
Ansible Vault

Introduction

Ansible Vault is a feature of Ansible that encrypts sensitive data, such as passwords, API tokens and private keys, so that the encrypted files can be committed to source control alongside the playbooks that use them. Ansible decrypts the data at runtime when you supply the vault password, so secrets never have to sit in the repository in plaintext. Keep in mind that Vault protects the contents of a file, not its name or its existence, and that the security of everything in a vault rests entirely on the vault password.

Key Concepts

  • Encryption: The process of converting plaintext into ciphertext to prevent unauthorized access. Ansible Vault uses AES-256; the first line of every vault file is a header that records the format version and cipher, for example $ANSIBLE_VAULT;1.1;AES256.
  • Decryption: The process of converting ciphertext back into plaintext using the key derived from the vault password.
  • Vault Password: The password from which the encryption key is derived. Anyone who holds it can read every file encrypted with it, so it must be protected at least as carefully as the secrets themselves.
  • Vault ID: A label attached to a vault password (for example dev@~/.vault-dev.pass). It lets you encrypt different files or values with different passwords and tells Ansible which password to use when a play needs several of them. Files encrypted under a label use the 1.2 header format, which carries the label.

Usage

Creating a Vault

ansible-vault create secret.yml

This command prompts you for a password (twice, to confirm it) and then opens the file in your default editor so you can enter the secret data. The plaintext only ever exists in the editor's temporary file; on save, ansible-vault writes the encrypted result to secret.yml.

Editing a Vault

ansible-vault edit secret.yml

Use this command to modify the contents of an existing vault file.

Encrypting an Existing File

ansible-vault encrypt myfile.yml

This command encrypts an existing file in place: the plaintext is overwritten with the vault envelope. Remember that if the plaintext version was ever committed, it remains in the repository history and the secrets it contained should be rotated.

Decrypting a Vault

ansible-vault decrypt secret.yml

Use this command to permanently decrypt a vault file, writing the plaintext back to disk. This is rarely what you want on a working copy: to read a vault without leaving plaintext on disk, use ansible-vault view secret.yml instead, and never commit the decrypted result.

Using Vault in Playbooks

- hosts: all
  tasks:
    - name: Include secrets
      # secret.yml is vault-encrypted; Ansible detects the header and decrypts it
      # when the play runs, so the password must be supplied on the command line
      include_vars: secret.yml

Nothing in the playbook marks the file as encrypted; Ansible recognises the vault header when it loads the file. You supply the password when running the play, with --ask-vault-pass, --vault-password-file, or --vault-id, for example: ansible-playbook --ask-vault-pass site.yml.
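The commands above form one workflow. The script below, added here as an example and not taken from the original page or from the Ansible project, runs that workflow non-interactively the way a CI job would: it encrypts a file under a vault ID, checks the header, reads the file without decrypting it on disk, rotates the password with rekey, confirms the old password no longer works, and finally consumes the file from a playbook. It assumes ansible-vault and ansible-playbook are on PATH; the "dev" label, the file names and the passwords are made up for the demo.

```shell
#!/bin/sh
# Added example, not code from the original page or from the Ansible project.
# Assumptions: ansible-vault and ansible-playbook are installed; the "dev"
# vault-id label, file names and passwords below are invented for this demo.
set -eu

# Print the vault-id label from a vault file's header line.
# Format 1.1 has no label ("$ANSIBLE_VAULT;1.1;AES256"); format 1.2 appends it
# ("$ANSIBLE_VAULT;1.2;AES256;dev"). Returns 1 if the file is not a vault file.
vault_label() {
  local first
  IFS= read -r first < "$1" || true
  case "$first" in
    '$ANSIBLE_VAULT;'*) printf '%s\n' "$first" | cut -d';' -f4 ;;
    *) return 1 ;;
  esac
}

# Encrypt, view, rekey and use a vault file; returns 0 only if every step
# behaved as expected (including the old password being rejected after rekey).
vault_roundtrip() {
  local work
  work="$(mktemp -d)"

  # Password files live outside the repository, readable only by the owner.
  printf '%s\n' 'dev-vault-pass-demo'    > "$work/dev.pass"
  printf '%s\n' 'dev-vault-pass-rotated' > "$work/dev-new.pass"
  chmod 600 "$work/dev.pass" "$work/dev-new.pass"

  # 1. Plaintext in, ciphertext out (in place) under the "dev" vault ID.
  printf 'db_password: s3cret-demo-value\n' > "$work/secret.yml"
  ansible-vault encrypt --vault-id "dev@$work/dev.pass" "$work/secret.yml"
  [ "$(vault_label "$work/secret.yml")" = "dev" ] || { echo "unexpected header" >&2; return 1; }

  # 2. Read it without writing plaintext back to disk (view, not decrypt).
  ansible-vault view --vault-id "dev@$work/dev.pass" "$work/secret.yml" | grep '^db_password:' >/dev/null

  # 3. Rotate the password: rekey decrypts with the old ID, re-encrypts with the new.
  ansible-vault rekey --vault-id "dev@$work/dev.pass" \
      --new-vault-id "dev@$work/dev-new.pass" "$work/secret.yml"

  # 4. The old password must now fail and the new one must work.
  if ansible-vault view --vault-id "dev@$work/dev.pass" "$work/secret.yml" >/dev/null 2>&1; then
    echo "old password still decrypts after rekey" >&2
    return 1
  fi
  ansible-vault view --vault-id "dev@$work/dev-new.pass" "$work/secret.yml" >/dev/null

  # 5. Consume the vault from a playbook; the same --vault-id flag feeds ansible-playbook.
  cat > "$work/site.yml" <<'EOF'
- hosts: localhost
  connection: local
  gather_facts: false
  tasks:
    - name: Load the vaulted variables
      include_vars: secret.yml
    - name: Prove the secret is available (no_log keeps it out of the log)
      assert:
        that: db_password is defined
      no_log: true
EOF
  ansible-playbook --vault-id "dev@$work/dev-new.pass" "$work/site.yml" >/dev/null
  rm -rf "$work"
}

if command -v ansible-vault >/dev/null 2>&1 && command -v ansible-playbook >/dev/null 2>&1; then
  vault_roundtrip
  echo "vault round-trip OK"
else
  echo "ansible-vault not installed; skipping the live round-trip" >&2
fi
```

The label check after step 1 is the cheap sanity test worth keeping in CI: a file that should be vaulted but starts with anything other than $ANSIBLE_VAULT; is plaintext, whatever its name says.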

Best Practices

  • Encrypt every secret your playbooks use, and never commit a plaintext secret "just for now": once pushed it stays in the repository history even after you encrypt the file.
  • Store vault passwords outside the repository, for example in a password manager or a secret store. If you keep a password file on disk, restrict it to the owner (mode 600) and make sure it is never committed.
  • Use vault IDs to keep separate passwords for separate environments (for example dev and prod), so that someone with the dev password cannot read production secrets.
  • Rotate vault passwords regularly and whenever one may have leaked; ansible-vault rekey re-encrypts a file under a new password in one step. Rotating the password does not undo an exposure of the old ciphertext, so after a compromise rotate the secrets inside the vault as well.
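The first practice above is easy to state and easy to break by accident. The script below, added here as an example and not taken from the original page or from the Ansible project, is a git pre-commit hook that refuses to commit a secrets file unless its first line is the vault header. It assumes a naming convention for secret-bearing files (vault.yml, vault_*.yml, or anything under a vault/ directory); adjust the pattern to your own layout.

```shell
#!/bin/sh
# Added example, not code from the original page or from the Ansible project.
# Assumption: files that must be encrypted follow a naming convention
# (vault.yml, vault_*.yml, or any path under a vault/ directory).
set -eu

# Does the path match the convention for files that must be encrypted?
is_secret_path() {
  case "$1" in
    vault.yml|*/vault.yml|vault_*.yml|*/vault_*.yml|vault/*|*/vault/*) return 0 ;;
    *) return 1 ;;
  esac
}

# A vault file starts with the $ANSIBLE_VAULT header on its first line;
# anything else is plaintext no matter what the file is called.
is_vault_encrypted() {
  head -n 1 "$1" | grep -q '^\$ANSIBLE_VAULT;'
}

# Print every argument that should be encrypted but is not; return 1 if any.
find_plaintext_secrets() {
  local rc f
  rc=0
  for f in "$@"; do
    [ -f "$f" ] || continue          # deleted or missing files: nothing to check
    is_secret_path "$f" || continue  # not a secrets file by convention
    if ! is_vault_encrypted "$f"; then
      printf '%s\n' "$f"
      rc=1
    fi
  done
  return $rc
}

# Entry point: check the paths given on the command line. To use it as a hook,
# put this in .git/hooks/pre-commit:
#   exec sh check-vault.sh $(git diff --cached --name-only --diff-filter=ACM)
# (unquoted on purpose so each staged path becomes one argument; paths with
# spaces would need a NUL-separated listing instead).
if [ "$#" -gt 0 ]; then
  if ! find_plaintext_secrets "$@"; then
    echo "refusing to commit unencrypted secrets; run: ansible-vault encrypt <file>" >&2
    exit 1
  fi
fi
```

The check is deliberately about the header rather than the file contents: a plaintext file that happens to contain no obvious password can still be a secret, and the header is the one thing every vault-encrypted file has.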

FAQ

What happens if I forget my vault password?

If you forget your vault password, you cannot decrypt the files encrypted with it. There is no recovery mechanism or master key: the AES-256 key is derived from the password alone, so a lost password means lost data unless you still have the plaintext elsewhere. Store vault passwords in a password manager or secret store, and keep a way for more than one trusted person to reach them.

Can I use Ansible Vault with other file types?

Yes. ansible-vault encrypts the bytes of any file, so certificates, SSH keys or binary blobs can be vaulted just like YAML; the copy module decrypts such files on the fly when it delivers them to a host. Only files that Ansible loads as variables (include_vars, vars_files, group_vars/ and host_vars/) need to contain YAML. If you would rather keep a variables file readable in diffs, ansible-vault encrypt_string encrypts a single value that you paste into an otherwise plaintext YAML file.

How can I automate the vault password entry?

You can use a vault password file by passing it with the --vault-password-file option (or --vault-id label@file when you have several) when running Ansible commands, or by setting the ANSIBLE_VAULT_PASSWORD_FILE environment variable. The file is itself a plaintext secret, so keep it outside the repository with owner-only permissions and never commit it. If the file is executable, Ansible runs it and uses its standard output as the password, which lets a script fetch the password from a secret manager or keyring at run time instead of storing it on disk.

Workflow Diagram

graph TD;
    A[Create Vault] --> B[Encrypt Data];
    B --> C[Store in SCM];
    C --> D[Use in Playbooks];
    D --> E[Decrypt at Runtime];