Table of Contents
In this article, i will take you through 15 ansible-vault command examples to encrypt and decrypt sensitive data/files on Linux. Vault is a special feature in Ansible implemented using ansible-vault tool to encrypt all the sensitive information like password, variable, data and any other information you want to protect. This tool is frequently used to protect Ansible Playbook files and data. It used 256 bit AES algorithm to encrypt the data. There are various options that you can use with ansible-vault tool to apply the encryption/decryption which you will see in great detail in below given examples.
SYNOPSIS
usage: ansible-vault [-h] [--version] [-v]
{create,decrypt,edit,view,encrypt,encrypt_string,rekey}
ansible-vault command examples to encrypt and decrypt sensitive data/files on Linux
Also Read: 25 Simple and Easy Crontab Command Examples to Schedule Cron Jobs on Linux
Example 1: How to Install ansible-vault on Linux
Before using ansible-vault tool, you need to first install it in your Server. Depending on Linux version, you need to use different method to install as shown below.
On RHEL/CentOS 7
[root@localhost ~]# yum install ansible -y
On RHEL/CentOS 8
[root@localhost ~]# dnf install ansible -y
On Ubuntu 20.04
[root@localhost ~]# apt install ansible -y
NOTE:
root
user to run all the below commands. You can use any user with sudo
access to run all these commands. For more information Please check Step by Step: How to Add User to Sudoers to provide sudo
access to the User.Example 2: How to check the version of ansible-vault command on Linux
If you want to check the ansible-vault command version then you need to use ansible-vault --version
command as shown below. As shown below, current ansible-vault version is 2.9.10
.
[root@localhost ~]# ansible-vault --version ansible-vault 2.9.10 config file = /etc/ansible/ansible.cfg configured module search path = [u'/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules'] ansible python module location = /usr/lib/python2.7/site-packages/ansible executable location = /usr/bin/ansible-vault python version = 2.7.5 (default, Apr 2 2020, 13:16:51) [GCC 4.8.5 20150623 (Red Hat 4.8.5-39)]
Example 3: How to Create an Encrypted File Using ansible-vault command
If you want to encrypt a file then you need to use below ansible-vault command. In this example, we are encrypting secrets.yml file using ansible-vault create secrets.yml command as shown below. Here it will ask for a new vault password to encrypt the file. This password will be later used to decrypt the file as well hence it is important to remember this password.
[root@localhost ~]# ansible-vault create secrets.yml New Vault password: Confirm New Vault password:
create: create and open a file in an editor that will be encrypted with the provided vault secret when closed. More on ansible-vault command Man Page.
Example 4: How to View an Encrypted File in Ansible using ansible-vault
If you want to view the contents of an encrypted file then you need to use below ansible-vault command. In this example, we are viewing the contents of secrets.yml file using ansible-vault view secrets.yml
command. It will ask you to provide the Vault password which you have set during the time of file encryption.
[root@localhost ~]# ansible-vault view secrets.yml Vault password: Hi, This is my secret
view: open, decrypt and view an existing vaulted file using a pager using the supplied vault secret. More on ansible-vault command Man Page.
Example 5: How to Encrypt a Text File in Ansible using ansible-vault command
Let's say I have a text file file.txt
which has a single line of content "This is from CyberITHub"
as shown below.
[root@localhost ~]# cat file.txt This is from CyberITHub
Now I need to encrypt this file using ansible-vault command. This can be easily done by running ansible-vault encrypt file.txt
command as shown below.
[root@localhost ~]# ansible-vault encrypt file.txt New Vault password: Confirm New Vault password: Encryption successful
encrypt: encrypt the supplied file using the provided vault secret. More on ansible-vault Man Page.
If you again check the contents of file.txt
after encryption then you will see the content in the encrypted form as shown below.
[root@localhost ~]# cat file.txt $ANSIBLE_VAULT;1.1;AES256 39316231356664613363333761366238386633323462633539313335313337613836653037303263 6463343230313364333130636639343862333032306465300a313664353036303234363831363233 65323664396164646163643862373165663339636163346561656232623231633132663132346565 3031633239336533300a303832653638346130353834376131313162356265666436306639643738 66306134313335366466313437386463626538373363383738623938656162663731
As you can see from above output vault version that supports the vault ID is 1.1
and the algorithm used for encryption is 256 bits AES Cipher represented by AES256
. It is known to be the strongest algorithm currently in use to secure the sensitive files and data.
Example 6: How to Decrypt an encrypted File in Ansible Using ansible-vault
Similarly, if you want to decrypt an encrypted file using ansible-vault command then you perform that activity as well. Below is our encrypted file which needs to be decrypted.
[root@localhost ~]# cat file.txt $ANSIBLE_VAULT;1.1;AES256 39316231356664613363333761366238386633323462633539313335313337613836653037303263 6463343230313364333130636639343862333032306465300a313664353036303234363831363233 65323664396164646163643862373165663339636163346561656232623231633132663132346565 3031633239336533300a303832653638346130353834376131313162356265666436306639643738 66306134313335366466313437386463626538373363383738623938656162663731
So to decrypt the file you need to use ansible-vault decrypt file.txt
command as shown below.
[root@localhost ~]# ansible-vault decrypt file.txt Vault password: Decryption successful
decrypt: decrypt the supplied file using the provided vault secret. More on ansible-vault Man Page.
If you check the content of file.txt
file again then you can see it is now decrypted to plain text as shown below.
[root@localhost ~]# cat file.txt This is from CyberITHub
Example 7: How to Encrypt a Playbook File in Ansible using ansible-vault command
You can also use ansible-vault to encrypt the playbook file as shown below. We have sample playbook.yml
file here.
[root@localhost ~]# cat playbook.yml --- - name: Update NTP Packages hosts: App Servers remote_user: root tasks: - name: Update NTP Version to Latest Version yum: name: ntpd state: latest - name: Provide NTP Configuration template: src: /var/ntp.detail dest: /etc/ntpd.conf
Here we are encrypting the playbook.yml file using ansible-vault encrypt playbook.yml
command as shown below.
[root@localhost ~]# ansible-vault encrypt playbook.yml New Vault password: Confirm New Vault password: Encryption successful
Once it is encrypted, you can check the contents of playbook.yml file using cat playbook.yml command. You can see from the output that entire content is now encrypted.
[root@localhost ~]# cat playbook.yml $ANSIBLE_VAULT;1.1;AES256 63663861323831313730336337386530616538653337356435386638386231383232346433386539 6463343466313861336435353439303665363335343563620a353166646333363562346630383236 66323531366639656166613264316663333763356636653438613033303165636662636661393332 3830306161306135320a363438383631323732666462386432373063333631643065313039363966 65353539306439303934643832306662396335303937626561393763336462386533666264636663 66653630363839323338343462306338346134386538383464303462663438653833323534633965 63643839393765356438396131353366316638636363356130663939383366626564363233306232 61366331306261343236653164396530663366306663356665346433343431363464306230383066 34333361653161386462653335623335623762386632316335666661343061363532396239613936 34633532353138383565333230633935633930303932316566666165373931633961373763306162 39386435333437373338366131373438643237356566633531616465653433383065313633663039 30333632353165343337623537366431303937313137663836653165376234356462323561316665 65626130613539376136653361333333336232376239633165363163613231306134656332663963 30353439303134386330383635303938336637383336303439326435363635323732393939326232 64656630326131363764396636613139356436643731666666613964663032323163343035626262 31356539323366306563306637626363303739373831363237323836396631353733646365393163 34643434663235313565333839666336653763363965316535333332333164353463626562656266 6566373930623836633364616234626461313236663139356166
ansible-vault tool provides multiple options with encryption feature. One of the option is --ask-vault-pass
option which will prompt for the vault password to set for encryption. By default also you will get the password prompt.
[root@localhost ~]# ansible-vault encrypt playbook.yml --ask-vault-pass New Vault password: Confirm New Vault password: Encryption successful
Another useful option you can use is --vault-id
to provide a valid identity during encryption.
[root@localhost ~]# ansible-vault encrypt --vault-id file@prompt playbook.yml New vault password (file): Confirm new vault password (file): Encryption successful
If you want to provide vault password through a file instead of giving through prompt then you need to use --vault-password-file
option as shown below.
[root@localhost ~]# ansible-vault encrypt --vault-password-file pass.txt playbook.yml Encryption successful
Example 8: How to decrypt a Playbook File Using ansible-vault
If you want to decrypt the previous example file at the destination server then you can do that by using same ansible-vault command line tool. As you can see currently playbook.yml
file is currently in encrypted form.
[root@localhost ~]# cat playbook.yml $ANSIBLE_VAULT;1.1;AES256 63663861323831313730336337386530616538653337356435386638386231383232346433386539 6463343466313861336435353439303665363335343563620a353166646333363562346630383236 66323531366639656166613264316663333763356636653438613033303165636662636661393332 3830306161306135320a363438383631323732666462386432373063333631643065313039363966 65353539306439303934643832306662396335303937626561393763336462386533666264636663 66653630363839323338343462306338346134386538383464303462663438653833323534633965 63643839393765356438396131353366316638636363356130663939383366626564363233306232 61366331306261343236653164396530663366306663356665346433343431363464306230383066 34333361653161386462653335623335623762386632316335666661343061363532396239613936 34633532353138383565333230633935633930303932316566666165373931633961373763306162 39386435333437373338366131373438643237356566633531616465653433383065313633663039 30333632353165343337623537366431303937313137663836653165376234356462323561316665 65626130613539376136653361333333336232376239633165363163613231306134656332663963 30353439303134386330383635303938336637383336303439326435363635323732393939326232 64656630326131363764396636613139356436643731666666613964663032323163343035626262 31356539323366306563306637626363303739373831363237323836396631353733646365393163 34643434663235313565333839666336653763363965316535333332333164353463626562656266 6566373930623836633364616234626461313236663139356166
So to decrypt this file you need to use ansible-vault decrypt playbook.yml
command as shown below. Here you need to provide the vault password which you have given during encryption to decrypt the file.
[root@localhost ~]# ansible-vault decrypt playbook.yml Vault password: Decryption successful
Once the correct password is given you can see the decrypted file using cat playbook.yml
command as shown below.
[root@localhost ~]# cat playbook.yml --- - name: Update NTP Packages hosts: App Servers remote_user: root tasks: - name: Update NTP Version to Latest Version yum: name: ntpd state: latest - name: Provide NTP Configuration template: src: /var/ntp.detail dest: /etc/ntpd.conf
Example 9: How to Change the Playbook Password using ansible-vault
If you want to change the Vault password of a playbook file then you need to use below ansible-vault command. In this example, we are changing the vault password of secrets.yml
file using ansible-vault rekey secrets.yml
command as shown below. This step requires you to provide current vault password. Without providing current vault password you won't able to provide the new password.
[root@localhost ~]# ansible-vault rekey secrets.yml Vault password: New Vault password: Confirm New Vault password: Rekey successful
rekey: re-encrypt a vaulted file with a new secret, the previous secret is required. More on ansible-vault Man Page.
Example 10: How to Edit an Encrypted File in Ansible using ansible-vault
If you want to edit a file after encryption then you need to use below ansible-vault command. In this example, we are editing secrets.yml file using ansible-vault edit secrets.yml
command as shown below.
[root@localhost ~]# ansible-vault edit secrets.yml Vault password: Hi, This is my secret
edit: open and decrypt an existing vaulted file in an editor, that will be encrypted again when closed. More on ansible-vault Man Page.
Example 11: How to Encrypt String in Ansible using ansible-vault command
Like files, you can also encrypt variables or strings using ansible-vault command. In this example we are trying to encrypt a string "This is from CyberITHub"
using ansible-vault encrypt string command as shown below.
[root@localhost ~]# ansible-vault encrypt_string New Vault password: Confirm New Vault password: Reading plaintext input from stdin. (ctrl-d to end input) This is from CyberITHub !vault | $ANSIBLE_VAULT;1.1;AES256 64663038623134353439356139323966653732366138626266353933373031353362306232343838 6338316338616330663537663735663764343436386662350a326566666364636138356461643336 38333337613963383934616264313836356434656265623438393161346163363264666232336334 6331646162316437660a363831613631636439353232303265323935306237313931303861393930 30393534353332326137666462613436643761396364653032393666326563383764 Encryption successful
You can use other parameters with encrypt_string like --vault-password-file
to pass the password from a file to encrypt a string.
[root@localhost ~]# ansible-vault encrypt_string --vault-password-file pass.txt 'secret_pass' --name 'secret' secret: !vault | $ANSIBLE_VAULT;1.1;AES256 34656530313633666438656430383031363031633332656261343237613035316231333632643230 3637366239306534303636643736376439353262626337370a306631613164323364373161303930 38336661393365393431623332383335363965626466653966323439363237623037356539393437 6130616662373237310a653138323134643130373162343962363262336461626138323336663634 3462 Encryption successful
Example 12: How to Change output File Name for Encrypt/Decrypt
If you want to change the output file name for encryption or decryption then you need to use --output option as shown below. In this example we are encrypting playbook.yml
with different file name playbook2.yml
using ansible-vault encrypt playbook.yml --output playbook2.yml
command as shown below. This method is used when you want to save the original file as it is and create encrypted output in another file.
[root@localhost ~]# ansible-vault encrypt playbook.yml --output playbook2.yml New Vault password: Confirm New Vault password: Encryption successful [root@localhost ~]# ls -lrt playbook playbook2.yml playbook.yml
Now if you check the source file again then you can see it is not encrypted and is still in text form.
[root@localhost ~]# cat playbook.yml --- - name: Update NTP Packages hosts: App Servers remote_user: root tasks: - name: Update NTP Version to Latest Version yum: name: ntpd state: latest - name: Provide NTP Configuration template: src: /var/ntp.detail dest: /etc/ntpd.conf
But if you check the output file playbook2.xml
then you can see here the encrypted output of playbook.xml
file.
[root@localhost ~]# cat playbook2.yml $ANSIBLE_VAULT;1.1;AES256 36656361363366363437363230633931633936323164623337643936633838346132316264303838 3265623531326162663737383131306531326334313534630a313131336466383238636365336637 38646430616464386436393134623164303364633933646537363564666633333536646234353339 6239363737353333340a356131363239613832323731363631643332373562326634626366353936 64396430393862623566323236313362303838623539316636373034616630376136393966313433 63396239333232383835636138626339393330633935326339373566323633383539303038666665 35613738643331336532343163616238373431613530626439653665653634366466366662376333 61353131343439303433383737383365303933343861313362323264623437333162393061646637 30666234386132623366653935336532653963666462303636333064313162653534323033643434 35383065356432333662333638353336343734323665376363323266626130653936386530633431 64353266653430613837373733306335653336396162366663666432386163626638376162306362 37353434343934613435356665333732653436623361626662383035613164653734643961343935 37613966636537376166353765343036323530353134316565663630366631623462396665333864 66653461353235633136383264303766633865653435643061666538333066336264373630343538 35316264313431363531393934383632356630653364633061393236396162343538353638646461 63366638376365633336363636616261323764313365393137373337623764383862313830343436 39353730383139313031366530363930656534626363646665636638373666363836396432616534 6430613161643033396436366561303762623566636336383537
Example 13: How to Use Verbose Option with Encryption/Decryption
If you want to see the backend operations performed by ansible-vault command then you need to use verbose(-v)
option with encryption/decryption as shown below.
[root@localhost ~]# ansible-vault encrypt playbook.yml -v --output playbook2.yml Using /etc/ansible/ansible.cfg as config file New Vault password: Confirm New Vault password: Encryption successful
-v : verbose mode. More on ansible-vault Man Page.
You can also check the default value set in the ansible configuration file using vi /etc/ansible/ansible.cfg
as shown below.
[root@localhost ~]# vi /etc/ansible/ansible.cfg # config file for ansible -- https://ansible.com/ # =============================================== # nearly all parameters can be overridden in ansible-playbook # or with command line flags. ansible will read ANSIBLE_CONFIG, # ansible.cfg in the current working directory, .ansible.cfg in # the home directory or /etc/ansible/ansible.cfg, whichever it # finds first [defaults] # some basic default values... #inventory = /etc/ansible/hosts #library = /usr/share/my_modules/ #module_utils = /usr/share/my_module_utils/ #remote_tmp = ~/.ansible/tmp #local_tmp = ~/.ansible/tmp #plugin_filters_cfg = /etc/ansible/plugin_filters.yml #forks = 5 #poll_interval = 15 #sudo_user = root #ask_sudo_pass = True #ask_pass = True #transport = smart #remote_port = 22 #module_lang = C #module_set_locale = False
Example 14: How to Check all the options available with ansible-vault command
If you want to check all the options available with ansible-vault command then you need to use ansible-vault --help
command as shown below.
[root@localhost ~]# ansible-vault --help usage: ansible-vault [-h] [--version] [-v] {create,decrypt,edit,view,encrypt,encrypt_string,rekey} ... encryption/decryption utility for Ansible data files positional arguments: {create,decrypt,edit,view,encrypt,encrypt_string,rekey} create Create new vault encrypted file decrypt Decrypt vault encrypted file edit Edit vault encrypted file view View vault encrypted file encrypt Encrypt YAML file encrypt_string Encrypt a string rekey Re-key a vault encrypted file optional arguments: --version show program's version number, config file location, configured module search path, module location, executable location and exit
Example 15: How to Check the Man Page of ansible-vault command
If you want to check the man page of ansible-vault command then you need to use man ansible-vault
command as shown below.
[root@localhost ~]# man ansible-vault ANSIBLE-VAULT(1) System administration commands ANSIBLE-VAULT(1) NAME ansible-vault - encryption/decryption utility for Ansible data files SYNOPSIS usage: ansible-vault [-h] [--version] [-v] {create,decrypt,edit,view,encrypt,encrypt_string,rekey} DESCRIPTION can encrypt any structured data file used by Ansible. This can include group_vars/ or host_vars/ inventory variables, variables loaded by include_vars or vars_files, or variable files passed on the ansible-playbook command line with -e @file.yml or -e @file.json. Role variables and defaults are also included! Because Ansible tasks, handlers, and other objects are data, these can also be encrypted with vault. If you'd like to not expose what variables you are using, you can keep an individual task file entirely encrypted. COMMON OPTIONS --version show program's version number, config file location, configured module search path, module location, executable location and exit -h, --help show this help message and exit -v, --verbose verbose mode (-vvv for more, -vvvv to enable connection debugging)
Popular Recommendations:-
Solved: nrpe.service: main process exited, code=exited, status=2/INVALIDARGUMENT
C# data types with Best Examples (.NET v4.7)
How to Transfer Files to an AWS EC2 Instance Using WinSCP in 3 Easy Steps
Learn HTML Image Maps(v5) with Best Examples
Learn HTML Tables(v5) with Best Examples
How to Install PHP on RedHat/CentOS 7 with Easy Steps