Skip to main content

A brief introduction to Ansible Vault

Ansible Vault is an Ansible feature that helps you encrypt confidential information without compromising security.
A brief introduction to Ansible Vault
Image by Rick Bella from Pixabay

Ansible is a configuration management tool. While working with Ansible, you can create various playbooks, inventory files, variable files, etc. Some of the files contain sensitive and important data like usernames and passwords. Ansible provides a feature named Ansible Vault that prevents this data from being exposed. It keeps passwords and other sensitive data in an encrypted file rather than in plain text files. It provides password-based authentication.

[ Editor Note: Ansible Vault is one tool that one might use, but not necessarily what most sysadmins run in production. Red Hat Ansible Automation Platform is enterprise-grade and it can also work with existing tools that most enterprises have. ]

[ You might also enjoy: Handling secrets in your Ansible playbooks ]

Ansible Vault performs various operations. Specifically, it can

  • Encrypt a file
  • Decrypt a file
  • View an encrypted file without breaking the encryption
  • Edit an encrypted file
  • Create an encrypted file
  • Generate or reset the encrypted key

Create an encrypted file

The ansible-vault create command is used to create the encrypted file.

# ansible-vault create vault.yml

After typing this command, it will ask for a password and then ask where to put your content. To check that the file has been encrypted, use the cat command.

Create Vault

The following command is used to create encrypted files with --vault id.

# ansible-vault create --vault-id password@prompt vault.yml 
ID Create Vault

Editing the encrypted file

If the file is encrypted and changes are required, use the edit command.

# ansible-vault edit secure.yml


Editing the file

Decrypting a file

The ansible-vault decrypt command is used to decrypt the encrypted file.

# ansible-vault decrypt secure.yml

Decrypt a running playbook

To decrypt the playbook while it is running, you usually ask for its password.

# ansible-playbook --ask-vault-pass email.yml
Decrypt running playbook

Reset the file password

Use the ansible-vault rekey command to reset the encrypted file password.



Here is the email.yml file contents:

- hosts: localhost
  vars_files: secret.yml
  - name: Sending an email using Ansible
      port: 587
      password: "{{ p }}"
      subject: Email By Ansible
      body: Test successful
      delegate_to: localhost

[ Need more on Ansible? Take a free technical overview course from Red Hat. Ansible Essentials: Simplicity in Automation Technical Overview.

Wrap up

In this article, you learned about Ansible Vault, which is an Ansible feature that helps you encrypt confidential information in a file without compromising security. You also learned about decrypting files, editing encrypted files, and resetting Ansible Vault passwords. This feature is especially useful if you have some confidential data that you want to secure and prevent from being publicly exposed.

Remember that Ansible Vault is generally viewed as a tool for junior-level sysadmins and is not considered to be enterprise-grade. For an enterprise solution, refer to Red Hat Ansible Automation Platform.

Ansible Galaxy is a repository for Ansible Roles that are available to drop directly into your Playbooks to streamline your automation projects.
Topics:   Linux   Linux administration   Ansible  
Author’s photo

Sarthak Jain

Sarthak Jain is a Pre-Final Year Computer Science undergraduate from the University of Petroleum and Energy Studies (UPES). He is a cloud and DevOps enthusiast, knowing various tools and methodologies of DevOps. More about me

Try Red Hat Enterprise Linux

Download it at no charge from the Red Hat Developer program.