ansible-vault (1) - Linux Man Pages
ansible-vault: manage encrypted ansible vars files (YAML).
ansible-vault - manage encrypted ansible vars files (YAML).
ansible-vault can encrypt any structured data file used by Ansible. This can include group_vars/ or host_vars/ inventory variables, variables loaded by include_vars or vars_files, or variable files passed on the ansible-playbook command line with -e @file.yml or -e @file.json. Role variables and defaults are also included!
Because Ansible tasks, handlers, and so on are also data, these can also be encrypted with vault. If you'd like to not betray what variables you are even using, you can go as far to keep an individual task file entirely encrypted.
The following options are available to all sub-commands:
- A file containing the vault password to be used during the encryption/decryption steps. Be sure to keep this file secured if it is used. If the file is executable, it will be run and its standard output will be used as the password.
- A file containing the new vault password to be used when rekeying a file. Be sure to keep this file secured if it is used. If the file is executable, it will be run and its standard output will be used as the password.
- Show a help message related to the given sub-command.
$ ansible-vault create [options] FILE
The create sub-command is used to initialize a new encrypted file.
After providing a password, the tool will launch whatever editor you have defined with $EDITOR, and defaults to vi. Once you are done with the editor session, the file will be saved as encrypted data.
$ ansible-vault edit [options] FILE
The edit sub-command is used to modify a file which was previously encrypted using ansible-vault.
$ ansible-vault rekey [options] FILE_1 [FILE_2, ..., FILE_N]
$ ansible-vault encrypt [options] FILE_1 [FILE_2, ..., FILE_N]
The encrypt sub-command is used to encrypt pre-existing data files. As with the rekey command, you can specify multiple files in one command.
The encrypt command accepts an --output FILENAME option to determine where encrypted output is stored. With this option, input is read from the (at most one) filename given on the command line; if no input file is given, input is read from stdin. Either the input or the output file may be given as - for stdin and stdout respectively. If neither input nor output file is given, the command acts as a filter, reading plaintext from stdin and writing it to stdout.
Thus any of the following invocations can be used:
$ ansible-vault encrypt
$ ansible-vault encrypt --output OUTFILE
$ ansible-vault encrypt INFILE --output OUTFILE
$ echo secret|ansible-vault encrypt --output OUTFILE
$ ansible-vault decrypt [options] FILE_1 [FILE_2, ..., FILE_N]
The decrypt sub-command is used to remove all encryption from data files. The files will be stored as plain-text YAML once again, so be sure that you do not run this command on data files with active passwords or other sensitive data. In most cases, users will want to use the edit sub-command to modify the files securely.
Copyright © 2014, Michael DeHaan
Extensive documentation is available in the documentation site: http://docs.ansible.com. IRC and mailing list info can be found in file CONTRIBUTING.md, available in: https://github.com/ansible/ansible