************************************************************
...................................................................................

or

$ ansible-playbook -i hosts osp-pre.yml --vault-id @prompt
Vault password (default): 

Using Password file

To avoid the interactive password prompt during playbook execution, use Ansible Vault with a password file.

Create the password file:

$ echo 'MyStrongVaulPassword' > .ansible_vault_pass

If you use a version control system such as git, add the .ansible_vault_pass file to the list of ignored files so it is never committed, and restrict its permissions so that only your user can read it.

$ echo '.ansible_vault_pass' >> .gitignore

Now reference the password file when running the ansible or ansible-playbook command:

$ ansible --vault-password-file=.ansible_vault_pass ...
$ ansible-playbook --vault-password-file=.ansible_vault_pass ....

Example:

$ ansible-playbook --vault-password-file=.ansible_vault_pass -i hosts osp-pre.yml 

PLAY [Run presetup on OSP nodes] ******************************************************************************************************************

TASK [Gathering Facts] ****************************************************************************************************************************

As seen above, there is no prompt for the vault password.

Set ANSIBLE_VAULT_PASSWORD_FILE Environment variable

If you prefer not to pass the password flag or use the interactive prompt, you can configure Ansible to read the password file automatically. This is done by setting the ANSIBLE_VAULT_PASSWORD_FILE environment variable to the path of the password file:

export ANSIBLE_VAULT_PASSWORD_FILE=./.ansible_vault_pass

To persist the configuration, set it in your local ansible.cfg file.

$ vim ansible.cfg

[defaults]
........
vault_password_file = ./.ansible_vault_pass

Ansible will then use the configured password file for all vault operations, including encrypt, create, edit, view and playbook runs.

Example 8: Encrypt only sensitive variables

In a collaborative automation setup, you will usually want to encrypt only the sensitive data, such as database passwords, API keys and user credentials, rather than whole variable files.

Create the encrypted variables file:

$ vim vars/vault.yml
vault_db_pass: MyStrongPassword

$ ansible-vault encrypt vars/vault.yml
New Vault password: 
Confirm New Vault password: 
Encryption successful

Confirm it is encrypted.

$ cat vars/vault.yml 
$ANSIBLE_VAULT;1.1;AES256
62383961353832333263356333356465633635633731393039303834623832626162613235343930
6238663730366237616639326233393361626639616136300a393665326434633438613436316630
61656261616132366436646434393833613064326531346631666630616535663535353038666135
3732333338313739340a656434633336666662393161393663303662616264643364313630383163
30643763323038396161316339663037353632626462626233363836346461656238393035623533
6531353930326133656165326130303661303965316464306330

Then define the other, unencrypted variables in a plain file and reference the vault-protected values from it.

$ vim vars/plain.yml
db_user: computingforgeeks
db_port: 3306
db_pass: "{{ vault_db_pass }}"

Note that we used Jinja2 templating to reference the variable defined in the vault-protected file.

Create the playbook file:

$ vim vault.yml
---
- name: Create users
  hosts: localhost
  tasks:
    - name: Include vars
      include_vars:
        dir: vars

    - name: Generate dummy variables data
      blockinfile:
        path: /tmp/vault
        # Literal block scalar (|) so the three lines are written as text,
        # not parsed as a nested YAML mapping
        block: |
          Database user: "{{ db_user }}"
          Database Port: "{{ db_port }}"
          Database Password: "{{ db_pass }}"

Run playbook:

$ ansible-playbook --connection=local vault.yml --ask-vault-pass

Vault password: 

PLAY [Create users] *******************************************************************************************************************************

TASK [Gathering Facts] ****************************************************************************************************************************
ok: [localhost]

TASK [Include vars] *******************************************************************************************************************************
ok: [localhost]

TASK [Generate dummy variables data] **************************************************************************************************************
changed: [localhost]

PLAY RECAP ****************************************************************************************************************************************
localhost                  : ok=3    changed=1    unreachable=0    failed=0   

Let's check the contents of the created file:

$ cat /tmp/vault

# BEGIN ANSIBLE MANAGED BLOCK
Database user: "computingforgeeks"
Database Port: "3306"
Database Password: "MyStrongPassword"
# END ANSIBLE MANAGED BLOCK
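The following guard script is an added example and not part of the original guide: it checks the password-file hygiene from the password-file section of Example 7 and the vault_ variable layout of Example 8 before a commit. It assumes the file names used in this guide (.ansible_vault_pass, .gitignore, vars/vault.yml) and needs only POSIX sh, grep, find and stat, not Ansible itself.

```shell
#!/bin/sh
# Added example, not part of the original guide: a pre-commit style guard for
# the layout used above (.ansible_vault_pass password file, vars/vault.yml
# holding vault_* variables, plain vars referencing them with {{ vault_* }}).
# It fails if the password file is readable by others or not git-ignored, or
# if any YAML file defines a vault_* variable without being vault-encrypted.

# is_vault_encrypted FILE: succeeds only if the first line is a vault header,
# which has the layout  $ANSIBLE_VAULT;<format version>;<cipher>[;<vault-id>]
is_vault_encrypted() {
    [ -f "$1" ] || return 1
    first=$(head -n 1 "$1")
    old_ifs=$IFS; IFS=';'; set -f; set -- $first; set +f; IFS=$old_ifs
    [ "$1" = '$ANSIBLE_VAULT' ] && [ "$3" = 'AES256' ]
}

# check_password_file FILE GITIGNORE: the file must exist, be mode 600 and be
# listed verbatim in the .gitignore so that it can never be committed.
check_password_file() {
    pf=$1; ignore=$2; rc=0
    [ -f "$pf" ] || { echo "missing password file $pf"; return 1; }
    mode=$(stat -c '%a' "$pf" 2>/dev/null || stat -f '%Lp' "$pf")
    [ "$mode" = 600 ] || { echo "$pf has mode $mode, expected 600"; rc=1; }
    grep -qxF "$(basename "$pf")" "$ignore" 2>/dev/null ||
        { echo "$pf is not listed in $ignore"; rc=1; }
    return $rc
}

# scan_for_leaks DIR: report every *.yml under DIR that defines a vault_*
# variable in clear text (paths are assumed to contain no whitespace).
scan_for_leaks() {
    rc=0
    for f in $(find "$1" -type f -name '*.yml'); do
        is_vault_encrypted "$f" && continue
        if grep -Eq '^vault_[A-Za-z0-9_]+:' "$f"; then
            echo "PLAINTEXT SECRET: $f"; rc=1
        fi
    done
    return $rc
}

# Usage from the project root; a non-zero exit status blocks the commit:
# check_password_file .ansible_vault_pass .gitignore && scan_for_leaks vars
```

Wire it into a git pre-commit hook so a plaintext vars/vault.yml or a world-readable password file never reaches the repository.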

Conclusion

In this guide, we demonstrated how you can use Ansible Vault to encrypt sensitive variables and data so you can safely share your projects without compromising security.
