
Ansible Automation: What is Ansible vault? How to Protect Sensitive Information (Step By Step – Examples / Screenshots)

Published on August 24, 2020

Fakhar ul Hassan

Infrastructure Consultant, Cloud Architect & Automation, DevOps, Infrastructure as Code (IaC), Ansible, Terraform


What is Ansible vault?

Ansible playbooks and roles often need to use sensitive data, such as:

  • Passwords
  • SSH Keys
  • SSL Certificate
  • Playbooks
  • Variables
  • etc.

Ansible provides a feature called Ansible vault to store such sensitive data in encrypted form. Ansible takes the vault password at run time and decrypts the sensitive information automatically, so the encrypted data can be used directly from playbooks and roles.

For example, playbooks can be encrypted to protect sensitive information:

[Screenshot omitted]

Similarly, structured files can also be encrypted to protect sensitive information:

[Screenshot omitted]

Ansible Vault Basic Examples & Running an Encrypted Playbook

[Screenshot omitted]

Pre-Requisites:

1- One Ansible Control Node

2- Two Ansible managed hosts (you may use as many as you want)

3- Network access between control node and managed nodes

4- Host names of all three nodes should be registered with the DNS server, or appropriate entries should be present in /etc/hosts on all three nodes.

5- User SSH keys should already have been generated on the control node and shared with the managed nodes (see this article to configure SSH keys: http://tiny.cc/ro75fz )

Note: In this article, we have used one user, “fakhar”, on all three nodes. Its SSH keys were generated on the control node and shared with both managed hosts. All the commands discussed in the sections below have been executed on the control node, i.e. CentOS-Ctrl-Node. At the end of this article, the playbook is executed on the control node, but its targets are the managed hosts (i.e. CentOS-ManHost-160 & CentOS-ManHost-170).

Encrypted File Creation & Decryption

1- Encrypt/Decrypt Using Password Only (Without Separate Password File)

Create a file (i.e. “testfile”) and encrypt it using the Ansible vault command:

linux-prompt# ansible-vault create testfile

[Screenshot omitted]

The file is opened automatically for writing. Write something in it, save it and close it. See below for reference:

[Screenshot omitted]

You can now see the encrypted contents of the file, as shown below:

[Screenshot omitted]

Now decrypt the file and check its contents:

linux-prompt# ansible-vault decrypt testfile

[Screenshot omitted]

2- Encrypt / Decrypt Using Separate Password File

Create an unencrypted file (i.e. “testfile”) with some content (i.e. “Hello Fakhar!”). Create another file (i.e. “vault-password”) containing the password to be used for encrypting “testfile”. Then encrypt the password file (i.e. “vault-password”) using the Ansible vault command. Now use this password file (i.e. “vault-password”) to encrypt “testfile” using the Ansible vault command (see below for reference):

[Screenshot omitted]

3- Encrypt & Decrypt Existing File

Consider you have a file (i.e. “testfile”) containing some content (i.e. “Hello Fakhar”). You can encrypt it using the following Ansible vault command (note: enter the password when prompted):

linux-prompt# ansible-vault encrypt testfile

[Screenshot omitted]

You may decrypt the same file (i.e. “testfile”) using the following Ansible vault command:

linux-prompt# ansible-vault decrypt testfile

[Screenshot omitted]

4- View, Edit and Rekey the Existing Encrypted File

If you encrypted the file using a separate password file, then use the Ansible vault view command to see its content (as shown below):

linux-prompt# ansible-vault view --vault-password-file=vault-password testfile

[Screenshot omitted]

If you encrypted the file using a password only, then use the Ansible vault view command to see its content (note: after displaying the content, “testfile” still remains encrypted; see the last part of the image below as well):

linux-prompt# ansible-vault view testfile

[Screenshot omitted]

If you encrypted the file using a separate password file, then use the Ansible vault edit command to change / update its content (as shown below):

linux-prompt# ansible-vault edit --vault-password-file=vault-password testfile

[Screenshot omitted]

The file is now opened in edit mode (see image below):

[Screenshot omitted]

If you encrypted the file using a password only, then use the Ansible vault edit command to change / update its content (note: after editing the content, “testfile” still remains encrypted; see the last part of the image below as well):

linux-prompt# ansible-vault edit testfile

[Screenshot omitted]

The file is now opened in edit mode (see image below):

[Screenshot omitted]

If you encrypted the file using a separate password file, then use the Ansible vault rekey command to change its password / key (as shown below):

linux-prompt# ansible-vault rekey --vault-password-file=vault-password --new-vault-password-file=vault-password-2 testfile

[Screenshot omitted]

If you encrypted the file using a password only, then use the Ansible vault rekey command to change its password / key; you are prompted for the current vault password and then for the new one (as shown below):

linux-prompt# ansible-vault rekey testfile

[Screenshot omitted]

Using Ansible Vault For Playbooks

Create an inventory file containing both target managed hosts, as described in the prerequisites above (i.e. CentOS-ManHost-160 & CentOS-ManHost-170).

Create a playbook to check the presence of a user named “fakhar” on both target managed hosts (see image below for reference):

[Screenshot omitted]

Now, create an encrypted password file (i.e. “vault-password”) containing the password to be used for playbook encryption. Then encrypt the playbook (i.e. checkUser.yml) using this password file:

[Screenshot omitted]

Now, run the playbook using the following Ansible command:

linux-prompt# ansible-playbook -i inventory --vault-password-file=vault-password checkUser.yml

[Screenshot omitted]

The encrypted playbook has been executed successfully.
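The sections above (encrypt, view, edit, rekey a file, and running an encrypted playbook) all produce the same artifact: a text file that starts with the “$ANSIBLE_VAULT;1.1;AES256” header. The following Python script is an added example, not part of the original article and not Ansible's own code. It shows what is inside that envelope (a 32-byte salt, an HMAC-SHA256 tag and the ciphertext, each hex-encoded and the whole thing hex-encoded again), derives the vault keys the way Ansible does (PBKDF2-HMAC-SHA256, 10000 iterations, 80 bytes split into AES key, HMAC key and IV), and uses that to answer two questions a practitioner wants before committing “testfile” or “checkUser.yml” to a repository: is the file actually encrypted, and does a given vault password open it? The password check only recomputes the HMAC, so no AES library is needed. The function names, the sample password and the ciphertext bytes are constructed for the demo (real files contain AES-256-CTR output of the padded plaintext); the ‘audit_vault_password_file’ helper is an assumption about good practice (a vault password file should be readable only by its owner), not something the article states.

```python
"""Inspect an Ansible Vault 1.1 envelope and verify a vault password against it."""
import binascii
import hashlib
import hmac
import os
import stat
import tempfile

VAULT_MAGIC = "$ANSIBLE_VAULT"
PBKDF2_ITERATIONS = 10000               # fixed in Ansible's AES256 vault cipher
SALT_LEN, KEY_LEN, IV_LEN, MAC_LEN = 32, 32, 16, 32


def derive_keys(password: str, salt: bytes):
    """PBKDF2-HMAC-SHA256 -> 80 bytes: AES-256 key, HMAC-SHA256 key, 16-byte CTR IV."""
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                  PBKDF2_ITERATIONS, dklen=2 * KEY_LEN + IV_LEN)
    return derived[:KEY_LEN], derived[KEY_LEN:2 * KEY_LEN], derived[2 * KEY_LEN:]


def parse_vault_text(text: str):
    """Split a $ANSIBLE_VAULT;1.x;AES256 envelope into (salt, hmac, ciphertext) bytes."""
    header, _, body = text.strip().partition("\n")
    fields = header.split(";")
    if len(fields) < 3 or fields[0] != VAULT_MAGIC or fields[2] != "AES256":
        raise ValueError("not an AES256 Ansible Vault envelope")
    # The body is hex; decoding it yields b"hex(salt)\nhex(hmac)\nhex(ciphertext)".
    inner = binascii.unhexlify("".join(body.split()))
    parts = inner.split(b"\n")
    if len(parts) != 3:
        raise ValueError("malformed vault payload")
    salt, mac, ciphertext = (binascii.unhexlify(p) for p in parts)
    if len(salt) != SALT_LEN or len(mac) != MAC_LEN or not ciphertext or len(ciphertext) % 16:
        raise ValueError("malformed vault payload")
    return salt, mac, ciphertext


def is_vault_text(text: str) -> bool:
    """True if `text` is a structurally valid vault envelope (use before committing a file)."""
    try:
        parse_vault_text(text)
        return True
    except (ValueError, binascii.Error):
        return False


def password_matches(text: str, password: str) -> bool:
    """Recompute HMAC-SHA256(hmac_key, ciphertext) and compare in constant time."""
    salt, mac, ciphertext = parse_vault_text(text)
    _, mac_key, _ = derive_keys(password, salt)
    expected = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    return hmac.compare_digest(expected, mac)


def build_envelope(password: str, salt: bytes, ciphertext: bytes) -> str:
    """Wrap CONSTRUCTED ciphertext bytes in a 1.1 envelope whose HMAC matches `password`."""
    _, mac_key, _ = derive_keys(password, salt)
    mac = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    inner = b"\n".join(binascii.hexlify(x) for x in (salt, mac, ciphertext))
    outer = binascii.hexlify(inner).decode("ascii")
    lines = [outer[i:i + 80] for i in range(0, len(outer), 80)]   # 80-column wrapping
    return "\n".join([f"{VAULT_MAGIC};1.1;AES256"] + lines) + "\n"


def audit_vault_password_file(path: str):
    """Assumed good practice: the password file must not be group/world readable."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        return [f"{path}: mode {mode:04o} is readable by group/other; chmod 600 it"]
    return []


if __name__ == "__main__":
    # Constructed demo values: the ciphertext is NOT real AES output, only the layout is real.
    demo_password = "constructed-demo-password"
    envelope = build_envelope(demo_password, bytes(range(32, 64)), bytes(range(32)))
    print(envelope)
    salt, mac, ct = parse_vault_text(envelope)
    print(f"salt={len(salt)}B hmac={len(mac)}B ciphertext={len(ct)}B")
    print("plaintext yaml is vault?", is_vault_text("fakhar_password: hunter2\n"))
    print("right password:", password_matches(envelope, demo_password))
    print("wrong password:", password_matches(envelope, "not-the-password"))
    with tempfile.NamedTemporaryFile("w", delete=False) as fh:
        fh.write(demo_password + "\n")
    os.chmod(fh.name, 0o644)
    print(audit_vault_password_file(fh.name))      # one finding
    os.chmod(fh.name, 0o600)
    print(audit_vault_password_file(fh.name))      # []
    os.unlink(fh.name)
```

`is_vault_text` is the check to put in a pre-commit hook for every file that is supposed to be encrypted (the article's “testfile”, “checkUser.yml”, or a group_vars secrets file): a file that was decrypted with `ansible-vault decrypt` for editing and never re-encrypted fails it immediately. `password_matches` is what `ansible-vault rekey` relies on as well: because the keys are derived from password and salt, changing the password means re-deriving the keys and re-encrypting, which is why rekey rewrites the whole file.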
