ansible-vault

    Description

    can encrypt any structured data file used by Ansible.This can include group_vars/ or host_vars/ inventory variables,variables loaded by include_vars or vars_files, or variable filespassed on the ansible-playbook command line with -e @file.yml or -e @file.json.Role variables and defaults are also included!

    Because Ansible tasks, handlers, and other objects are data, these can also be encrypted with vault.If you’d like to not expose what variables you are using, you can keep an individual task file entirely encrypted.

    The password used with vault currently must be the same for all files you wish to use together at the same time.

    Common Options

    • —new-vault-id <NEW_VAULT_ID>
    • the new vault identity to use for rekey
    • —new-vault-password-file
    • new vault password file for rekey
    • —vault-id
    • the vault identity to use
    • —vault-password-file
    • vault password file
    • —version
    • show program’s version number and exit
    • -h, —help
    • show this help message and exit
    • , —verbose
    • verbose mode (-vvv for more, -vvvv to enable connection debugging)

    create and open a file in an editor that will be encryped with the provided vault secret when closed

    • —encrypt-vault-id <ENCRYPT_VAULT_ID>
    • the vault id used to encrypt (required if more than vault-id is provided)

    decrypt

    decrypt the supplied file using the provided vault secret

    • —output

    open and decrypt an existing vaulted file in an editor, that will be encryped again when closed

    • —encrypt-vault-id <ENCRYPT_VAULT_ID>
    • the vault id used to encrypt (required if more than vault-id is provided)

    encrypt

    • —encrypt-vault-id <ENCRYPT_VAULT_ID>
    • the vault id used to encrypt (required if more than vault-id is provided)
    • —output
    • output file name for encrypt or decrypt; use - for stdout

    encrypt the supplied string using the provided vault secret

    • —encrypt-vault-id <ENCRYPT_VAULT_ID>
    • the vault id used to encrypt (required if more than vault-id is provided)
    • output file name for encrypt or decrypt; use - for stdout
    • —stdin-name <ENCRYPT_STRING_STDIN_NAME>
    • Specify the variable name for stdin
    • -n, —name
    • Specify the variable name
    • -p, —prompt
    • Prompt for the string to encrypt

    rekey

    re-encrypt a vaulted file with a new secret, the previous secret is required

    • —encrypt-vault-id <ENCRYPT_VAULT_ID>

    open, decrypt and view an existing vaulted file using a pager using the supplied vault secret

    Environment

    The following environment variables may be specified.

    ANSIBLE_CONFIG – Override the default ansible config file

    Many more are available for most options in ansible.cfg

    Files

    ~/.ansible.cfg – User config file, overrides the default config if present

    Ansible was originally written by Michael DeHaan.

    See the AUTHORS file for a complete list of contributors.

    Copyright

    Copyright © 2017 Red Hat, Inc | Ansible.

    Ansible is released under the terms of the GPLv3 License.

    See also

    ansible(1), ansible-config(1), ansible-console(1), ansible-doc(1), ansible-galaxy(1), ansible-inventory(1), ansible-playbook(1), ansible-pull(1), ansible-vault(1),