ansible-vault

Encrypts & decrypts values, data structures and files within Ansible projects.

TLDR

Create a new encrypted vault file with a prompt for a password

$ ansible-vault create [vault_file]
copy

Create a new encrypted vault file using a vault key file to encrypt it

$ ansible-vault create --vault-password-file=[password_file] [vault_file]
copy

Encrypt an existing file using an optional password file

$ ansible-vault encrypt --vault-password-file=[password_file] [vault_file]
copy

Encrypt a string using Ansible's encrypted string format, displaying interactive prompts

$ ansible-vault encrypt_string
copy

View an encrypted file, using a password file to decrypt

$ ansible-vault view --vault-password-file=[password_file] [vault_file]
copy

Re-key already encrypted vault file with a new password file

$ ansible-vault rekey --vault-password-file=[old_password_file] --new-vault-password-file=[new_password_file] [vault_file]
copy

SYNOPSIS

usage: ansible-vault [-h] [--version] [-v]

{create,decrypt,edit,view,encrypt,encrypt_string,rekey} ...

DESCRIPTION

can encrypt any structured data file used by Ansible. This can include group_vars/ or host_vars/ inventory variables, variables loaded by include_vars or vars_files, or variable files passed on the ansible-playbook command line with -e @file.yml or -e @file.json. Role variables and defaults are also included!

Because Ansible tasks, handlers, and other objects are data, these can also be encrypted with vault. If you'd like to not expose what variables you are using, you can keep an individual task file entirely encrypted.

COMMON OPTIONS

--version

show program's version number, config file location, configured module search path, module location, executable location and exit

-h, --help

show this help message and exit

-v, --verbose

verbose mode (-vvv for more, -vvvv to enable connection debugging)

ACTIONS

create

create and open a file in an editor that will be encrypted with the provided vault secret when closed

--ask-vault-password, --ask-vault-pass

ask for vault password

--encrypt-vault-id 'ENCRYPT_VAULT_ID'

the vault id used to encrypt (required if more than one vault-id is provided)

--vault-id

the vault identity to use

--vault-password-file, --vault-pass-file

vault password file

decrypt

decrypt the supplied file using the provided vault secret

--ask-vault-password, --ask-vault-pass

ask for vault password

--output 'OUTPUT_FILE'

output file name for encrypt or decrypt; use - for stdout

--vault-id

the vault identity to use

--vault-password-file, --vault-pass-file

vault password file

edit

open and decrypt an existing vaulted file in an editor, that will be encrypted again when closed

--ask-vault-password, --ask-vault-pass

ask for vault password

--encrypt-vault-id 'ENCRYPT_VAULT_ID'

the vault id used to encrypt (required if more than one vault-id is provided)

--vault-id

the vault identity to use

--vault-password-file, --vault-pass-file

vault password file

view

open, decrypt and view an existing vaulted file using a pager using the supplied vault secret

--ask-vault-password, --ask-vault-pass

ask for vault password

--vault-id

the vault identity to use

--vault-password-file, --vault-pass-file

vault password file

encrypt

encrypt the supplied file using the provided vault secret

--ask-vault-password, --ask-vault-pass

ask for vault password

--encrypt-vault-id 'ENCRYPT_VAULT_ID'

the vault id used to encrypt (required if more than one vault-id is provided)

--output 'OUTPUT_FILE'

output file name for encrypt or decrypt; use - for stdout

--vault-id

the vault identity to use

--vault-password-file, --vault-pass-file

vault password file

encrypt_string

encrypt the supplied string using the provided vault secret

--ask-vault-password, --ask-vault-pass

ask for vault password

--encrypt-vault-id 'ENCRYPT_VAULT_ID'

the vault id used to encrypt (required if more than one vault-id is provided)

--output 'OUTPUT_FILE'

output file name for encrypt or decrypt; use - for stdout

--show-input

Do not hide input when prompted for the string to encrypt

--stdin-name 'ENCRYPT_STRING_STDIN_NAME'

Specify the variable name for stdin

--vault-id

the vault identity to use

--vault-password-file, --vault-pass-file

vault password file

-n, --name

Specify the variable name

-p, --prompt

Prompt for the string to encrypt

rekey

re-encrypt a vaulted file with a new secret, the previous secret is required

--ask-vault-password, --ask-vault-pass

ask for vault password

--encrypt-vault-id 'ENCRYPT_VAULT_ID'

the vault id used to encrypt (required if more than one vault-id is provided)

--new-vault-id 'NEW_VAULT_ID'

the new vault identity to use for rekey

--new-vault-password-file 'NEW_VAULT_PASSWORD_FILE'

new vault password file for rekey

--vault-id

the vault identity to use

--vault-password-file, --vault-pass-file

vault password file

ENVIRONMENT

The following environment variables may be specified.

ANSIBLE_CONFIG -- Specify override location for the ansible config file

Many more are available for most options in ansible.cfg

For a full list check https://docs.ansible.com/. or use the ansible-config command.

FILES

/etc/ansible/ansible.cfg -- Config file, used if present

~/.ansible.cfg -- User config file, overrides the default config if present

./ansible.cfg -- Local config file (in current working directory) assumed to be 'project specific' and overrides the rest if present.

As mentioned above, the ANSIBLE_CONFIG environment variable will override all others.

COPYRIGHT

Copyright © 2018 Red Hat, Inc | Ansible. Ansible is released under the terms of the GPLv3 license.

SEE ALSO

ansible(1), ansible-config(1), ansible-console(1), ansible-doc(1), ansible-galaxy(1), ansible-inventory(1), ansible-playbook(1), ansible-pull(1), Extensive documentation is available in the documentation site: <https://docs.ansible.com>. IRC and mailing list info can be found in file CONTRIBUTING.md, available in: <https://github.com/ansible/ansible>

AUTHOR

Ansible was originally written by Michael DeHaan.

Copied to clipboard
Coindodo