LinuxCommandLibrary

ansible-vault

Encrypt and decrypt Ansible variables/files

TLDR

Create a new encrypted vault file with a prompt for a password
$ ansible-vault create [vault_file]

Create a new encrypted vault file using a vault key file to encrypt it
$ ansible-vault create --vault-password-file [password_file] [vault_file]

Encrypt an existing file using an optional password file
$ ansible-vault encrypt --vault-password-file [password_file] [vault_file]

Encrypt a string using Ansible's encrypted string format, displaying interactive prompts
$ ansible-vault encrypt_string

View an encrypted file, using a password file to decrypt
$ ansible-vault view --vault-password-file [password_file] [vault_file]

Re-key already encrypted vault file with a new password file
$ ansible-vault rekey --vault-password-file [old_password_file] --new-vault-password-file [new_password_file] [vault_file]

SYNOPSIS

ansible-vault [create|decrypt|edit|encrypt|encrypt_string|rekey|view] [--vault-id [@prompt|PROMPT|PATH]] [--vault-password-file FILE] [options] [vaultfile]

PARAMETERS

--ask-vault-pass
    Prompt for vault password interactively.

--vault-id @prompt|PROMPT|PATH
    Specify a vault ID as label@source, where source is prompt or the path of a password file.

--vault-password-file FILE
    Read password from file.

--encrypt-vault-id NEW_VAULT
    Vault ID for new encryption (encrypt/rekey).

--output FILE
    Write output to specified file.

--stdin-name VAR
    Variable name for stdin input (encrypt_string).

--new-vault-id NEW_VAULT
    New vault ID for rekeying.

--remove
    Remove vault ID from rekey (if exists).

--help
    Show help message.

--version
    Display version info.

DESCRIPTION

ansible-vault is a command-line tool in the Ansible automation platform for securely handling sensitive data. It encrypts YAML files or strings containing secrets like passwords, API keys, certificates, and tokens, preventing exposure in version control or shared environments.

Core functions include creating new encrypted files, viewing contents without saving decrypted versions, editing files by decrypting temporarily, rekeying vaults to change passwords, and generating encrypted strings for inline playbook use. It integrates seamlessly with ansible-playbook, prompting for passwords during execution or using vault IDs for multi-key support.

Security relies on AES-256 encryption with PBKDF2-derived keys. Users can specify vault IDs (e.g., prod@prompt) for labeled vaults, enabling complex setups with multiple secrets. Best practices recommend vault password files for automation and avoiding plaintext secrets in repos.

Ideal for DevOps workflows, it balances usability and security, though it requires careful password management.

CAVEATS

Vault passwords must be managed securely; avoid committing them to version control. Limited to AES-256; no native multi-factor support. Interactive prompts halt automation without --vault-password-file.

EXAMPLE USAGE

ansible-vault create secrets.yml
ansible-vault encrypt_string 'mysecret' --name 'db_pass'
ansible-vault view secrets.yml

SECURITY NOTE

Use vault IDs like prod@~/prod_pass.txt for automation. Always verify decryption before production use.
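An added check, not part of this page or of Ansible itself, of the kind a pre-commit hook can run to enforce the points above: it parses the $ANSIBLE_VAULT header that ansible-vault writes on line 1, confirms a whole-file vault carries an expected vault ID label, and flags variables whose names look like secrets but are not !vault encrypted strings. The secret-key name pattern and the sample inputs are constructed for the example.

```python
import re
from typing import Optional

# Header ansible-vault writes on line 1: "$ANSIBLE_VAULT;<version>;<cipher>[;<label>]".
# Format 1.1 carries no label; 1.2 (Ansible 2.4+) appends the vault ID label.
HEADER_RE = re.compile(r"^\$ANSIBLE_VAULT;(1\.[12]);([A-Z0-9]+)(?:;([^\s;]+))?$")
# Variable names whose values should be encrypted strings (assumed pattern, adjust to taste).
SECRET_KEY_RE = re.compile(r"(pass(word)?|secret|token|api_key|private_key)$", re.I)

def parse_vault_header(line: str) -> Optional[dict]:
    """Return version, cipher and vault ID label from a vault header line, or None."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    return {"version": m.group(1), "cipher": m.group(2), "label": m.group(3)}

def check_vault_file(text: str, allowed_labels=None) -> list:
    """List problems with a file that is supposed to be encrypted as a whole."""
    lines = text.splitlines()
    hdr = parse_vault_header(lines[0]) if lines else None
    if hdr is None:
        return ["not encrypted: no $ANSIBLE_VAULT header on line 1"]
    problems = []
    if hdr["cipher"] != "AES256":
        problems.append(f"unexpected cipher {hdr['cipher']}")
    if allowed_labels is not None and hdr["label"] not in allowed_labels:
        problems.append(f"vault id {hdr['label']!r} not in {sorted(allowed_labels)}")
    return problems

def find_plaintext_secrets(yaml_text: str) -> list:
    """Top-level keys that look like secrets but are not '!vault' encrypted strings."""
    found = []
    for line in yaml_text.splitlines():
        m = re.match(r"^([A-Za-z_]\w*):\s*(.*)$", line)
        if m and SECRET_KEY_RE.search(m.group(1)) and not m.group(2).startswith("!vault"):
            found.append(m.group(1))
    return found

# Constructed samples: the hex body is a stand-in, not real ciphertext.
ENCRYPTED_FILE = "$ANSIBLE_VAULT;1.2;AES256;prod\n3235306139\n"
PLAINTEXT_FILE = "db_password: hunter2\n"
MIXED_VARS = (
    "db_user: app\n"
    "db_password: !vault |\n"
    "          $ANSIBLE_VAULT;1.1;AES256\n"
    "          3235306139\n"
    "api_token: plaintext-token\n"
)
```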

HISTORY

Introduced in Ansible 1.5 (2014) for basic file encryption. Ansible 2.4 added vault IDs for multiple keys. Enhanced in later versions with better prompt handling and string encryption; now core to Ansible 2.10+ collections.

SEE ALSO
