Ansible Vault is a feature within the Ansible automation tool that allows you to encrypt and manage sensitive data such as passwords, API keys, and private configuration details.
Key Concepts and Mechanism
Encryption: Ansible Vault uses AES256 for strong, symmetric encryption. This means the same password/key is used for both encryption and decryption.
Granularity: You can encrypt entire files (such as variable files in group_vars or host_vars) or encrypt individual strings within an otherwise plaintext YAML file.
Decryption: When running a playbook that references an encrypted file, you must supply the correct Vault password via a prompt, a password file, or a Vault ID.
| Command | Purpose | Example |
| --- | --- | --- |
| `create` | Creates a new encrypted file and opens it in your default editor. | `ansible-vault create secrets.yml` |
| `encrypt` | Encrypts an existing plaintext file. | `ansible-vault encrypt vars.yml` |
| `decrypt` | Decrypts an encrypted file, turning it back into plaintext on disk. | `ansible-vault decrypt secrets.yml` |
| `edit` | Safely edits an encrypted file. It decrypts in memory, opens it in your editor, and automatically re-encrypts on save. | `ansible-vault edit secrets.yml` |
| `view` | Views the contents of an encrypted file in plaintext (read-only) without decrypting it on disk. | `ansible-vault view secrets.yml` |
| `rekey` | Changes the encryption password for an existing encrypted file. | `ansible-vault rekey secrets.yml` |
| `encrypt_string` | Encrypts a single string for use directly inside a regular playbook or YAML file. | `ansible-vault encrypt_string 'my-secret-value' --name 'my_db_pass'` |
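The usual failure mode with whole-file encryption is not the cipher but a `decrypt` (or a freshly written file) that never gets re-encrypted before it is committed. The following POSIX shell check, an added example and not part of the original post, catches that: it treats any `vault.yml` under `group_vars/` or `host_vars/` as a file that must carry the `$ANSIBLE_VAULT;` header every vault-encrypted file begins with. The directory layout, the `vault.yml` naming convention and the sample files are assumptions made for the example.

```shell
#!/bin/sh
# Added example: refuse plaintext where an encrypted vault file is expected.
# Convention assumed for this example: secrets live in files named vault.yml
# under group_vars/ or host_vars/ and must be ansible-vault encrypted.

# is_vault_encrypted FILE -> exit 0 if FILE starts with the vault header, else 1.
# ansible-vault writes "$ANSIBLE_VAULT;<format>;<cipher>" as the first line,
# so checking the first line is enough to tell ciphertext from plaintext.
is_vault_encrypted() {
    [ -f "$1" ] || return 1
    head -n 1 "$1" | grep -q '^\$ANSIBLE_VAULT;'
}

# check_vault_files DIR -> lists every vault.yml under DIR, returns 1 if any
# of them is plaintext (paths are assumed to contain no whitespace).
check_vault_files() {
    status=0
    for f in $(find "$1" \( -path '*/group_vars/*' -o -path '*/host_vars/*' \) \
                   -name 'vault.yml' | sort); do
        if is_vault_encrypted "$f"; then
            echo "ok:        $f"
        else
            echo "PLAINTEXT: $f"
            status=1
        fi
    done
    return $status
}

# Demo on a constructed tree (no real secrets): one header-only stand-in for an
# encrypted file, and one file that was decrypted and left on disk in plaintext.
demo=$(mktemp -d)
mkdir -p "$demo/group_vars/db" "$demo/host_vars/web1"
printf '$ANSIBLE_VAULT;1.1;AES256\n' > "$demo/group_vars/db/vault.yml"
printf 'db_password: example-only\n' > "$demo/host_vars/web1/vault.yml"
check_vault_files "$demo" || echo "refusing commit: plaintext vault file(s) listed above"
rm -rf "$demo"
```

In a real pre-commit hook you would run `check_vault_files` over the repository root (or only over staged paths) and let its non-zero exit abort the commit.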