Ansible Vault

    To enable this feature, a command line tool - - is used to edit files, and a command line flag ( or ) is used. Alternately, you may specify the location of a password file or command Ansible to always prompt for the password in your ansible.cfg file. These options require no command line flag usage.

    For best practices advice, refer to Variables and Vaults.

    Ansible Vault can encrypt any structured data file used by Ansible. This can include “group_vars/” or “host_vars/” inventory variables, variables loaded by “include_vars” or “vars_files”, or variable files passed on the ansible-playbook command line with -e @file.yml or -e @file.json. Role variables and defaults are also included.

    Ansible tasks, handlers, and so on are also data so these can be encrypted with vault as well. To hide the names of variables that you’re using, you can encrypt the task files in their entirety.

    Ansible Vault can also encrypt arbitrary files, even binary files. If a vault-encrypted file isgiven as the src argument to the , template,, script or modules, the file will be placed at the destination on the target host decrypted(assuming a valid vault password is supplied when running the play).

    As of version 2.3, Ansible supports encrypting single values inside a YAML file, using the !vault tag to let YAML and Ansible know it uses special processing. This feature is covered in more details below.

    Creating Encrypted Files

    To create a new encrypted data file, run the following command:

    First you will be prompted for a password. The password used with vault currently must be the same for all files you wish to use together at the same time.

    After providing a password, the tool will launch whatever editor you have defined with $EDITOR, and defaults to vi (before 2.1 the default was vim). Once you are done with the editor session, the file will be saved as encrypted data.

    The default cipher is AES (which is shared-secret based).

    Editing Encrypted Files

    To edit an encrypted file in place, use the ansible-vault edit command.This command will decrypt the file to a temporary file and allow you to editthe file, saving it back when done and removing the temporary file:

    1. ansible-vault edit foo.yml

    Rekeying Encrypted Files

    Should you wish to change your password on a vault-encrypted file or files, you can do so with the rekey command:

    1. ansible-vault rekey foo.yml bar.yml baz.yml

    This command can rekey multiple data files at once and will ask for the originalpassword and also the new password.

    If you have existing files that you wish to encrypt, usethe command. This command can operate on multiple files at once:

    1. ansible-vault encrypt foo.yml bar.yml baz.yml

    Decrypting Encrypted Files

    If you have existing files that you no longer want to keep encrypted, you can permanently decryptthem by running the ansible-vault decrypt command. This command will save them unencryptedto the disk, so be sure you do not want instead:

    1. ansible-vault decrypt foo.yml bar.yml baz.yml

    Viewing Encrypted Files

    If you want to view the contents of an encrypted file without editing it, you can use the ansible-vault view command:

    1. ansible-vault view foo.yml bar.yml baz.yml

    Use encrypt_string to create encrypted variables to embed in yaml

    The command will encrypt and format a provided string into a formatthat can be included in ansible-playbook YAML files.

    To encrypt a string provided as a cli arg:

    1. ansible-vault encrypt_string --vault-id a_password_file 'foobar' --name 'the_secret'

    Result:

    1. the_secret: !vault |
    2.       $ANSIBLE_VAULT;1.1;AES256
    3.       62313365396662343061393464336163383764373764613633653634306231386433626436623361
    4.       6134333665353966363534333632666535333761666131620a663537646436643839616531643561
    5.       63396265333966386166373632626539326166353965363262633030333630313338646335303630
    6.       3438626666666137650a353638643435666633633964366338633066623234616432373231333331

    To use a vault-id label for ‘dev’ vault-id:

    Result:

    1. the_dev_secret: !vault |
    2.           $ANSIBLE_VAULT;1.2;AES256;dev
    3.           30613233633461343837653833666333643061636561303338373661313838333565653635353162
    4.           3263363434623733343538653462613064333634333464660a663633623939393439316636633863
    5.           61636237636537333938306331383339353265363239643939666639386530626330633337633833
    6.           6664656334373166630a363736393262666465663432613932613036303963343263623137386239
    7.           6330

    To encrypt a string read from stdin and name it ‘db_password’:

    1. echo -n 'letmein' | ansible-vault encrypt_string --vault-id  --stdin-name 'db_password'
    1. Reading plaintext input from stdin. (ctrl-d to end input)
    2. db_password: !vault |
    3.           $ANSIBLE_VAULT;1.2;AES256;dev
    4.           61323931353866666336306139373937316366366138656131323863373866376666353364373761
    5.           3539633234313836346435323766306164626134376564330a373530313635343535343133316133
    6.           36643666306434616266376434363239346433643238336464643566386135356334303736353136
    7.           6565633133366366360a326566323363363936613664616364623437336130623133343530333739
    8.           3039

    To be prompted for a string to encrypt, encrypt it, and give it the name ‘new_user_password’:

    1. ansible-vault encrypt_string --vault-id [email protected]/password --stdin-name 'new_user_password'

    Output:

    1. Reading plaintext input from stdin. (ctrl-d to end input)

    User enters ‘hunter2’ and hits ctrl-d.

    Result:

    1. new_user_password: !vault |
    2.           $ANSIBLE_VAULT;1.2;AES256;dev
    3.           37636561366636643464376336303466613062633537323632306566653533383833366462366662
    4.           6565353063303065303831323539656138653863353230620a653638643639333133306331336365
    5.           62373737623337616130386137373461306535383538373162316263386165376131623631323434
    6.           3866363862363335620a376466656164383032633338306162326639643635663936623939666238
    7.           3161

    See also

    Available since Ansible 2.4

    A vault id is an identifier for one or more vault secrets. Since Ansible 2.4,Ansible supports multiple vault passwords. Vault ids is a way to providea label for a particular vault password.

    Vault encrypted content can specify which vault id it was encrypted with.

    Prior to Ansible 2.4, only one vault password could be used at a time. PostAnsible 2.4, multiple vault passwords can be used each time Ansible runs, so anyvault files or vars that needed to be decrypted all had to use the same password.

    Since Ansible 2.4, vault files or vars that are encrypted with differentpasswords can be used at the same time.

    For example, a playbook can now include a vars file encrypted with a ‘dev’ vaultid and a ‘prod’ vault id.

    Providing Vault Passwords

    Since Ansible 2.4, the recommended way to provide a vault password from the cli isto use the —vault-id cli option.

    For example, to use a password store in the text file /path/to/my/vault-password-file:

    1. ansible-playbook --vault-id /path/to/my/vault-password-file site.yml

    To prompt for a password:

    To get the password from a vault password executable script my-vault-password.py:

      The value for can specify the type of vault id (prompt, a file path, etc)and a label for the vault id (‘dev’, ‘prod’, ‘cloud’, etc)

      For example, to use a password file dev-password for the vault-id ‘dev’:

      1. ansible-playbook --vault-id [email protected] site.yml

      To prompt for the ‘dev’ vault id:

      1. ansible-playbook --vault-id  site.yml

      Prior to Ansible 2.4

      To be prompted for a vault password, use the —ask-vault-pass cli option:

      1. ansible-playbook --ask-vault-pass site.yml

      To specify a vault password in a text file ‘dev-password’, use the option:

      1. ansible-playbook --vault-password-file dev-password site.yml

      There is a config option (DEFAULT_VAULT_PASSWORD_FILE) to specify a vault password file to usewithout requiring the cli option.

      If multiple vault passwords are provided, by default Ansible will attempt to decrypt vault contentby trying each vault secret in the order they were provided on the command line.

      For example, to use a ‘dev’ password read from a file and to be prompted for the ‘prod’ password:

      1. ansible-playbook --vault-id [email protected] --vault-id  site.yml

      In the above case, the ‘dev’ password will be tried first, then the ‘prod’ password for caseswhere Ansible doesn’t know which vault id is used to encrypt something.

      If the vault content was encrypted using a —vault-id option, then the label of thevault id is stored with the vault content. When Ansible knows the right vault-id, it will trythe matching vault id’s secret first before trying the rest of the vault-ids.

      There is a config option ( ) to force the vault content’s vault id label to match with one ofthe provided vault ids. But the default is to try the matching id first, then try the othervault ids in order.

      There is also a config option (DEFAULT_VAULT_IDENTITY_LIST) to specify a default list of vault ids touse. For example, instead of requiring the cli option on every use, the () config option can be used:

      1. ansible-playbook --vault-id [email protected] --vault-id  site.yml

      The —vault-id can be used in lieu of the or —ask-vault-pass options,or it can be used in combination with them.

      When using commands that encrypt content (ansible-vault encrypt, , etc)only one vault-id can be used.

      Note

      Prior to Ansible 2.4, only one vault password could be used in each Ansible run. The—vault-id option is not support prior to Ansible 2.4.

      Speeding Up Vault Operations

      By default, Ansible uses PyCrypto to encrypt and decrypt vault files. If you have many encrypted files, decrypting them at startup may cause a perceptible delay. To speed this up, install the cryptography package:

      Vault Format

      A vault encrypted file is a UTF-8 encoded txt file.

      The file format includes a newline terminated header.

      For example:

      1. $ANSIBLE_VAULT;1.1;AES256

      The header contains the vault format id, the vault format version, and a cipher id, separated by semi-colons ‘;’

      The first field $ANSIBLE_VAULT is the format id. Currently $ANSIBLE_VAULT is the only valid file format id. This is used to identify files that are vault encrypted (via vault.is_encrypted_file()).

      The second field (1.1) is the vault format version. All supported versions of ansible will currently default to ‘1.1’.

      The ‘1.0’ format is supported for reading only (and will be converted automatically to the ‘1.1’ format on write). The format version is currently used as an exact string compare only (version numbers are not currently ‘compared’).

      The third field (AES256) identifies the cipher algorithm used to encrypt the data. Currently, the only supported cipher is ‘AES256’. [vault format 1.0 used ‘AES’, but current code always uses ‘AES256’]

      Note: In the future, the header could change. Anything after the vault id and version can be considered to depend on the vault format version. This includes the cipher id, and any additional fields that could be after that.

      The rest of the content of the file is the ‘vaulttext’. The vaulttext is a text armored version of theencrypted ciphertext. Each line will be 80 characters wide, except for the last line which may be shorter.

      The vaulttext is a concatenation of the ciphertext and a SHA256 digest with the result ‘hexlifyied’.

      hexlify()’ed result of:

      • hexlify()’ed string of the salt, followed by a newline (0x0a)
      • hexlify()’ed string of the crypted HMAC, followed by a newline. The HMAC is:
        • a style HMAC
          • inputs are:
            • The AES256 encrypted ciphertext
            • A PBKDF2 key. This key, the cipher key, and the cipher IV are generated from:
              • the salt, in bytes
              • 10000 iterations
              • SHA256() algorithm
              • the first 32 bytes are the cipher key
              • the second 32 bytes are the HMAC key
              • remaining 16 bytes are the cipher IV
      • hexlify()’ed string of the ciphertext. The ciphertext is: