Ansible Vault allows keeping encrypted data in Playbooks

February 19, 2014 by Michael DeHaan


Introducing Ansible Vault

Ansible 1.5, which will be released in a few weeks, adds a new command-line tool, “ansible-vault”, and a new /usr/bin/ansible and /usr/bin/ansible-playbook option, “--ask-vault-pass”.

The idea here is pretty simple -- there is often a need to keep certain data in configuration files, for use in playbooks and templates, that you don’t want to expose in source control.

To give credit where credit is due, this feature isn’t *exactly* a new idea. Chef has a feature called “encrypted data bags”, for instance, though “vault” adds Ansible’s own flavor to it.

To do this, instead of opening your favorite editor, run the following command, which will launch the editor defined by your $EDITOR, or will default to vim if this is not set:

ansible-vault create vars.yml

The tool will ask you for a password to encrypt the file with. To edit it again later:

ansible-vault edit vars.yml

And to run a playbook that uses encrypted data:

ansible-playbook site.yml --ask-vault-pass

Should you get the vault password wrong, you’ll get a friendly error message.

What can be encrypted? Lots of things. group_vars and host_vars files, vars_files, things included with “include_vars”, and even individual playbooks or task files. Basically everything that is YAML in Ansible can be used with ansible-vault. It’s really generic.

There are a few extra commands. Suppose you have a vault-encrypted file and want to change the password?

ansible-vault rekey vars.yml

Or if you want to encrypt an existing plaintext file?

ansible-vault encrypt vars.yml

Or to permanently decrypt an existing file?

ansible-vault decrypt vars.yml

If you want to encrypt, decrypt, or rekey multiple files at the same time, you can do this as follows:

ansible-vault [encrypt|decrypt|rekey] vars1.yml vars2.yml vars3.yml
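Since vault works on ordinary YAML files, the practical risk is a vars file that was meant to be encrypted landing in source control as plaintext. The script below is an added example (not code from this post or from the Ansible project) of a small pre-commit style check for that: it assumes that a file written by ansible-vault begins with a header line of the form $ANSIBLE_VAULT;<format-version>;<cipher> (for example “$ANSIBLE_VAULT;1.1;AES256”) and relies only on the “$ANSIBLE_VAULT;” prefix to decide; the two sample files it writes to a temporary directory are constructed for the demonstration, and the function names are this example’s own.

```shell
#!/bin/sh
# Added example: refuse to proceed when a vars file that should be vault-encrypted
# is still plaintext. Assumption (not stated in the post): ansible-vault output starts
# with a header line "$ANSIBLE_VAULT;<format-version>;<cipher>".

# is_vault_encrypted FILE -> exit 0 if the first line carries the vault header, 1 otherwise
is_vault_encrypted() {
    [ -f "$1" ] || return 1
    head -n 1 "$1" | grep -q '^\$ANSIBLE_VAULT;'
}

# vault_cipher FILE -> print the cipher field of the header (third ';'-separated field)
vault_cipher() {
    is_vault_encrypted "$1" || return 1
    head -n 1 "$1" | cut -d';' -f3
}

# check_vault_files FILE... -> one status line per file; exit 1 if any file is plaintext
check_vault_files() {
    rc=0
    for f in "$@"; do
        if is_vault_encrypted "$f"; then
            echo "ok        $f ($(vault_cipher "$f"))"
        else
            echo "PLAINTEXT $f"
            rc=1
        fi
    done
    return $rc
}

# Demonstration on constructed sample files (the hex body is a stand-in for real ciphertext).
demo_dir=$(mktemp -d)
printf '%s\n' '$ANSIBLE_VAULT;1.1;AES256' '35623662643566303062' > "$demo_dir/secret_vars.yml"
printf '%s\n' 'db_password: hunter2' > "$demo_dir/plain_vars.yml"
check_vault_files "$demo_dir/secret_vars.yml" "$demo_dir/plain_vars.yml" \
    || echo "refusing: plaintext secrets present"
rm -rf "$demo_dir"
```

Run it against the group_vars, host_vars and vars_files paths your team has agreed must stay encrypted; a non-zero exit is the signal to stop the commit. The check is deliberately shallow (header only), so it catches the common mistake of forgetting to run “ansible-vault encrypt”, not a weak vault password.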

So that’s ansible-vault! We hope you enjoy using it. If you would like to try it out now, check out the “devel” branch of the github repo, and:

source ./hacking/env-setup

Thanks to James Tanner for a lot of great work on this feature, and for lots of folks on the ansible-project list for being a great sounding board. Please direct any questions and ideas to the mailing list. Thanks!

Michael DeHaan

Ansible project founder.