15. Ansible Vault

15.1. How to store sensitive data

  • keeping sensitive data such as passwords or keys in encrypted files
  • ansible-vault is used to manage encrypted files
  • use the command line flag --ask-vault-pass with ansible and ansible-playbook
  • you can point to a file containing your password with --vault-password-file

Hint

You can also specify the location of the password file in ansible.cfg (vault_password_file in the [defaults] section).

15.1.1. What Can Be Encrypted

  • any structured data file used by Ansible can be encrypted

    • group_vars
    • host_vars
    • inventory variables
    • include_vars
    • vars_files
    • role variables / default
  • Ansible tasks, handlers, etc. are also data, so these can be encrypted with vault as well

15.1.2. How to use ansible-vault

# create a new vault group variable file
ansible-vault create vault.yml

# decrypt a vault file
ansible-vault decrypt vault.yml

# edit a vault file
ansible-vault edit vault.yml

# encrypt a file
ansible-vault encrypt vault.yml

# view an encrypted vault file
ansible-vault view vault.yml

# change the password for a vault file
ansible-vault rekey vault.yml

To run a playbook that uses encrypted files, use the option --ask-vault-pass (or --vault-password-file).

# run a playbook and ask for the vault password
ansible-playbook play.yml --ask-vault-pass

Hint

Install the cryptography package to speed up vault operations.

Hint

Set "no_log: true" on tasks that handle vault values, so that the decrypted content does not end up in the output or in log files.

15.1.3. Encrypt a string

  • it's also possible to encrypt only a single string instead of the whole file; the resulting !vault block can be pasted directly into a YAML variable file

ansible-vault encrypt_string
New Vault password:
Confirm New Vault password:
Reading plaintext input from stdin. (ctrl-d to end input)
mypassword
!vault |
      $ANSIBLE_VAULT;1.1;AES256
      33353164326334623734376262663532643238653232623666383035336134626137363233646661
      6635353632633765333436333137393636636131323938330a656464643666386666303338316138
      35373864373865343830663363663066346435616434356266383265613964623563373063656135
      6566396333663537370a396338613738613139343631323266393339346338623935323763306462
      6532
Encryption successful

15.1.4. Layer of indirection

  • For every sensitive variable, you should create a prefixed duplicate that goes in an encrypted file. See Ansible Docs
  • if you search for a variable with grep or other tools, you will still find its definition in the plain vars file, and that definition points you to the encrypted vault variable

# file: group_vars/web/vars.yml
---
web_password: '{{ vault_web_password }}'

# file: group_vars/web/vault.yml
---
vault_web_password: 'myStrongPassword'

# encrypt the vault.yml
ansible-vault encrypt vault.yml
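A check a practitioner would add as a pre-commit hook for this layout, written here as an added example rather than code from the original page: it verifies that a vault.yml is really vault-encrypted (header line followed by hex-only lines, as shown in 15.1.3) and that every variable in vars.yml is a reference to a vault_-prefixed duplicate. The sample file contents are constructed for the example and are not real ciphertext; the function names are my own.

```python
import re

# Vault header: "$ANSIBLE_VAULT;1.1;AES256", or 1.2 with a vault-id label appended.
VAULT_HEADER = re.compile(r"^\$ANSIBLE_VAULT;1\.[12];AES256(;[\w-]+)?$")
HEX_LINE = re.compile(r"^[0-9a-f]+$")

def is_vault_encrypted(text: str) -> bool:
    """True if the content looks like ansible-vault output: header plus hex-only body."""
    lines = [line.strip() for line in text.strip().splitlines()]
    if not lines or not VAULT_HEADER.match(lines[0]):
        return False
    body = lines[1:]
    return bool(body) and all(HEX_LINE.match(line) for line in body)

def unresolved_secrets(vars_text: str) -> list[str]:
    """Variables in a vars file whose value is not '{{ vault_<same name> }}'."""
    bad = []
    for line in vars_text.splitlines():
        m = re.match(r"^(\w+):\s*(.*)$", line)   # skips '---' and comment lines
        if not m:
            continue
        name, value = m.groups()
        ref = re.fullmatch(r"['\"]?\{\{\s*vault_(\w+)\s*\}\}['\"]?", value.strip())
        if not ref or ref.group(1) != name:      # literal value, or wrong vault_ name
            bad.append(name)
    return bad

def check_layout(vars_text: str, vault_text: str) -> list[str]:
    """Findings a pre-commit hook would report for one vars.yml / vault.yml pair."""
    findings = []
    if not is_vault_encrypted(vault_text):
        findings.append("vault.yml is not encrypted, run: ansible-vault encrypt vault.yml")
    for name in unresolved_secrets(vars_text):
        findings.append(f"{name} does not reference vault_{name}")
    return findings

# Constructed samples: an encrypted vault.yml, one that was forgotten in plaintext,
# and a vars.yml where one secret was pasted in directly and one points at the wrong name.
ENCRYPTED_VAULT = "$ANSIBLE_VAULT;1.1;AES256\n3335316432633462\n6635353632633765\n"
PLAINTEXT_VAULT = "---\nvault_web_password: 'myStrongPassword'\n"
VARS_FILE = ("---\nweb_password: '{{ vault_web_password }}'\n"
             "db_password: 'hunter2'\napi_key: '{{ vault_token }}'\n")

if __name__ == "__main__":
    for finding in check_layout(VARS_FILE, PLAINTEXT_VAULT):
        print(finding)
```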