Ansible is a configuration management tool. While working with Ansible, you can create various playbooks, inventory files, variable files, etc. Some of the files contain sensitive and important data like usernames and passwords. Ansible provides a feature named Ansible Vault that prevents this data from being exposed. It keeps passwords and other sensitive data in an encrypted file rather than in plain text files. It provides password-based authentication.
[ Editor Note: Ansible Vault is one tool that one might use, but not necessarily what most sysadmins run in production. Red Hat Ansible Automation Platform is enterprise-grade and it can also work with existing tools that most enterprises have. ]
Ansible Vault performs various operations. Specifically, it can:
- Encrypt a file
- Decrypt a file
- View an encrypted file without breaking the encryption
- Edit an encrypted file
- Create an encrypted file
- Generate or reset the encryption key
Create an encrypted file
The ansible-vault create command is used to create the encrypted file.
# ansible-vault create vault.yml
After you run this command, it prompts for a password and then opens an editor where you enter your content. To check that the file has been encrypted, use the cat command.
The following command is used to create encrypted files with the --vault-id option.
# ansible-vault create --vault-id password@prompt vault.yml
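The cat check described above can be automated. The following is an added example, not part of the original article: it reads the first line of each file and treats the file as encrypted only if that line is a vault header of the form `$ANSIBLE_VAULT;<version>;<cipher>`, where files created with a --vault-id label carry the label as a fourth field. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm that files meant to be vaulted are actually encrypted.
# A vault file starts with the header line
#   $ANSIBLE_VAULT;<format version>;<cipher>[;<vault ID label>]

# Print "version cipher label" for a vault file; fail if the header is absent.
# Runs in a subshell so the IFS and globbing changes do not leak to the caller.
vault_header() (
    first=$(head -n 1 "$1" 2>/dev/null) || exit 1
    case $first in
        '$ANSIBLE_VAULT;'*) ;;
        *) exit 1 ;;
    esac
    set -f; IFS=';'
    set -- $first            # $2=version $3=cipher $4=label (optional)
    [ -n "$2" ] && [ -n "$3" ] || exit 1
    printf '%s %s %s\n' "$2" "$3" "${4:-none}"
)

# Print each argument that is NOT vault-encrypted; return 1 if any is found.
# (find_plaintext is a hypothetical helper name, not an Ansible command.)
find_plaintext() {
    rc=0
    for f in "$@"; do
        if ! vault_header "$f" >/dev/null; then
            printf '%s\n' "$f"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample files; the "00000000" body is a placeholder, not ciphertext.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '%s\n' '$ANSIBLE_VAULT;1.1;AES256' '00000000' > "$demo_dir/vault.yml"
printf '%s\n' '$ANSIBLE_VAULT;1.2;AES256;password' '00000000' > "$demo_dir/labelled.yml"
printf '%s\n' 'p: example-value' > "$demo_dir/secret.yml"

for f in "$demo_dir"/*.yml; do
    if h=$(vault_header "$f"); then
        echo "encrypted: ${f##*/} ($h)"
    else
        echo "PLAINTEXT: ${f##*/}"
    fi
done
```

Run from a pre-commit hook or CI job with the list of files that must be vaulted, a non-zero return from find_plaintext can be used to block the change.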
Editing the encrypted file
If the file is encrypted and changes are required, use the edit command.
# ansible-vault edit secure.yml
Decrypting a file
The ansible-vault decrypt command is used to decrypt the encrypted file.
# ansible-vault decrypt secure.yml
Decrypt a running playbook
To decrypt vaulted content while a playbook is running, you usually have Ansible prompt for the vault password.
# ansible-playbook --ask-vault-pass email.yml
Reset the file password
Use the ansible-vault rekey command to reset the encrypted file password.
Here are the contents of the email.yml file:
---
- hosts: localhost
  vars_files: secret.yml   # vault-encrypted variables file, assumed to define p
  tasks:
    - name: Sending an email using Ansible
      mail:
        host: smtp.gmail.com
        port: 587
        username: 500069614@stu.upes.ac.in
        password: "{{ p }}"   # taken from the vaulted file, never stored in the playbook
        to: mrsarthak001@gmail.com
        subject: Email By Ansible
        body: Test successful
      delegate_to: localhost
Wrap up
In this article, you learned about Ansible Vault, which is an Ansible feature that helps you encrypt confidential information in a file without compromising security. You also learned about decrypting files, editing encrypted files, and resetting Ansible Vault passwords. This feature is especially useful if you have some confidential data that you want to secure and prevent from being publicly exposed.
Remember that Ansible Vault is generally viewed as a tool for junior-level sysadmins and is not considered to be enterprise-grade. For an enterprise solution, refer to Red Hat Ansible Automation Platform.
About the author
Sarthak Jain is a Pre-Final Year Computer Science undergraduate from the University of Petroleum and Energy Studies (UPES). He is a cloud and DevOps enthusiast who knows various DevOps tools and methodologies. Sarthak has also mentored more than 2,000 students regarding the latest tech trends through their community, Dot Questionmark.