Secure Secrets with Ansible Vault: Use Encrypted Files

Secure secrets by encrypting files using Ansible Vault.


So far we have been using one secret in the clear: the password of the Ansible user, stored in plaintext in the group variable files. Storing it in plaintext is bad enough, but storing it that way inside a Git repository is worse, because every clone and every commit in the history carries a copy. Luckily, Ansible has a solution.

Ansible Vault

Ansible Vault is a feature that encrypts files or individual strings so that sensitive data such as passwords and keys can be kept in source control. The encrypted values are safe to commit; what must stay out of the repository is the vault password itself. At run time, ansible, ansible-playbook, ansible-inventory and the other commands decrypt the values with the vault password supplied through one of the following options:

  • --ask-vault-pass: prompt for the password interactively
  • --vault-password-file: read the password from a file (if the file is executable, Ansible runs it and uses its standard output, which is how a password manager or KMS can be plugged in)
  • --vault-id: combine a label with a password source, so that different files can be encrypted with different passwords in the same run

Using encrypted files

Ansible Vault can encrypt entire files, so a group variable file that holds the password can be stored encrypted as a whole.

You will encrypt the linux.yml and windows.yml group variable files.

  1. Encrypt the linux.yml variable file; when prompted, enter (and confirm) the vault password. Use the following command:
ansible-vault encrypt group_vars/linux.yml
  2. View the contents of the linux.yml file. Instead of the YAML you see a header line such as $ANSIBLE_VAULT;1.1;AES256 followed by hex-encoded ciphertext.
cat group_vars/linux.yml
  3. Edit linux.yml with Ansible Vault. It decrypts the file into a temporary copy, opens it in your editor and re-encrypts it when you exit.
ansible-vault edit group_vars/linux.yml
  4. Ensure the variables are correct and exit the editor (:q in vi if you changed nothing, :wq to save changes).

vi editor
ansible-vault edit opens the file in the editor named by the EDITOR environment variable, falling back to vi. If you would rather not use vi, set EDITOR (for example, export EDITOR=nano) before running it, or decrypt the file temporarily with ansible-vault decrypt, edit it, and run ansible-vault encrypt again before committing: while it is decrypted, the secret sits in plaintext in the working tree.

  5. Encrypt the windows.yml variable file; when prompted, enter the vault password. Use the same password as before, because a single --ask-vault-pass prompt supplies one password for every encrypted file in the run.
ansible-vault encrypt group_vars/windows.yml
  6. View the decrypted contents without writing them to disk; when prompted, enter the vault password.
ansible-vault view group_vars/windows.yml
  7. Verify that the variables are still loading. When prompted, enter the vault password, then scroll through the output until you see the variables assigned to each host.
ansible-inventory -i hosts --list --ask-vault-pass
  8. Review the hosts file and the host_vars files with the cat command, and ensure that the file names and the IP addresses in the files match.

  9. Update the passwords in the group_vars files.

  10. Review the group_vars/windows_encrypted.yml and group_vars/linux_encrypted.yml files.

We have provided these demo encrypted files for your review. After encryption, group_vars/{windows|linux}.yml will look something like group_vars/{windows|linux}_encrypted.yml, respectively. The hosts file used in this lesson:

[linux] 
vm-linuxweb001.eastus.cloudapp.azure.com 
ec2-54-88-16-230.compute-1.amazonaws.com

[windows] 
vm-winweb001.eastus.cloudapp.azure.com 
ec2-54-173-157-198.compute-1.amazonaws.com
  11. Run the ping playbooks.

Use the following commands to execute the playbooks, entering the vault password at each prompt:

ansible-playbook ping_novars.yml -i hosts --ask-vault-pass
ansible-playbook win_ping_novars.yml -i hosts --ask-vault-pass

The full sequence of commands for this lesson, in order:

# Encrypt linux.yml
ansible-vault encrypt group_vars/linux.yml
# View encrypted contents
cat group_vars/linux.yml
# Edit linux.yml with Ansible vault
ansible-vault edit group_vars/linux.yml
# Encrypt windows.yml
ansible-vault encrypt group_vars/windows.yml
# View encrypted contents
ansible-vault view group_vars/windows.yml
# Verify the variables are loading
ansible-inventory -i hosts --list --ask-vault-pass
# execute the ping_novars.yml playbook
ansible-playbook ping_novars.yml -i hosts --ask-vault-pass
# execute the win_ping_novars.yml playbook
ansible-playbook win_ping_novars.yml -i hosts --ask-vault-pass
# Decrypt files
# Linux
ansible-vault decrypt group_vars/linux.yml
# Windows
ansible-vault decrypt group_vars/windows.yml
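The sequence above ends with ansible-vault decrypt, which leaves group_vars/linux.yml and group_vars/windows.yml in plaintext on disk until you run ansible-vault encrypt again; a forgotten re-encryption is exactly how a password ends up in Git. The following script is an added example and not part of the course material or of Ansible: it checks that every file passed to it carries the Ansible Vault header ($ANSIBLE_VAULT;1.1;AES256, or the 1.2 form with a vault id label) and exits non-zero otherwise, so it can run as a git pre-commit hook over group_vars/*.yml. The function names, the --check flag and the sample files it is tested with are this example's own assumptions. It inspects only the header, so it catches a file that was never re-encrypted, not a weak vault password.

```shell
#!/usr/bin/env bash
# Added example (not part of the course): refuse to commit a group_vars file
# that was decrypted with `ansible-vault decrypt` and never re-encrypted.
#
# An Ansible Vault encrypted file starts with a header line such as
#   $ANSIBLE_VAULT;1.1;AES256          (no vault id label)
#   $ANSIBLE_VAULT;1.2;AES256;dev      (format 1.2, vault id "dev")
# followed by hex-encoded ciphertext. A plaintext YAML file has no such line.
set -u

# is_vault_encrypted FILE: return 0 if FILE carries a Vault header, 1 otherwise.
is_vault_encrypted() {
  file="$1"
  [ -f "$file" ] || return 1
  head -n 1 "$file" | grep -Eq '^\$ANSIBLE_VAULT;1\.[0-9]+;AES256(;[^;]+)?$'
}

# check_vault_files FILE...: report each file; return 1 if any is plaintext.
# (Function and flag names are this example's own, not Ansible's.)
check_vault_files() {
  rc=0
  for f in "$@"; do
    if is_vault_encrypted "$f"; then
      echo "encrypted: $f"
    else
      echo "PLAINTEXT (run ansible-vault encrypt before committing): $f" >&2
      rc=1
    fi
  done
  return "$rc"
}

# Assumed pre-commit hook usage: vault_check.sh --check group_vars/*.yml
if [ "${1:-}" = "--check" ]; then
  shift
  check_vault_files "$@"
fi
```

Wire it up by calling it from .git/hooks/pre-commit (or a hooks framework) with the list of files that must always be encrypted; the commit is refused while any of them is plaintext, which turns the manual "remember to re-encrypt" step into a check that cannot be skipped.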

Encrypting the entire file with Ansible Vault works well. You can now commit the code to source control knowing that the password is encrypted; the one thing you must keep out of the repository is the vault password itself (and any --vault-password-file that holds it), because whoever has it can decrypt every vaulted file in the history. The downside is that the whole file is opaque, so you can't view or diff its contents without using the following options of the ansible-vault command:

  • decrypt
  • view
  • edit

In this lesson, we introduced Ansible Vault to secure your secrets using the encrypted files method. We looked into the following options that the ansible-vault command provides:

  • encrypt
  • edit
  • view
  • decrypt
