[Ansible] – How to work with encrypted data?

The ansible-vault command will be used to work with encryption and decryption of files. Following an example.

$ansible-vault create myencryptedfile.yml 
New Vault password:password 
Confirm New Vault password:password
$ansible-vault create <file> To create an encrypted file
$ansible-vault view <file> To view the content of the file
$ansible-vault edit <file>
 To edit the content of the file
$ansible-vault rekey <file>  To change the encryption password
$ansible-vault decrypt <file> –output=<new-file>  To decrypt a file
$ansible-vault encrypt <file> –output=<encrypted-file> To encrypt a file

See more about it in the Ansible docs.

How to use the vault/encrypted data in the playbooks?

Following an example of a playbook implementation to use the encrypted file.

  - user: allan
    pwd: user1
  - user: camila
    pwd: user2
- name: Example with vault files
  hosts: all
    - vars/employees.yml # Here is the encrypted data 
    - name: Creating users for each employee defined 
        name: "{{ item.user }}"
        password: "{{ item.pwd | password_hash('sha512') }}"
      with_items: "{{ employees }}"

See more about it here.

The following command is using the param –-ask-vault-pass which will ask the vault password of the file used in the playbook.

$ ansible-playbook –-ask-vault-pass playbook.yml

See more about it here.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s