Cyberithub

15 ansible-vault command examples to encrypt and decrypt sensitive data/files on Linux

In this article, I will take you through 15 ansible-vault command examples to encrypt and decrypt sensitive data/files on Linux. Vault is a feature of Ansible, implemented by the ansible-vault tool, that encrypts sensitive information such as passwords, variables and any other data you want to protect. The tool is frequently used to protect Ansible playbook files and data. It uses the 256-bit AES algorithm to encrypt the data. ansible-vault has various options for encryption and decryption, which are covered in detail in the examples below.

SYNOPSIS

usage: ansible-vault [-h] [--version] [-v]
{create,decrypt,edit,view,encrypt,encrypt_string,rekey}


Example 1: How to Install ansible-vault on Linux

Before using the ansible-vault tool, you first need to install it on your server. The installation method depends on your Linux distribution and version, as shown below.

On RHEL/CentOS 7

[root@localhost ~]# yum install ansible -y

On RHEL/CentOS 8

[root@localhost ~]# dnf install ansible -y

On Ubuntu 20.04

[root@localhost ~]# apt install ansible -y

NOTE:

Please note that I am using the root user to run all the commands below. You can use any user with sudo access to run them. For more information, please check Step by Step: How to Add User to Sudoers to provide sudo access to the User.

Example 2: How to check the version of ansible-vault command on Linux

If you want to check the ansible-vault command version then you need to use the ansible-vault --version command. As shown below, the current ansible-vault version is 2.9.10.

[root@localhost ~]# ansible-vault --version
ansible-vault 2.9.10
config file = /etc/ansible/ansible.cfg
configured module search path = [u'/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
ansible python module location = /usr/lib/python2.7/site-packages/ansible
executable location = /usr/bin/ansible-vault
python version = 2.7.5 (default, Apr 2 2020, 13:16:51) [GCC 4.8.5 20150623 (Red Hat 4.8.5-39)]

Example 3: How to Create an Encrypted File Using ansible-vault command

If you want to create a new encrypted file then you need to use the ansible-vault command below. In this example, we are creating an encrypted secrets.yml file using the ansible-vault create secrets.yml command. It will ask for a new vault password to encrypt the file. The same password is later used to decrypt the file, so it is important to remember it.

[root@localhost ~]# ansible-vault create secrets.yml
New Vault password:
Confirm New Vault password:

create: create and open a file in an editor that will be encrypted with the provided vault secret when closed. More on ansible-vault command Man Page.

Example 4: How to View an Encrypted File in Ansible using ansible-vault

If you want to view the contents of an encrypted file then you need to use below ansible-vault command. In this example, we are viewing the contents of secrets.yml file using ansible-vault view secrets.yml command. It will ask you to provide the Vault password which you have set during the time of file encryption.

[root@localhost ~]# ansible-vault view secrets.yml
Vault password:
Hi, This is my secret

view: open, decrypt and view an existing vaulted file using a pager using the supplied vault secret. More on ansible-vault command Man Page.

Example 5: How to Encrypt a Text File in Ansible using ansible-vault command

Let’s say I have a text file file.txt which has a single line of content "This is from CyberITHub" as shown below.

[root@localhost ~]# cat file.txt
This is from CyberITHub

Now I need to encrypt this file using ansible-vault command. This can be easily done by running ansible-vault encrypt file.txt command as shown below.

[root@localhost ~]# ansible-vault encrypt file.txt
New Vault password:
Confirm New Vault password:
Encryption successful

encrypt: encrypt the supplied file using the provided vault secret. More on ansible-vault Man Page.

If you again check the contents of file.txt after encryption then you will see the content in the encrypted form as shown below.

[root@localhost ~]# cat file.txt
$ANSIBLE_VAULT;1.1;AES256
39316231356664613363333761366238386633323462633539313335313337613836653037303263
6463343230313364333130636639343862333032306465300a313664353036303234363831363233
65323664396164646163643862373165663339636163346561656232623231633132663132346565
3031633239336533300a303832653638346130353834376131313162356265666436306639643738
66306134313335366466313437386463626538373363383738623938656162663731

As you can see from the above output, the vault version that supports the vault ID is 1.1, and the algorithm used for encryption is the 256-bit AES cipher, represented by AES256. It is known to be the strongest algorithm currently in use to secure sensitive files and data.

Example 6: How to Decrypt an encrypted File in Ansible Using ansible-vault

Similarly, if you want to decrypt an encrypted file, you can do that with the ansible-vault command as well. Below is our encrypted file which needs to be decrypted.

[root@localhost ~]# cat file.txt
$ANSIBLE_VAULT;1.1;AES256
39316231356664613363333761366238386633323462633539313335313337613836653037303263
6463343230313364333130636639343862333032306465300a313664353036303234363831363233
65323664396164646163643862373165663339636163346561656232623231633132663132346565
3031633239336533300a303832653638346130353834376131313162356265666436306639643738
66306134313335366466313437386463626538373363383738623938656162663731

So to decrypt the file you need to use ansible-vault decrypt file.txt command as shown below.

[root@localhost ~]# ansible-vault decrypt file.txt
Vault password:
Decryption successful

decrypt: decrypt the supplied file using the provided vault secret. More on ansible-vault Man Page.

If you check the content of file.txt file again then you can see it is now decrypted to plain text as shown below.

[root@localhost ~]# cat file.txt
This is from CyberITHub

Example 7: How to Encrypt a Playbook File in Ansible using ansible-vault command

You can also use ansible-vault to encrypt the playbook file as shown below. We have sample playbook.yml file here.

[root@localhost ~]# cat playbook.yml
---
- name: Update NTP Packages
  hosts: App Servers
  remote_user: root

  tasks:
    - name: Update NTP Version to Latest Version
      yum:
        name: ntpd
        state: latest
    - name: Provide NTP Configuration
      template:
        src: /var/ntp.detail
        dest: /etc/ntpd.conf

Here we are encrypting the playbook.yml file using ansible-vault encrypt playbook.yml command as shown below.

[root@localhost ~]# ansible-vault encrypt playbook.yml
New Vault password:
Confirm New Vault password:
Encryption successful

Once it is encrypted, you can check the contents of playbook.yml file using cat playbook.yml command. You can see from the output that entire content is now encrypted.

[root@localhost ~]# cat playbook.yml
$ANSIBLE_VAULT;1.1;AES256

The ansible-vault tool provides multiple options for encryption. One of them is --ask-vault-pass, which prompts for the vault password to set for encryption. You get the same password prompt by default.

[root@localhost ~]# ansible-vault encrypt playbook.yml --ask-vault-pass
New Vault password:
Confirm New Vault password:
Encryption successful

Another useful option you can use is --vault-id to provide a valid identity during encryption.

[root@localhost ~]# ansible-vault encrypt --vault-id file@prompt playbook.yml
New vault password (file):
Confirm new vault password (file):
Encryption successful

If you want to provide the vault password through a file instead of typing it at the prompt then you need to use the --vault-password-file option as shown below.

[root@localhost ~]# ansible-vault encrypt --vault-password-file pass.txt playbook.yml
Encryption successful
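A file passed with --vault-password-file holds the vault password in cleartext, so how it is created and what its mode bits are matter. The script below is an added example, not part of the original article; make_vault_pass_file and check_vault_pass_file are hypothetical helper names, GNU stat is assumed, and the script works in a temporary directory without calling ansible-vault.

```shell
#!/usr/bin/env bash
# Added example: create and vet a file meant for --vault-password-file.

# Create the password file under umask 077 so it is never readable by
# group/other, not even briefly before a later chmod. Refuses to overwrite.
make_vault_pass_file() {
    local path=$1
    if [ -e "$path" ]; then
        echo "$path: already exists, not overwriting" >&2
        return 1
    fi
    # 32 random bytes, base64-encoded, written as a single line
    ( umask 077 && head -c 32 /dev/urandom | base64 > "$path" )
}

# Print one finding per problem; return 0 only if the file is acceptable.
check_vault_pass_file() {
    local path=$1 mode rc=0
    if [ -L "$path" ] || [ ! -f "$path" ]; then
        echo "$path: not a regular file"
        return 1
    fi
    if [ ! -s "$path" ]; then
        echo "$path: empty"
        rc=1
    fi
    mode=$(stat -c '%a' "$path")      # octal mode, e.g. 600 (GNU stat)
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "$path: mode $mode lets group/other access the vault password"
        rc=1
    fi
    # Ansible executes a password file that has an executable bit and uses
    # its stdout as the password; a static text file must not be executable.
    if [ $(( 0$mode & 0111 )) -ne 0 ]; then
        echo "$path: executable bit set, Ansible would run it as a script"
        rc=1
    fi
    return $rc
}

# Demo in a throwaway directory (constructed data, no real secrets).
demo_dir=$(mktemp -d)
make_vault_pass_file "$demo_dir/pass.txt"
check_vault_pass_file "$demo_dir/pass.txt" && echo "pass.txt: OK"
chmod 644 "$demo_dir/pass.txt"
check_vault_pass_file "$demo_dir/pass.txt" || echo "pass.txt: rejected"
rm -rf "$demo_dir"
```

Keep the password file outside the repository that holds the encrypted files, so the two are never committed together.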

Example 8: How to decrypt a Playbook File Using ansible-vault

If you want to decrypt the file from the previous example at the destination server then you can do that with the same ansible-vault command line tool. As you can see, the playbook.yml file is currently in encrypted form.

[root@localhost ~]# cat playbook.yml
$ANSIBLE_VAULT;1.1;AES256

So to decrypt this file you need to use ansible-vault decrypt playbook.yml command as shown below. Here you need to provide the vault password which you have given during encryption to decrypt the file.

[root@localhost ~]# ansible-vault decrypt playbook.yml
Vault password:
Decryption successful

Once the correct password is given you can see the decrypted file using cat playbook.yml command as shown below.

[root@localhost ~]# cat playbook.yml
---
- name: Update NTP Packages
  hosts: App Servers
  remote_user: root

  tasks:
    - name: Update NTP Version to Latest Version
      yum:
        name: ntpd
        state: latest
    - name: Provide NTP Configuration
      template:
        src: /var/ntp.detail
        dest: /etc/ntpd.conf

Example 9: How to Change the Playbook Password using ansible-vault 

If you want to change the vault password of a playbook file then you need to use the ansible-vault command below. In this example, we are changing the vault password of the secrets.yml file using the ansible-vault rekey secrets.yml command. This step requires you to provide the current vault password. Without it you won't be able to set the new password.

[root@localhost ~]# ansible-vault rekey secrets.yml
Vault password:
New Vault password:
Confirm New Vault password:
Rekey successful

rekey: re-encrypt a vaulted file with a new secret, the previous secret is required. More on ansible-vault Man Page.

Example 10: How to Edit an Encrypted File in Ansible using ansible-vault

If you want to edit a file after encryption then you need to use below ansible-vault command. In this example, we are editing secrets.yml file using ansible-vault edit secrets.yml command as shown below.

[root@localhost ~]# ansible-vault edit secrets.yml
Vault password:
Hi, This is my secret

edit: open and decrypt an existing vaulted file in an editor, that will be encrypted again when closed. More on ansible-vault Man Page.

Example 11: How to Encrypt String in Ansible using ansible-vault command

Like files, you can also encrypt variables or strings using the ansible-vault command. In this example we are encrypting the string "This is from CyberITHub" using the ansible-vault encrypt_string command as shown below.

[root@localhost ~]# ansible-vault encrypt_string
New Vault password:
Confirm New Vault password:
Reading plaintext input from stdin. (ctrl-d to end input)
This is from CyberITHub
!vault |
$ANSIBLE_VAULT;1.1;AES256
64663038623134353439356139323966653732366138626266353933373031353362306232343838
6338316338616330663537663735663764343436386662350a326566666364636138356461643336
38333337613963383934616264313836356434656265623438393161346163363264666232336334
6331646162316437660a363831613631636439353232303265323935306237313931303861393930
30393534353332326137666462613436643761396364653032393666326563383764
Encryption successful

You can use other parameters with encrypt_string like --vault-password-file to pass the password from a file to encrypt a string.

[root@localhost ~]# ansible-vault encrypt_string --vault-password-file pass.txt 'secret_pass' --name 'secret'
secret: !vault |
$ANSIBLE_VAULT;1.1;AES256
34656530313633666438656430383031363031633332656261343237613035316231333632643230
3637366239306534303636643736376439353262626337370a306631613164323364373161303930
38336661393365393431623332383335363965626466653966323439363237623037356539393437
6130616662373237310a653138323134643130373162343962363262336461626138323336663634
3462
Encryption successful

Example 12: How to Change output File Name for Encrypt/Decrypt

If you want to change the output file name for encryption or decryption then you need to use --output option as shown below. In this example we are encrypting playbook.yml with different file name playbook2.yml using ansible-vault encrypt playbook.yml --output playbook2.yml command as shown below. This method is used when you want to save the original file as it is and create encrypted output in another file.

[root@localhost ~]# ansible-vault encrypt playbook.yml --output playbook2.yml
New Vault password:
Confirm New Vault password:
Encryption successful
[root@localhost ~]# ls playbook*
playbook2.yml playbook.yml

Now if you check the source file again then you can see it is not encrypted and is still in text form.

[root@localhost ~]# cat playbook.yml
---
- name: Update NTP Packages
  hosts: App Servers
  remote_user: root

  tasks:
    - name: Update NTP Version to Latest Version
      yum:
        name: ntpd
        state: latest
    - name: Provide NTP Configuration
      template:
        src: /var/ntp.detail
        dest: /etc/ntpd.conf

But if you check the output file playbook2.yml then you can see the encrypted output of the playbook.yml file.

[root@localhost ~]# cat playbook2.yml
$ANSIBLE_VAULT;1.1;AES256
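Because --output leaves the source file in plaintext (and decrypt rewrites a file in place as plaintext), it is worth checking which files actually carry a vault header before sharing or committing them. The script below is an added example, not part of the original article; is_vaulted, report_unvaulted and make_sample_tree are hypothetical helper names, and the sample files are constructed.

```shell
#!/usr/bin/env bash
# Added example: flag files that are expected to be vault-encrypted but are not.

# True if the first line of the file is a vault envelope header:
#   $ANSIBLE_VAULT;1.1;AES256              (no vault ID label)
#   $ANSIBLE_VAULT;1.2;AES256;<vault-id>   (written when a vault ID label is used)
is_vaulted() {
    local first=
    [ -f "$1" ] || return 1
    # read fails on a last line without newline but still fills $first
    IFS= read -r first < "$1" || [ -n "$first" ] || return 1
    case $first in
        '$ANSIBLE_VAULT;1.1;AES256')    return 0 ;;
        '$ANSIBLE_VAULT;1.2;AES256;'?*) return 0 ;;
        *)                              return 1 ;;
    esac
}

# Pass the files you expect to be encrypted. Prints each one that is not
# and returns 1 if any was found, so it can gate a commit or a CI job.
report_unvaulted() {
    local f rc=0
    for f in "$@"; do
        if ! is_vaulted "$f"; then
            echo "NOT ENCRYPTED: $f"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample tree mirroring Example 12: the source file stays in
# plaintext while the --output copy carries the vault header.
make_sample_tree() {
    local d=$1
    printf '%s\n' '---' '- name: Update NTP Packages' > "$d/playbook.yml"
    printf '%s\n' '$ANSIBLE_VAULT;1.1;AES256' '3665636136336636' > "$d/playbook2.yml"
    printf '%s\n' '$ANSIBLE_VAULT;1.2;AES256;file' '6463343466313861' > "$d/secrets.yml"
    # Header present but not on line 1: this is not a valid vault file
    printf '%s\n' '# db creds' '$ANSIBLE_VAULT;1.1;AES256' > "$d/broken.yml"
}

demo_dir=$(mktemp -d)
make_sample_tree "$demo_dir"
report_unvaulted "$demo_dir"/*.yml || echo "plaintext files found, stopping here"
rm -rf "$demo_dir"
```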

Example 13: How to Use Verbose Option with Encryption/Decryption

If you want to see the backend operations performed by the ansible-vault command then you need to use the verbose (-v) option with encryption/decryption as shown below.

[root@localhost ~]# ansible-vault encrypt playbook.yml -v --output playbook2.yml
Using /etc/ansible/ansible.cfg as config file
New Vault password:
Confirm New Vault password:
Encryption successful

-v : verbose mode. More on ansible-vault Man Page.

You can also check the default value set in the ansible configuration file using vi /etc/ansible/ansible.cfg as shown below.

[root@localhost ~]# vi /etc/ansible/ansible.cfg
# config file for ansible -- https://ansible.com/
# ===============================================

# nearly all parameters can be overridden in ansible-playbook
# or with command line flags. ansible will read ANSIBLE_CONFIG,
# ansible.cfg in the current working directory, .ansible.cfg in
# the home directory or /etc/ansible/ansible.cfg, whichever it
# finds first

[defaults]

# some basic default values...

#inventory = /etc/ansible/hosts
#library = /usr/share/my_modules/
#module_utils = /usr/share/my_module_utils/
#remote_tmp = ~/.ansible/tmp
#local_tmp = ~/.ansible/tmp
#plugin_filters_cfg = /etc/ansible/plugin_filters.yml
#forks = 5
#poll_interval = 15
#sudo_user = root
#ask_sudo_pass = True
#ask_pass = True
#transport = smart
#remote_port = 22
#module_lang = C
#module_set_locale = False

Example 14: How to Check all the options available with ansible-vault command

If you want to check all the options available with ansible-vault command then you need to use ansible-vault --help command as shown below.

[root@localhost ~]# ansible-vault --help
usage: ansible-vault [-h] [--version] [-v]
{create,decrypt,edit,view,encrypt,encrypt_string,rekey}
...

encryption/decryption utility for Ansible data files

positional arguments:
{create,decrypt,edit,view,encrypt,encrypt_string,rekey}
create Create new vault encrypted file
decrypt Decrypt vault encrypted file
edit Edit vault encrypted file
view View vault encrypted file
encrypt Encrypt YAML file
encrypt_string Encrypt a string
rekey Re-key a vault encrypted file

optional arguments:
--version show program's version number, config file location,
configured module search path, module location,
executable location and exit

Example 15: How to Check the Man Page of ansible-vault command

If you want to check the man page of ansible-vault command then you need to use man ansible-vault command as shown below.

[root@localhost ~]# man ansible-vault
ANSIBLE-VAULT(1) System administration commands ANSIBLE-VAULT(1)

NAME
ansible-vault - encryption/decryption utility for Ansible data files

SYNOPSIS
usage: ansible-vault [-h] [--version] [-v]
{create,decrypt,edit,view,encrypt,encrypt_string,rekey}

DESCRIPTION
can encrypt any structured data file used by Ansible. This can include group_vars/ or host_vars/ inventory variables, variables loaded by include_vars or
vars_files, or variable files passed on the ansible-playbook command line with -e @file.yml or -e @file.json. Role variables and defaults are also
included!

Because Ansible tasks, handlers, and other objects are data, these can also be encrypted with vault. If you'd like to not expose what variables you are
using, you can keep an individual task file entirely encrypted.

COMMON OPTIONS
--version
show program's version number, config file location, configured module search path, module location, executable location and exit

-h, --help
show this help message and exit

-v, --verbose
verbose mode (-vvv for more, -vvvv to enable connection debugging)

 

 

 
