After completing this section, you should be able to:
Create a new encrypted file or encrypt an existing file using Ansible Vault.
View, edit, or change the password on an existing file encrypted with Ansible Vault.
Remove encryption from a file that has been encrypted with Ansible Vault.
Ansible needs information in order to manage systems. This may include sensitive data such as passwords or private keys (including API keys). When secrets are stored in files as plain text, users with read access to the file system where the files are stored, or to version control systems that do not exclude the files, can see them.
There are at least two ways to store the data more safely:
Use Ansible Vault, which is included with Ansible and can encrypt and decrypt any structured data file used by Ansible.
Use a third-party encryption or key management tool or service to store the data.
In this section, you will learn how to use Ansible Vault.
What can you do with Ansible Vault, and how do you do it?
Here are some of the things you can do with Ansible Vault:
Encrypt a string
Create a new encrypted file
Encrypt an existing file
View an encrypted file without opening it for editing
Edit an encrypted file
Change the Vault password for an encrypted file
Permanently decrypt an encrypted file
Provide the Vault password to a play so it can read data from encrypted files
Get the Vault password from a password file instead of providing it interactively
To encrypt a string, use this syntax:
[user@host ~]$ ansible-vault encrypt_string "a string to be encrypted."
Vault password: secret
Strings encrypted in this manner can be embedded in inventory files and variable files (including group and host variable files). When the Vault password has been provided, Ansible automatically decrypts strings found in such files.
To create a new encrypted file:
[user@host ~]$ ansible-vault create secret.yml
New Vault password: redhat
Confirm New Vault password: redhat
This prompts you for the new Vault password and then opens a file using the default editor.
To encrypt one or more existing files, use the following command:
[user@host ~]$ ansible-vault encrypt secret1.yml secret2.yml
New Vault password: redhat
Confirm New Vault password: redhat
Encryption successful
To view an encrypted file without opening it for editing, use the following command:
[user@host ~]$ ansible-vault view secret1.yml
Vault password: redhat
To edit an existing encrypted file, use the command syntax below. It decrypts the file to a temporary file and opens that file in your editor. When you save and exit, it encrypts the content back into the original file and removes the temporary file.
[user@host ~]$ ansible-vault edit secret.yml
Vault password: redhat
The edit subcommand always rewrites the file, producing different encrypted text even when the content is unchanged, so it should only be used when making changes.
This can have implications when the file is kept under version control, because every edit session shows up as a modification.
The view subcommand should always be used to see the file's contents without making changes.
To change the Vault password for an encrypted file or files:
[user@host ~]$ ansible-vault rekey secret.yml
Vault password: redhat
New Vault password: RedHat
Confirm New Vault password: RedHat
Rekey successful!
To permanently decrypt an encrypted file:
[user@host ~]$ ansible-vault decrypt secret1.yml
Vault password: redhat
Decryption successful!
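The risk in this section is a secrets file that was never encrypted (or was decrypted and then committed) ending up in version control. The following is an added example, not part of the course material or of Ansible itself: it recognises the Ansible Vault file envelope without a password, so it can run as a repository check that flags files which should be vaulted but are stored as plain text. It assumes the 1.1/1.2 envelope layout (a $ANSIBLE_VAULT header line followed by hex text that encodes salt, HMAC and ciphertext as three hex lines); the sample files and the envelope bytes below are constructed, not real ciphertext.

```python
import binascii
from typing import Optional

HEADER_PREFIX = "$ANSIBLE_VAULT;"


def parse_vault_envelope(text: str) -> Optional[dict]:
    """Return header fields and payload sizes, or None if the text is not vaulted.
    Only the envelope is parsed; nothing is decrypted, so no password is needed."""
    lines = text.strip().splitlines()
    if not lines or not lines[0].startswith(HEADER_PREFIX):
        return None
    fields = lines[0].split(";")           # $ANSIBLE_VAULT;<version>;<cipher>[;<vault-id>]
    if len(fields) not in (3, 4) or fields[1] not in ("1.1", "1.2"):
        raise ValueError("unrecognised vault header: " + lines[0])
    info = {"version": fields[1], "cipher": fields[2],
            "vault_id": fields[3] if len(fields) == 4 else None}
    try:
        payload = binascii.unhexlify("".join(l.strip() for l in lines[1:]))
        salt, mac, ciphertext = (binascii.unhexlify(p) for p in payload.split(b"\n", 2))
    except (binascii.Error, ValueError) as exc:
        raise ValueError("corrupt vault payload") from exc
    info.update(salt_len=len(salt), hmac_len=len(mac), ciphertext_len=len(ciphertext))
    return info


def find_plaintext_secrets(files: dict, must_be_vaulted: set) -> list:
    """Names of files that policy says must be vaulted but are stored as plain text."""
    return sorted(n for n in must_be_vaulted
                  if n in files and parse_vault_envelope(files[n]) is None)


def constructed_vault_file(header: str = "$ANSIBLE_VAULT;1.1;AES256") -> str:
    # Structurally valid envelope built from made-up bytes (constructed, not a real ciphertext):
    # 32-byte salt, 32-byte HMAC-SHA256, 16-byte ciphertext, each hex-encoded and joined by "\n",
    # then the whole thing hex-encoded again and wrapped at 80 columns like ansible-vault does.
    salt, mac, ct = b"\x01" * 32, b"\x02" * 32, b"\x03" * 16
    body = b"\n".join(binascii.hexlify(x) for x in (salt, mac, ct))
    hexbody = binascii.hexlify(body).decode()
    wrapped = "\n".join(hexbody[i:i + 80] for i in range(0, len(hexbody), 80))
    return header + "\n" + wrapped + "\n"


# Constructed repository snapshot: one vaulted file, one ordinary vars file, one leaked secret.
SAMPLE_FILES = {
    "group_vars/all/vault.yml": constructed_vault_file(),
    "group_vars/all/vars.yml": "ntp_server: ntp.example.com\n",
    "secret.yml": "db_password: hunter2\n",   # should have been encrypted, but is plain text
}
MUST_BE_VAULTED = {"group_vars/all/vault.yml", "secret.yml"}

if __name__ == "__main__":
    print("plain-text secrets:", find_plaintext_secrets(SAMPLE_FILES, MUST_BE_VAULTED))
```

Running this over the constructed snapshot reports secret.yml only; a real pre-commit hook would read the files from disk and exit non-zero when the list is non-empty.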