This repository has been archived by the owner on Mar 25, 2021. It is now read-only.

Encrypting sensitive data

Mauro González edited this page Jan 16, 2018 · 2 revisions

You can encrypt sensitive data stored in your playbook variables using Ansible Vault.

This can be done with a password or with a text file that contains your password. In these examples we use a password file:

  • Password file:
# filename: vault_file
mysupersecretpassword
  • Variables file:
# filename: my_vars.yml
my_var: sensitive!!!
my_var_2: something in the wind

To encrypt a YAML file:

Encrypt:

$ ansible-vault encrypt --vault-password-file vault_file my_vars.yml

The result will be something like:

# filename: my_vars.yml
$ANSIBLE_VAULT;1.1;AES256
66386439653236336462626566653063336164663966303231363934653561363964363833313662
6431626536303530376336343832656537303632313433360a626438346336353331386135323734
62656361653630373231613662633962316233633936396165386439616533353965373339616234
3430613539666330390a313736323265656432366236633330313963326365653937323833366536
34623731376664623134383463316265643436343438623266623965636363326136

To encrypt a string:

Encrypt:

$ ansible-vault encrypt_string --vault-id dev@vault_file 'sensitive!!!' --name 'my_var'

The output is something like:

my_var: !vault |
      $ANSIBLE_VAULT;1.2;AES256;dev
      30613233633461343837653833666333643061636561303338373661313838333565653635353162
      3263363434623733343538653462613064333634333464660a663633623939393439316636633863
      61636237636537333938306331383339353265363239643939666639386530626330633337633833
      6664656334373166630a363736393262666465663432613932613036303963343263623137386239
      6330

Then you can add this value to your file:

# filename: my_vars.yml
my_var: !vault |
      $ANSIBLE_VAULT;1.2;AES256;dev
      30613233633461343837653833666333643061636561303338373661313838333565653635353162
      3263363434623733343538653462613064333634333464660a663633623939393439316636633863
      61636237636537333938306331383339353265363239643939666639386530626330633337633833
      6664656334373166630a363736393262666465663432613932613036303963343263623137386239
      6330
my_var_2: something in the wind
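
As an added example (not part of the original wiki page and not Ansible's own code), the Python sketch below parses the two envelope headers shown above, `$ANSIBLE_VAULT;1.1;AES256` and `$ANSIBLE_VAULT;1.2;AES256;dev`, and splits the hex body into salt, HMAC and ciphertext without decrypting anything, which lets you check that a committed value really is vault-encrypted and which vault ID label it carries. `VaultEnvelope`, `parse_vault`, `make_sample` and the sample bytes are names and values constructed for this illustration.

```python
import binascii
from typing import NamedTuple, Optional

class VaultEnvelope(NamedTuple):
    version: str
    cipher: str
    vault_id: Optional[str]  # label; only present in a 1.2 header
    salt: bytes
    hmac: bytes
    ciphertext: bytes

def parse_vault(text: str) -> VaultEnvelope:
    """Parse an ansible-vault envelope (hypothetical helper); does not decrypt."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    fields = lines[0].split(";") if lines else []
    if len(fields) not in (3, 4) or fields[0] != "$ANSIBLE_VAULT":
        raise ValueError("not an ansible-vault envelope")
    version, cipher = fields[1], fields[2]
    if version not in ("1.1", "1.2") or cipher != "AES256":
        raise ValueError(f"unsupported header: {lines[0]}")
    vault_id = fields[3] if len(fields) == 4 else None
    try:
        # The outer hex decodes to three newline-separated hex strings.
        inner = binascii.unhexlify("".join(lines[1:]))
        salt, mac, ct = (binascii.unhexlify(p) for p in inner.split(b"\n"))
    except ValueError as exc:  # bad hex or wrong number of parts
        raise ValueError("malformed vault payload") from exc
    if len(mac) != 32 or not ct:  # an HMAC-SHA256 tag is 32 bytes
        raise ValueError("unexpected HMAC or ciphertext length")
    return VaultEnvelope(version, cipher, vault_id, salt, mac, ct)

# Constructed sample bytes (not real key material or real ciphertext).
SALT, MAC, CT = bytes(range(32)), b"\x11" * 32, b"\x22" * 48

def make_sample(label: Optional[str] = None) -> str:
    """Build a constructed envelope shaped like the outputs shown above."""
    inner = b"\n".join(binascii.hexlify(p) for p in (SALT, MAC, CT))
    body = binascii.hexlify(inner).decode()
    header = f"$ANSIBLE_VAULT;1.2;AES256;{label}" if label else "$ANSIBLE_VAULT;1.1;AES256"
    wrapped = "\n".join(body[i:i + 80] for i in range(0, len(body), 80))
    return f"{header}\n{wrapped}\n"

if __name__ == "__main__":
    for sample in (make_sample(), make_sample("dev")):
        env = parse_vault(sample)
        print(env.version, env.vault_id, len(env.salt), len(env.hmac), len(env.ciphertext))
```

A plaintext line such as `my_var: sensitive!!!` makes `parse_vault` raise `ValueError`, so the same function can flag variables that were committed unencrypted.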

Playbook with encrypted data

Run a playbook that uses encrypted files:

$ ansible-playbook -i SOME_INVENTORY --vault-password-file vault_file PLAYBOOK.yml