Secure Secrets with Ansible Vault: Use Encrypted Strings

Secure secrets by encrypting strings using Ansible Vault.

Not every variable is sensitive, and the non-sensitive ones are often the most useful when troubleshooting. Encrypting an entire variables file hides those too, which makes problems harder to track down.

Perhaps we only want to encrypt the sensitive variables and not the whole file. Ansible Vault can do that, too.

You will decrypt the group variable files and then protect only the ansible_password variable in them with an encrypted string.

  1. Generate an encrypted string for the ansible_password variable. When prompted, enter the vault password.

    • Replace <Password> with the ansible user password.

    • Copy the ansible_password encrypted string from the output to the clipboard.

    echo -n '<Password>' | ansible-vault encrypt_string --stdin-name 'ansible_password'

    The output is the variable in the form it is written into a YAML file. The hex lines differ on every run because a fresh random salt is used, so re-encrypting the same password never yields the same string:

    ansible_password: !vault |
              $ANSIBLE_VAULT;1.1;AES256
              36356230663365626165396563623334333164313162306430373862333838636638333735393632
              6633626333363163623035343538363632373261636663610a663335633333346238333264383465
              33643334383266333235333366386539383737643136323736636333633834663037363666303962
              3138323239636561340a346439623364626662303833366532336533613864316266643564656430
              32393764653437323534646336666235373162643731303862353564386534326234
    Encryption successful
  2. Open group_vars/linux.yml and group_vars/windows.yml. Replace the plaintext ansible_password value with the encrypted string, keeping the hex lines indented under !vault | exactly as ansible-vault printed them (the file is YAML, and a block literal without that indentation does not parse). linux.yml then looks like this:

    ---
    ansible_user: ansible
    ansible_password: !vault |
              $ANSIBLE_VAULT;1.1;AES256
              36356230663365626165396563623334333164313162306430373862333838636638333735393632
              6633626333363163623035343538363632373261636663610a663335633333346238333264383465
              33643334383266333235333366386539383737643136323736636333633834663037363666303962
              3138323239636561340a346439623364626662303833366532336533613864316266643564656430
              32393764653437323534646336666235373162643731303862353564386534326234
    ansible_ssh_common_args: '-o StrictHostKeyChecking=no'
  3. Verify that the variables still load.

    ansible-inventory -i hosts --list --ask-vault-pass

Decryption
ansible-inventory does not decrypt encrypted strings. Each vaulted variable appears in the listing as an object with a single __ansible_vault key holding the ciphertext, which confirms that the variable is loaded without exposing the secret:

    "hostvars": {
        "ec2-50-17-205-144.compute-1.amazonaws.com": {
            "ansible_connection": "winrm",
            "ansible_password": {
                "__ansible_vault": "$ANSIBLE_VAULT;1.1;AES256\n36356230663365626165396563623334333164313162306430373862333838636638333735393632\n6633626333363163623035343538363632373261636663610a663335633333346238333264383465\n33643334383266333235333366386539383737643136323736636333633834663037363666303962\n3138323239636561340a346439623364626662303833366532336533613864316266643564656430\n32393764653437323534646336666235373162643731303862353564386534326234"
            },
            "ansible_user": "ansible",
            "ansible_winrm_server_cert_validation": "ignore"
        },
  4. Use the debug module to print the decrypted variable. When prompted, enter the vault password.

    ansible all -i hosts -m debug -a "var=ansible_password" --ask-vault-pass
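
The four steps above treat the encrypted string as opaque. The Python below is an added example, not code from this lesson or from Ansible itself: it parses the Vault 1.1 payload that encrypt_string produces, shows what ansible-inventory leaves under __ansible_vault, checks a candidate vault password by recomputing the HMAC (the check ansible-vault performs before any AES decryption, and one that needs only the standard library), renders the value with the indentation the YAML file needs, and splices it into a group_vars file. The layout it relies on is Ansible's documented Vault 1.1 format: the body is the hex encoding of hex(salt), hex(HMAC) and hex(ciphertext) joined by newlines; the AES-256 key, HMAC-SHA256 key and AES-CTR IV come from PBKDF2-HMAC-SHA256 over the vault password with 10,000 iterations; the HMAC covers the ciphertext. The sample vault string is the one printed in this lesson, whose password is not known here, so the password check is shown failing on a wrong guess; the inventory JSON and the group_vars text are constructed stand-ins, and the function names are this example's own. AES decryption is left out so the code runs without third-party packages.

```python
import hashlib
import hmac
import json

# Vault 1.1 payload parameters (Ansible's documented format): PBKDF2-HMAC-SHA256
# over the vault password and a random 32-byte salt, 10000 iterations, yielding
# 80 bytes = AES-256 key | HMAC-SHA256 key | 16-byte AES-CTR IV.
VAULT_HEADER = "$ANSIBLE_VAULT;1.1;AES256"
PBKDF2_ITERATIONS = 10000
KEY_LEN, IV_LEN = 32, 16

# The encrypted string printed earlier in this lesson; its vault password is
# not known here, so only a wrong guess can be demonstrated against it.
SAMPLE_VAULTTEXT = """ansible_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          36356230663365626165396563623334333164313162306430373862333838636638333735393632
          6633626333363163623035343538363632373261636663610a663335633333346238333264383465
          33643334383266333235333366386539383737643136323736636333633834663037363666303962
          3138323239636561340a346439623364626662303833366532336533613864316266643564656430
          32393764653437323534646336666235373162643731303862353564386534326234
"""

# A constructed group_vars file in the shape of linux.yml before the change.
SAMPLE_GROUP_VARS = """---
ansible_user: ansible
ansible_password: '<Password>'
ansible_ssh_common_args: '-o StrictHostKeyChecking=no'
"""


def vault_lines(vaulttext):
    """Header and hex lines, from YAML, raw encrypt_string output, or the
    newline-joined __ansible_vault value that ansible-inventory prints."""
    lines = [ln.strip() for ln in vaulttext.splitlines() if ln.strip()]
    if VAULT_HEADER not in lines:
        raise ValueError("no %s header found" % VAULT_HEADER)
    return lines[lines.index(VAULT_HEADER):]


def parse_vaulttext(vaulttext):
    """(salt, hmac_tag, ciphertext): the body is hex of hex(salt)\\nhex(hmac)\\nhex(ct)."""
    inner = bytes.fromhex("".join(vault_lines(vaulttext)[1:]))   # strip the outer hex layer
    salt_hex, mac_hex, ct_hex = inner.split(b"\n")                # three newline-separated hex fields
    return (bytes.fromhex(salt_hex.decode()), bytes.fromhex(mac_hex.decode()),
            bytes.fromhex(ct_hex.decode()))


def derive_keys(password, salt):
    """Vault 1.1 key schedule -> (aes_key, hmac_key, iv)."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             PBKDF2_ITERATIONS, dklen=2 * KEY_LEN + IV_LEN)
    return dk[:KEY_LEN], dk[KEY_LEN:2 * KEY_LEN], dk[2 * KEY_LEN:]


def check_password(vaulttext, password):
    """True if password is the vault password. This is the HMAC check ansible-vault
    performs over the ciphertext before any AES decryption; a wrong password fails here."""
    salt, expected_mac, ciphertext = parse_vaulttext(vaulttext)
    _aes_key, mac_key, _iv = derive_keys(password, salt)
    actual_mac = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    return hmac.compare_digest(actual_mac, expected_mac)


def inventory_listing(host, vaulttext):
    """Constructed stand-in for `ansible-inventory --list` output: the vaulted
    variable is emitted as {"__ansible_vault": "<header>\\n<hex>..."}, not decrypted."""
    vaulted = {"__ansible_vault": "\n".join(vault_lines(vaulttext))}
    hostvars = {host: {"ansible_user": "ansible", "ansible_password": vaulted}}
    return json.dumps({"_meta": {"hostvars": hostvars}}, indent=4)


def vaulted_vars_from_inventory(inventory_json):
    """host -> sorted names of the variables the listing left encrypted."""
    hostvars = json.loads(inventory_json)["_meta"]["hostvars"]
    return {host: sorted(n for n, v in variables.items()
                         if isinstance(v, dict) and "__ansible_vault" in v)
            for host, variables in hostvars.items()}


def to_yaml_vault_block(var_name, vaulttext, indent=10):
    """YAML entry for the value: the hex lines must sit indented under '!vault |'
    (a block literal); ansible-vault's own output uses ten spaces."""
    pad = " " * indent
    return "%s: !vault |\n%s" % (var_name, "\n".join(pad + ln for ln in vault_lines(vaulttext)))


def replace_top_level_var(yaml_text, var_name, new_entry):
    """Swap the top-level var_name entry (plain scalar or an older !vault block)
    in a group_vars file for new_entry, leaving every other key untouched."""
    out, skipping, found = [], False, False
    for line in yaml_text.splitlines():
        if line.startswith(var_name + ":"):
            out.append(new_entry)
            skipping, found = True, True   # drop the old value's continuation lines
            continue
        if skipping and line[:1] in (" ", "\t"):
            continue                        # indented lines belong to the old block
        skipping = False
        out.append(line)
    if not found:
        out.append(new_entry)
    return "\n".join(out) + "\n"
```

check_password is what a CI job can run to fail fast on a wrong vault password before Ansible ever starts, and vaulted_vars_from_inventory is a cheap audit that no password slipped into a group_vars file in plaintext. The random salt in parse_vaulttext's first field is also why re-running encrypt_string on an unchanged secret produces a different string each time: commit a re-encrypted value only when the secret itself changed, or every diff will look like a password rotation.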

Shell History
Piping the password through echo, as above, leaves the password in the shell's history (and in the history file the shell writes on exit). Use that form only in a throwaway test environment.

Run encrypt_string without a pipeline instead, and type the password at the prompt:

    ansible-vault encrypt_string --stdin-name 'ansible_password'

ansible-vault reads the value from standard input and says so; end the input with Ctrl-D, pressed twice because the value does not end with a newline.

Caution
Do not press Enter after typing the value to encrypt. The newline becomes part of the encrypted value, so the decrypted password would be the real password followed by a newline and would not match the account's password.

  1. Review the hosts file and the files in host_vars with cat, and confirm that the file names and the IP addresses in the files match.

  2. Update the passwords in the group_vars files.

  3. Review the group_vars/windows_encrypted.yml and group_vars/linux_encrypted.yml files.

We have provided these demo encrypted files for your review. After the update, group_vars/windows.yml and group_vars/linux.yml will look similar to group_vars/windows_encrypted.yml and group_vars/linux_encrypted.yml, respectively.

  4. Run the commands summarized below in the terminal.

    # Encrypt ansible password
    echo -n '<Password>' | ansible-vault encrypt_string --stdin-name 'ansible_password'
    # OR
    ansible-vault encrypt_string --stdin-name 'ansible_password'
    ## Replace the ansible password in linux.yml and windows.yml files.
    # Verify variables
    ansible-inventory -i hosts --list --ask-vault-pass
    # Decrypt ansible_password
    ansible all -i hosts -m debug -a "var=ansible_password" --ask-vault-pass

The inventory (hosts) file these commands read:

    [linux]
    vm-linuxweb001.eastus.cloudapp.azure.com
    ec2-54-88-16-230.compute-1.amazonaws.com

    [windows]
    vm-winweb001.eastus.cloudapp.azure.com
    ec2-54-173-157-198.compute-1.amazonaws.com

In this lesson, we introduced how to encrypt only the secret variables instead of the entire file. We used the following:

  • the encrypt_string subcommand of ansible-vault, to produce the encrypted value
  • the debug module, to confirm that Ansible decrypts the value at run time
