Encrypt Secrets with Ansible Vault
Intermediate · 8 min
Encrypt sensitive variables and files using Ansible Vault to safely store passwords, API keys, and certificates in version control.
Prerequisites
- Ansible installed
- Basic playbook knowledge
Steps
1. Create an encrypted variables file
Opens an editor to create a new encrypted file. You will be prompted for a vault password.
$ ansible-vault create group_vars/production/vault.yml
Use a naming convention like vault.yml to clearly mark encrypted files.
2. Encrypt an existing file
Encrypts a plain-text file in place. The original content is replaced with encrypted data.
$ ansible-vault encrypt group_vars/production/secrets.yml
3. View encrypted file contents
Displays the decrypted content without modifying the file.
$ ansible-vault view group_vars/production/vault.yml
4. Edit an encrypted file
Decrypts the file into a temporary buffer, opens your editor, and re-encrypts on save.
$ ansible-vault edit group_vars/production/vault.yml
5. Run a playbook with vault-encrypted files
Prompts for the vault password at runtime to decrypt any vault-encrypted files.
$ ansible-playbook site.yml --ask-vault-pass
Use --vault-password-file to point to a file or script that provides the password for non-interactive use in CI.
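A check that complements the steps above, as an added example that is not part of the original guide: it scans a directory for files following the vault.yml naming convention and reports any whose first line is not an Ansible Vault header, so a plain-text secrets file is caught before it is committed. The function names and the script name in the usage comment are assumptions; the `$ANSIBLE_VAULT;` prefix is the header ansible-vault writes at the top of an encrypted file.

```shell
#!/bin/sh
# Added example: verify that files following the vault.yml naming convention
# really are vault-encrypted before they reach version control.

# is_vault_encrypted FILE -> 0 if the first line is an Ansible Vault header,
# e.g. "$ANSIBLE_VAULT;1.1;AES256"; 1 for plain text, empty or unreadable files.
is_vault_encrypted() {
    first_line=
    # read returns non-zero on a final line without a newline, so also
    # accept a non-empty partial line before giving up.
    IFS= read -r first_line < "$1" || [ -n "$first_line" ] || return 1
    case $first_line in
        '$ANSIBLE_VAULT;'*) return 0 ;;
        *) return 1 ;;
    esac
}

# find_plaintext_vaults DIR [NAME] -> prints each file called NAME (default
# vault.yml) under DIR that is not encrypted; returns 1 if any were found.
find_plaintext_vaults() {
    rc=0
    # The here-document keeps the loop in the current shell so rc survives.
    # Assumption: paths contain no newlines.
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        if ! is_vault_encrypted "$path"; then
            printf 'NOT ENCRYPTED: %s\n' "$path"
            rc=1
        fi
    done <<EOF
$(find "$1" -type f -name "${2:-vault.yml}" | sort)
EOF
    return "$rc"
}

# When run with arguments (hypothetical script name, e.g. from a pre-commit
# hook or CI step):
#   sh check_vault.sh group_vars
[ "$#" -eq 0 ] || find_plaintext_vaults "$@"
```

A non-zero exit status from the script can be used to block the commit or fail the pipeline.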