Here is a very detailed and comprehensive tutorial on using Ansible Vault with practical, real-world examples for each subcommand.

---

Ansible Vault Tutorial

Ansible Vault is a powerful feature that allows you to encrypt sensitive data—such as passwords, keys, and secrets—within your Ansible projects. It’s especially important for keeping secrets out of version control and enabling safe collaboration on automation projects.

---

Why Use Ansible Vault?

• Security: Keeps secrets safe in your playbooks, variable files, and inventory.
• Collaboration: Share code without exposing sensitive information.
• Flexibility: Encrypt only the files or strings you need.

---

Vault Passwords

By default, Vault asks you for a password interactively, but you can also use --vault-password-file for automation.

---

Main Ansible Vault Subcommands and Usage Examples

Below, each subcommand is described with an example.

---

1. Create – Create a new encrypted file

Command:

ansible-vault create secrets.yml
Code language: CSS (css)

What it does:
Creates a new file, opens it in your $EDITOR (e.g., vim/nano), and saves it encrypted.

Example Workflow:

ansible-vault create secrets.yml
Code language: CSS (css)

• You will be prompted for a new vault password.
• The editor opens. Enter your secret variables: db_user: admin db_password: SuperSecret123
• Save and exit. Now secrets.yml is fully encrypted.

---

2. Encrypt – Encrypt an existing file

Command:

ansible-vault encrypt group_vars/all.yml

What it does:
Encrypts an existing plaintext file.

Example Workflow:

ansible-vault encrypt group_vars/all.yml

• You’ll be prompted for a password.
• The file is encrypted and can no longer be read as plain text.

---

3. Decrypt – Decrypt an encrypted file

Command:

ansible-vault decrypt secrets.yml
Code language: CSS (css)

What it does:
Decrypts a file, turning it back into readable plain text.

Example Workflow:

ansible-vault decrypt secrets.yml
Code language: CSS (css)

• Enter the vault password.
• secrets.yml is now unencrypted and can be viewed/edited by anyone.

---

4. Edit – Edit an encrypted file (without manual decrypt/re-encrypt)

Command:

ansible-vault edit secrets.yml
Code language: CSS (css)

What it does:
Decrypts the file in-memory for editing, then automatically re-encrypts it when you save and close the editor.

Example Workflow:

ansible-vault edit secrets.yml
Code language: CSS (css)

• Enter your vault password.
• File opens in your editor. Make your changes: db_password: EvenBetterSecret456
• Save and exit; file is re-encrypted.

---

5. View – View the contents of an encrypted file (read-only)

Command:

ansible-vault view secrets.yml
Code language: CSS (css)

What it does:
Allows you to read (but not edit) the contents of the encrypted file after entering the vault password.

Example Workflow:

ansible-vault view secrets.yml
Code language: CSS (css)

• Enter password.
• The contents are displayed in your terminal.

---

6. Encrypt_string – Encrypt a string to use in playbooks or variable files

Command:

ansible-vault encrypt_string 'MySecretValue' --name 'api_key'
Code language: JavaScript (javascript)

What it does:
Encrypts a single string and prints the encrypted value, suitable for inline use in YAML files.

Example Workflow:

ansible-vault encrypt_string 'MySecretValue' --name 'api_key'
Code language: JavaScript (javascript)

• Output: api_key: !vault | $ANSIBLE_VAULT;1.1;AES256 6634663264633862653737363339383739616632663837623233633637356536 6632626164656236373861303962646531346535613936390a64346664616435 ...
• Copy-paste this directly into your vars file or playbook.

---

7. Rekey – Change the password of an encrypted file

Command:

ansible-vault rekey secrets.yml
Code language: CSS (css)

What it does:
Changes the vault password on one or more encrypted files.

Example Workflow:

ansible-vault rekey secrets.yml
Code language: CSS (css)

• Enter current password.
• Enter new password.
• File is re-encrypted with the new password.

---

Vault Password Handling

• To avoid manual prompts, use: ansible-playbook site.yml --ask-vault-pass # or ansible-playbook site.yml --vault-password-file ~/.vault_pass.txt (Be sure to secure ~/.vault_pass.txt with proper file permissions!)

---

Using Encrypted Files in Playbooks

Ansible automatically decrypts vault files if you provide the password:

# In your playbook:
- hosts: all
  vars_files:
    - secrets.yml
  tasks:
    - debug:
        msg: "The DB password is {{ db_password }}"
Code language: PHP (php)

Run with:

ansible-playbook playbook.yml --ask-vault-pass
Code language: CSS (css)

---

Summary Table: Ansible-vault Commands

Command	Purpose	Example
create	Make a new encrypted file	ansible-vault create secrets.yml
encrypt	Encrypt an existing file	ansible-vault encrypt vars.yml
decrypt	Decrypt an encrypted file	ansible-vault decrypt secrets.yml
edit	Edit an encrypted file securely	ansible-vault edit secrets.yml
view	View an encrypted file (read-only)	ansible-vault view secrets.yml
encrypt_string --name VAR	Encrypt a single string for use as a variable	ansible-vault encrypt_string 'value' --name var
rekey	Change the vault password for a file	ansible-vault rekey secrets.yml

---

Best Practices

• Only encrypt what’s sensitive (not all files).
• Keep vault passwords secure—don’t commit them to version control.
• Rotate passwords regularly using the rekey command.
• Audit encrypted files so you know what’s protected.

---

Extra: Vault IDs for Multiple Passwords (Advanced)

You can use Vault IDs to encrypt different files with different passwords (e.g., one for dev, one for prod).

Encrypt with a vault ID:

ansible-vault encrypt --vault-id dev@prompt dev-secrets.yml
ansible-vault encrypt --vault-id prod@prompt prod-secrets.yml
Code language: CSS (css)

And use both in a playbook:

ansible-playbook site.yml --vault-id dev@prompt --vault-id prod@prompt
Code language: CSS (css)

---

References

• Ansible Vault Documentation

---