Handling sensitive data with Ansible Vault: encrypting strings instead of files

Sometimes we only want to encrypt a single variable value or a short piece of text that we need in a playbook or role, for example a user password or an API key, rather than an entire file. Encrypting single variables is also a good idea when we keep our files in a source control system such as Git, because the rest of the file stays readable in diffs and reviews while only the secret itself is ciphertext.

Ansible Vault can encrypt individual variable values (the encrypt_string subcommand) instead of the whole file.

Let’s assume that we have the following sensitive data in a variables file:

db_user: admin
db_password: secret

To encrypt the db_password value using Ansible Vault, we can run the following command:

ansible-vault encrypt_string --name 'db_password' 'secret'

This will prompt us to enter and confirm a password for encryption. After entering the password, we will see something like the following text on our console:

db_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          66386134653765386262643264393164663937633761653064393838353933356461303366623361
          3666363531626164336333303338343535396333383235640a316438346439383539666331343835
          62396130376439346266373837343731636265623439653265356139316561386432373634333636
          3135623639343538370a313036616230333933623637343638386430303538633434376261326634
          6466
Encryption successful

The output shows the encrypted value of db_password as a YAML literal block carrying the !vault tag, which tells Ansible that the value must be decrypted before use, and a header, $ANSIBLE_VAULT;1.1;AES256, that states the vault format version and the cipher.

We can copy and paste this output into our variable file vars.yml to replace the original plain text value:

db_user: admin
db_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          66386134653765386262643264393164663937633761653064393838353933356461303366623361
          3666363531626164336333303338343535396333383235640a316438346439383539666331343835
          62396130376439346266373837343731636265623439653265356139316561386432373634333636
          3135623639343538370a313036616230333933623637343638386430303538633434376261326634
          6466

Now our db_password value is encrypted and safe from prying eyes.

To use it in our playbook, we just need to provide the same password that we used for encryption when running Ansible commands.

For example:

ansible-playbook -i inventory --ask-vault-pass playbook.yml

This will prompt us to enter the vault password before executing the playbook. Alternatively, we can store the vault password in a file (such as .vault_pass.txt) and use the --vault-password-file option to specify its location; that file then holds the key to every vaulted value, so it must be kept out of version control and readable only by the user running Ansible:

ansible-playbook -i inventory --vault-password-file .vault_pass.txt playbook.yml

Ansible will automatically decrypt any encrypted values in our playbook or variable files using the vault password and use them as normal strings.
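Before committing a variables file, it is worth checking that every secret in it is actually vaulted and that each block is well-formed. The following script is an added example (not code from the post or from Ansible): it parses the layout encrypt_string prints, checks the $ANSIBLE_VAULT header, and, relying on the documented 1.1 payload layout (an outer hex layer around "salt_hex\nhmac_hex\nciphertext_hex"), reports the salt, HMAC and ciphertext sizes without needing the vault password. The sample file is constructed; its ciphertext is the post's own example block.

```python
import binascii
import re

# Constructed vars file in the layout ansible-vault encrypt_string prints; the
# vault block is the post's example ("secret"), the other values are made up.
SAMPLE_VARS = """\
db_user: admin
db_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          66386134653765386262643264393164663937633761653064393838353933356461303366623361
          3666363531626164336333303338343535396333383235640a316438346439383539666331343835
          62396130376439346266373837343731636265623439653265356139316561386432373634333636
          3135623639343538370a313036616230333933623637343638386430303538633434376261326634
          6466
api_key: hunter2
"""

KEY_RE = re.compile(r"^(\w+):\s*(.*)$")  # top-level "name: value" lines only

def parse_vars(text):
    """Return {name: ("vault", [block lines])} or {name: ("plain", value)}."""
    result, lines, i = {}, text.splitlines(), 0
    while i < len(lines):
        m = KEY_RE.match(lines[i])
        i += 1
        if not m:
            continue
        name, value = m.groups()
        if value.strip() != "!vault |":
            result[name] = ("plain", value)
            continue
        body = []  # the indented literal block scalar that follows "!vault |"
        while i < len(lines) and lines[i][:1].isspace():
            body.append(lines[i].strip())
            i += 1
        result[name] = ("vault", body)
    return result

def inspect_vault(body):
    """Check a vault block's structure without the password; return its layout."""
    header, payload = body[0], "".join(body[1:])
    parts = header.split(";")  # $ANSIBLE_VAULT;<version>;<cipher>[;<vault-id>]
    if len(parts) < 3 or parts[0] != "$ANSIBLE_VAULT" or parts[2] != "AES256":
        raise ValueError("unsupported vault header: " + header)
    # Outer hex layer wraps "salt_hex\nhmac_hex\nciphertext_hex" (vault 1.1/1.2).
    salt, mac, ct = (binascii.unhexlify(h) for h in binascii.unhexlify(payload).split(b"\n"))
    return {"version": parts[1], "salt_len": len(salt), "hmac_len": len(mac), "ciphertext_len": len(ct)}

def audit(text):
    """Map each variable to its vault layout, or "PLAINTEXT" if it is not vaulted."""
    return {n: inspect_vault(v) if k == "vault" else "PLAINTEXT" for n, (k, v) in parse_vars(text).items()}
```

For the post's block this reports a 32-byte salt, a 32-byte HMAC-SHA256 tag and a single 16-byte AES block, while api_key is flagged as plaintext.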

Unfortunately, at the time of writing this article it is impossible to edit encrypted values in place with Ansible Vault. The ansible-vault edit and view commands only work on encrypted files as a whole.

If we want to change an encrypted string, we have to create a new one with the ansible-vault command and paste it into our variables file again in place of the old value:

ansible-vault encrypt_string --name 'secret_element' 'life'

We can check the value of an encrypted string with the ansible command and the ansible.builtin.debug module:

ansible -i inventory ansible -m debug -a 'var=secret_element' -e @vault.yml --ask-vault-pass

Text encryption is a convenient way to secure sensitive data in our Ansible playbooks or variables without having to deal with separate encrypted files.

I hope you found this post useful and informative. If you have any questions or feedback, please feel free to leave them in the comments section below.

