Ctrlk

Vault

Ansible Vault

File Encryption Commands

ansible-vault create filename
ansible-vault view filename
ansible-vault edit filename
ansible-vault encrypt filename: encrypt existing file
- --output=new_filename: save encrypted file as new file
- --vault-id vars@prompt: set vars on file and prompt for password to use for encryption
ansible-vault decrypt filename
ansible-vault rekey filename: change password of an encrypted file

Using Ansible Vault

ansible-playbook --vault-id @prompt filename
- @prompt option will prompt user for Ansible vault password
ansible-playbook --vaultid vars@prompt --vault-id playbook@prompt site.yml: different files encrypted with different password

Using Ansible in Bash Shell

Put these code in ~/.bashrc or save as vault.run in same directory and use source vault.run to run it before calling vault.load

Save secret in vault.data in required directory and encrypt with ansible-vault encrypt vault.data

Usage:
- change to folder containing vault.data
- source ~/.bashrc to load functions into environment
  - or source vault.run if saving vault.run in the same folder as vault.data
- vault.load: load secret from vault, it will ask password

Reference

https://www.redhat.com/sysadmin/ansible-vault-bash-encrypt

PreviousTemplates and Filters NextRoles

Last updated 1 year ago

export EDITOR=vi

BASH_VAULT=$(pwd)/vault.data

function vault.load(){
  echo "Loading vault..."
  if [ -z "$1" ]; then
    VAULT_FILE=${BASH_VAULT}
  else
    VAULT_FILE=$1
  fi
  source <(ansible-vault view ${VAULT_FILE})
}

function vault.edit(){
  if [ -z "$1" ]; then
    VAULT_FILE=${BASH_VAULT}
  else
    VAULT_FILE=$1
  fi
  ansible-vault edit ${VAULT_FILE}
}