This repository has been archived by the owner on Mar 25, 2021. It is now read-only.
Encrypting sensitive data
Mauro González edited this page Jan 16, 2018 · 2 revisions
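You can encrypt sensitive data saved in your playbook variables using Ansible Vault.
This can be done using a password or a text file containing your password. For these examples we are going to use a password file. Keep that file out of version control and readable only by your own user, since anyone who has it can decrypt the variables: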
- Password file:
# filename: vault_file
mysupersecretpassword
- Variables file:
# filename: my_vars.yml
my_var: sensitive!!!
my_var_2: something in the wind
Encrypt the whole file:
$ ansible-vault encrypt --vault-password-file vault_file my_vars.yml
The result will be something like:
# filename: my_vars.yml
$ANSIBLE_VAULT;1.1;AES256
66386439653236336462626566653063336164663966303231363934653561363964363833313662
6431626536303530376336343832656537303632313433360a626438346336353331386135323734
62656361653630373231613662633962316233633936396165386439616533353965373339616234
3430613539666330390a313736323265656432366236633330313963326365653937323833366536
34623731376664623134383463316265643436343438623266623965636363326136
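Encrypt a single string (the `dev` label before the `@` is the vault ID that appears in the output header):
$ ansible-vault encrypt_string --vault-id dev@vault_file 'sensitive!!!' --name 'my_var'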
The output is something like:
my_var: !vault |
          $ANSIBLE_VAULT;1.2;AES256;dev
          30613233633461343837653833666333643061636561303338373661313838333565653635353162
          3263363434623733343538653462613064333634333464660a663633623939393439316636633863
          61636237636537333938306331383339353265363239643939666639386530626330633337633833
          6664656334373166630a363736393262666465663432613932613036303963343263623137386239
          6330
Then you can add this value to your file:
# filename: my_vars.yml
my_var: !vault |
          $ANSIBLE_VAULT;1.2;AES256;dev
          30613233633461343837653833666333643061636561303338373661313838333565653635353162
          3263363434623733343538653462613064333634333464660a663633623939393439316636633863
          61636237636537333938306331383339353265363239643939666639386530626330633337633833
          6664656334373166630a363736393262666465663432613932613036303963343263623137386239
          6330
my_var_2: something in the wind
Run an ansible-playbook with encrypted files:
$ ansible-playbook -i SOME_INVENTORY --vault-password-file vault_file PLAYBOOK.yml
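
The two encrypted outputs above share one envelope layout and differ only in the header (1.1 with no label, 1.2 with the `dev` vault ID). The following Python sketch is an added example, not part of the original page or of Ansible's code: it parses that envelope without the password, which is enough for a pre-commit check that a vars file really is encrypted and not truncated. The function names and the sample bytes are constructed for illustration.

```python
import binascii

def parse_vault_envelope(text):
    """Split a vault blob into header fields plus salt, HMAC and ciphertext."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    fields = lines[0].split(";") if lines else []
    if len(fields) not in (3, 4) or fields[0] != "$ANSIBLE_VAULT":
        raise ValueError("no Ansible Vault header; content may be plaintext")
    version, cipher = fields[1], fields[2]
    # Format 1.2 carries the vault-id label as a fourth field; 1.1 has none.
    if (version == "1.2") != (len(fields) == 4):
        raise ValueError("header fields do not match format version " + version)
    # The body is hex wrapped at 80 columns. Decoded, it is three more hex
    # strings separated by newlines: salt, HMAC-SHA256 tag, ciphertext.
    try:
        inner = binascii.unhexlify("".join(lines[1:]))
        salt, mac, ciphertext = (binascii.unhexlify(p) for p in inner.split(b"\n"))
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("malformed vault payload: %s" % exc)
    # AES256 vaults use a 32-byte salt and tag, and pad the plaintext to the
    # 16-byte AES block size, so a truncated blob usually fails here.
    if len(salt) != 32 or len(mac) != 32 or not ciphertext or len(ciphertext) % 16:
        raise ValueError("unexpected salt, HMAC or ciphertext length")
    return {"version": version, "cipher": cipher,
            "vault_id": fields[3] if len(fields) == 4 else None,
            "salt": salt, "hmac": mac, "ciphertext": ciphertext}

def build_sample(header, salt, mac, ciphertext):
    """Constructed blob with the real layout; the bytes are not real encryption."""
    inner = b"\n".join(binascii.hexlify(p) for p in (salt, mac, ciphertext))
    body = binascii.hexlify(inner).decode()
    return "\n".join([header] + [body[i:i + 80] for i in range(0, len(body), 80)])

if __name__ == "__main__":
    sample = build_sample("$ANSIBLE_VAULT;1.2;AES256;dev",
                          b"\x01" * 32, b"\x02" * 32, b"\x03" * 48)
    info = parse_vault_envelope(sample)
    print(info["version"], info["cipher"], info["vault_id"], len(info["ciphertext"]))
```

Passing the structural check does not prove integrity; only `ansible-vault` with the password verifies the HMAC.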