Wednesday, February 26, 2020

How To Manage Sensitive Files with ansible-vault

  • The ansible-vault command is the main interface for managing encrypted content within Ansible. This command is used to initially encrypt files and is subsequently used to view, edit, or decrypt the data.

    Creating New Encrypted Files

    To create a new file encrypted with Vault, use the ansible-vault create command. Pass in the name of the file you wish to create. For example, to create an encrypted YAML file called vault.yml to store sensitive variables, you could type:
    • ansible-vault create vault.yml
    You will be prompted to enter and confirm a password:
    Output
    New Vault password:
    Confirm New Vault password:
    When you have confirmed your password, Ansible will immediately open an editing window where you can enter your desired contents.
    To test the encryption function, enter some test text:
    vault.yml
    Secret information
    
    Ansible will encrypt the contents when you close the file. If you check the file, instead of seeing the words you typed, you will see an encrypted block:
    • cat vault.yml
    Output
    $ANSIBLE_VAULT;1.1;AES256
    65316332393532313030636134643235316439336133363531303838376235376635373430336333
    3963353630373161356638376361646338353763363434360a363138376163666265336433633664
    30336233323664306434626363643731626536643833336638356661396364313666366231616261
    3764656365313263620a383666383233626665376364323062393462373266663066366536306163
    31643731343666353761633563633634326139396230313734333034653238303166
    We can see a header line that Ansible uses to know how to handle the file, followed by the encrypted contents, which appear as lines of hexadecimal digits.

    Encrypting Existing Files

    If you already have a file that you wish to encrypt with Vault, use the ansible-vault encrypt command instead.
    For testing, we can create an example file by typing:
    • echo 'unencrypted stuff' > encrypt_me.txt
    Now, you can encrypt the existing file by typing:
    • ansible-vault encrypt encrypt_me.txt
    Again, you will be prompted to provide and confirm a password. Afterwards, a message will confirm the encryption:
    Output
    New Vault password:
    Confirm New Vault password:
    Encryption successful
    Instead of opening an editing window, ansible-vault will encrypt the contents of the file and write it back to disk, replacing the unencrypted version.
    If we check the file, we should see a similar encrypted pattern:
    • cat encrypt_me.txt
    Output
    $ANSIBLE_VAULT;1.1;AES256
    66633936653834616130346436353865303665396430383430353366616263323161393639393136
    3737316539353434666438373035653132383434303338640a396635313062386464306132313834
    34313336313338623537333332356231386438666565616537616538653465333431306638643961
    3636663633363562320a613661313966376361396336383864656632376134353039663662666437
    39393639343966363565636161316339643033393132626639303332373339376664
    As you can see, Ansible encrypts existing content in much the same way as it encrypts new files.

    Viewing Encrypted Files

    Sometimes, you may need to reference the contents of a vault-encrypted file without editing it or writing it to the filesystem unencrypted. The ansible-vault view command feeds the decrypted contents of a file to standard output. By default, this means that the contents are displayed in the terminal.
    Pass the vault encrypted file to the command:
    • ansible-vault view vault.yml
    You will be asked for the file’s password. After entering it successfully, the contents will be displayed:
    Output
    Vault password: Secret information
    As you can see, the password prompt is mixed into the output of file contents. Keep this in mind when using ansible-vault view in automated processes.

    Editing Encrypted Files

    When you need to edit an encrypted file, use the ansible-vault edit command:
    • ansible-vault edit vault.yml
    You will be prompted for the file’s password. After entering it, Ansible will open the file in an editing window, where you can make any necessary changes.
    Upon saving, the new contents will be encrypted using the file’s encryption password again and written to disk.

    Manually Decrypting Encrypted Files

    To decrypt a vault encrypted file, use the ansible-vault decrypt command.
    Note: Because of the increased likelihood of accidentally committing sensitive data to your project repository, the ansible-vault decrypt command is only suggested for when you wish to remove encryption from a file permanently. If you need to view or edit a vault encrypted file, it is usually better to use the ansible-vault view or ansible-vault edit commands, respectively.
    Pass in the name of the encrypted file:
    • ansible-vault decrypt vault.yml
    You will be prompted for the encryption password for the file. Once you enter the correct password, the file will be decrypted:
    Output
    Vault password: Decryption successful
    If you view the file again, instead of the vault encryption, you should see the actual contents of the file:
    • cat vault.yml
    Output
    Secret information
    Your file is now unencrypted on disk. Be sure to remove any sensitive information or re-encrypt the file when you are finished.
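    Because ansible-vault decrypt leaves plaintext on disk, the note above warns about committing it by accident. The following pre-commit style check, added here as an example and not part of the original post, refuses files that should be vault-encrypted but lack the $ANSIBLE_VAULT header shown earlier. It inspects only the header and the hex body, so it runs without Ansible installed; the file names and the demo input are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Checks that files which are
# supposed to be vault-encrypted really carry an Ansible Vault header.

# Return 0 if the file starts with a well-formed Ansible Vault header
# ($ANSIBLE_VAULT;<format>;<cipher>[;<vault-id>]) and the body is hex only.
is_vault_encrypted() {
    file="$1"
    [ -f "$file" ] || return 1
    header=$(head -n 1 "$file")
    case "$header" in
        '$ANSIBLE_VAULT;1.1;AES256'|'$ANSIBLE_VAULT;1.2;AES256;'*) ;;
        *) return 1 ;;
    esac
    # Everything after the header must be lines of hex digits (plaintext
    # left behind by ansible-vault decrypt would fail this).
    tail -n +2 "$file" | grep -qv '^[0-9a-f]*$' && return 1
    return 0
}

# Check every path given; report offenders on stderr, return 1 if any found.
check_vault_files() {
    ok=0
    for f in "$@"; do
        if ! is_vault_encrypted "$f"; then
            echo "NOT ENCRYPTED: $f" >&2
            ok=1
        fi
    done
    return "$ok"
}

# Demo on constructed input so the script runs stand-alone. The header and
# first body line are copied from the encrypted vault.yml shown in the post;
# secrets.yml stands for a file someone decrypted and forgot to re-encrypt.
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' '$ANSIBLE_VAULT;1.1;AES256' \
        '65316332393532313030636134643235316439336133363531303838376235376635373430336333' \
        > "$tmp/vault.yml"
    echo 'db_password: example-only' > "$tmp/secrets.yml"
    if check_vault_files "$tmp/vault.yml" "$tmp/secrets.yml"; then
        echo "all vault files are encrypted, commit may proceed"
    else
        echo "refusing commit: plaintext vault file present"
    fi
    rm -rf "$tmp"
}
demo
```

    To use it as a hook, call check_vault_files from .git/hooks/pre-commit with the staged paths you treat as vault files (for example the output of git diff --cached --name-only filtered to your vault file names) and let a non-zero exit abort the commit.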
