Ansible: Complete Guide & Tutorial of Ansible Vault

Here is a very detailed and comprehensive tutorial on using Ansible Vault with practical, real-world examples for each subcommand.


Ansible Vault Tutorial

Ansible Vault is a powerful feature that allows you to encrypt sensitive data—such as passwords, keys, and secrets—within your Ansible projects. It’s especially important for keeping secrets out of version control and enabling safe collaboration on automation projects.


Why Use Ansible Vault?

  • Security: Keeps secrets safe in your playbooks, variable files, and inventory.
  • Collaboration: Share code without exposing sensitive information.
  • Flexibility: Encrypt only the files or strings you need.

Vault Passwords

By default, Vault asks you for a password interactively, but you can also use --vault-password-file for automation.


Main Ansible Vault Subcommands and Usage Examples

Below, each subcommand is described with an example.


1. Create – Create a new encrypted file

Command:

ansible-vault create secrets.yml

What it does:
Creates a new file, opens it in your $EDITOR (e.g., vim/nano), and saves it encrypted.

Example Workflow:

ansible-vault create secrets.yml
  • You will be prompted for a new vault password.
  • The editor opens. Enter your secret variables:

    db_user: admin
    db_password: SuperSecret123

  • Save and exit. Now secrets.yml is fully encrypted.

2. Encrypt – Encrypt an existing file

Command:

ansible-vault encrypt group_vars/all.yml

What it does:
Encrypts an existing plaintext file.

Example Workflow:

ansible-vault encrypt group_vars/all.yml
  • You’ll be prompted for a password.
  • The file is encrypted and can no longer be read as plain text.

3. Decrypt – Decrypt an encrypted file

Command:

ansible-vault decrypt secrets.yml

What it does:
Decrypts a file, turning it back into readable plain text.

Example Workflow:

ansible-vault decrypt secrets.yml
  • Enter the vault password.
  • secrets.yml is now plain text and can be read or edited by anyone with access to the file.

4. Edit – Edit an encrypted file (without manual decrypt/re-encrypt)

Command:

ansible-vault edit secrets.yml

What it does:
Decrypts the file in-memory for editing, then automatically re-encrypts it when you save and close the editor.

Example Workflow:

ansible-vault edit secrets.yml
  • Enter your vault password.
  • The file opens in your editor. Make your changes:

    db_password: EvenBetterSecret456

  • Save and exit; the file is re-encrypted.

5. View – View the contents of an encrypted file (read-only)

Command:

ansible-vault view secrets.yml

What it does:
Allows you to read (but not edit) the contents of the encrypted file after entering the vault password.

Example Workflow:

ansible-vault view secrets.yml
  • Enter password.
  • The contents are displayed in your terminal.

6. Encrypt_string – Encrypt a string to use in playbooks or variable files

Command:

ansible-vault encrypt_string 'MySecretValue' --name 'api_key'

What it does:
Encrypts a single string and prints the encrypted value, suitable for inline use in YAML files.

Example Workflow:

ansible-vault encrypt_string 'MySecretValue' --name 'api_key'
  • Output:

    api_key: !vault |
              $ANSIBLE_VAULT;1.1;AES256
              6634663264633862653737363339383739616632663837623233633637356536
              6632626164656236373861303962646531346535613936390a64346664616435
              ...

  • Copy-paste this directly into your vars file or playbook.

7. Rekey – Change the password of an encrypted file

Command:

ansible-vault rekey secrets.yml

What it does:
Changes the vault password on one or more encrypted files.

Example Workflow:

ansible-vault rekey secrets.yml
  • Enter current password.
  • Enter new password.
  • File is re-encrypted with the new password.

Vault Password Handling

  • Supply the vault password at run time, either interactively:

    ansible-playbook site.yml --ask-vault-pass

    or, to avoid manual prompts, from a file:

    ansible-playbook site.yml --vault-password-file ~/.vault_pass.txt

    Be sure to secure ~/.vault_pass.txt with proper file permissions so that only the account running Ansible can read it!

Using Encrypted Files in Playbooks

Ansible automatically decrypts vault files if you provide the password:

# In your playbook:
- hosts: all
  vars_files:
    - secrets.yml
  tasks:
    - debug:
        msg: "The DB password is {{ db_password }}"

Run with:

ansible-playbook playbook.yml --ask-vault-pass

Summary Table: Ansible-vault Commands

Command                   | Purpose                                        | Example
--------------------------|------------------------------------------------|------------------------------------------------
create                    | Make a new encrypted file                      | ansible-vault create secrets.yml
encrypt                   | Encrypt an existing file                       | ansible-vault encrypt vars.yml
decrypt                   | Decrypt an encrypted file                      | ansible-vault decrypt secrets.yml
edit                      | Edit an encrypted file securely                | ansible-vault edit secrets.yml
view                      | View an encrypted file (read-only)             | ansible-vault view secrets.yml
encrypt_string --name VAR | Encrypt a single string for use as a variable  | ansible-vault encrypt_string 'value' --name var
rekey                     | Change the vault password for a file           | ansible-vault rekey secrets.yml

Best Practices

  • Only encrypt what’s sensitive (not all files).
  • Keep vault passwords secure—don’t commit them to version control.
  • Rotate passwords regularly using the rekey command.
  • Audit encrypted files so you know what’s protected.

Extra: Vault IDs for Multiple Passwords (Advanced)

You can use Vault IDs to encrypt different files with different passwords (e.g., one for dev, one for prod).

Encrypt with a vault ID:

ansible-vault encrypt --vault-id dev@prompt dev-secrets.yml
ansible-vault encrypt --vault-id prod@prompt prod-secrets.yml

And use both in a playbook:

ansible-playbook site.yml --vault-id dev@prompt --vault-id prod@prompt
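As an added illustration of the "Audit encrypted files" best practice and of the vault-id labels used above (example code written for this page, not part of Ansible or the original tutorial): a small Python helper that classifies files by their $ANSIBLE_VAULT header, extracts the format version, cipher and vault-id label, lists variables holding inline !vault values, and flags plaintext files or labels outside the expected set. The sample file contents are constructed, and the allowed labels dev and prod follow the tutorial's own example.

```python
"""Audit helper: tell whole-file vaults from plaintext, read the envelope header and list inline !vault variables."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Header on line 1 of an encrypted file. Format 1.1: $ANSIBLE_VAULT;1.1;AES256
# Format 1.2 adds the vault-id label as a fourth field: $ANSIBLE_VAULT;1.2;AES256;prod
HEADER_RE = re.compile(
    r"^\$ANSIBLE_VAULT;(?P<version>\d+\.\d+);(?P<cipher>[A-Z0-9]+)(?:;(?P<vault_id>[^\s;]+))?$"
)
# A variable whose value is an inline vault blob, as emitted by encrypt_string --name.
INLINE_RE = re.compile(r"^\s*([A-Za-z_]\w*):\s*!vault\s*\|", re.MULTILINE)

@dataclass
class VaultInfo:
    encrypted: bool
    version: Optional[str] = None
    cipher: Optional[str] = None
    vault_id: Optional[str] = None  # None for format 1.1, which carries no label

def inspect_vault_text(text: str) -> VaultInfo:
    """Classify file content by its first line only; nothing is decrypted."""
    m = HEADER_RE.match(text.lstrip().split("\n", 1)[0].rstrip())
    if not m:
        return VaultInfo(encrypted=False)
    return VaultInfo(True, m.group("version"), m.group("cipher"), m.group("vault_id"))

def inline_vault_vars(text: str) -> List[str]:
    """Names of variables in a plaintext YAML file whose values are inline vault blobs."""
    return INLINE_RE.findall(text)

def audit(files: Dict[str, str], allowed_ids: List[str]) -> List[str]:
    """Findings: plaintext files (with a count of inline-protected values) and vaults with an unexpected label."""
    findings = []
    for path, text in files.items():
        info = inspect_vault_text(text)
        if not info.encrypted:
            findings.append(f"{path}: plaintext ({len(inline_vault_vars(text))} inline !vault value(s))")
        elif info.vault_id is not None and info.vault_id not in allowed_ids:
            findings.append(f"{path}: unexpected vault-id {info.vault_id!r}")
    return findings

# Constructed sample repository contents; the hex lines are copied from the tutorial's
# encrypt_string output and are never decrypted here.
SAMPLE_FILES = {
    "prod-secrets.yml": "$ANSIBLE_VAULT;1.2;AES256;prod\n6634663264633862653737363339383739616632663837623233633637356536\n",
    "secrets.yml": "$ANSIBLE_VAULT;1.1;AES256\n6632626164656236373861303962646531346535613936390a64346664616435\n",
    "staging.yml": "$ANSIBLE_VAULT;1.2;AES256;staging\n6632626164656236373861303962646531346535613936390a64346664616435\n",
    "group_vars/all.yml": "db_user: admin\napi_key: !vault |\n  $ANSIBLE_VAULT;1.1;AES256\n  6634663264633862\ndb_password: SuperSecret123\n",
}
```

Calling audit(SAMPLE_FILES, ["dev", "prod"]) reports group_vars/all.yml as plaintext with one inline-protected value and staging.yml as carrying a label outside the expected environments.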
