Ansible Basics 08: Ansible Vault

Managing sensitive data securely is very important. Whether it’s passwords, API keys, or other confidential information, properly storing and accessing these secrets is crucial for maintaining the integrity and security of your systems. Ansible Vault is a powerful tool to address this challenge.

Understanding Ansible Vault

Ansible Vault is a built-in tool within Ansible that allows you to encrypt and manage sensitive data. It ensures that confidential information remains protected while integrating seamlessly with your Ansible workflows.

Here are the key points about Ansible Vault:

  1. Transparent Integration: Ansible Vault allows encrypted content to be seamlessly incorporated into your Ansible playbooks and roles. It ensures that sensitive data, such as passwords and private keys, remains confidential.
  2. File-Level Granularity: Vault operates at the file level, meaning individual files can be either encrypted or unencrypted. This flexibility allows you to protect specific files containing sensitive information.
  3. AES256 Encryption: Ansible Vault uses the AES256 algorithm for symmetric encryption. You provide a password, which is then used both for encryption and decryption. This simplicity enhances usability without compromising security.
  4. Runtime Decryption: When executing Ansible playbooks or tasks, Ansible automatically decrypts any vault-encrypted files it encounters. This ensures that secrets are available at runtime without exposing them in plain text.

Using Ansible Vault

Before you start, here is some additional information about getting started with the ansible-vault command.

  1. Editor configuration: Set your preferred text editor for Ansible Vault. Specify the EDITOR environment variable to avoid surprises when editing encrypted files.
  2. Encrypting variables: Use the ansible-vault encrypt_string command to encrypt individual values that you then place in YAML files. This keeps the sensitive variables secure while the rest of the file stays readable. File-level encryption is covered later in this lesson.
  3. Variable-level vs. file-level encryption:
    • Variable-Level: Encrypt specific variables within a file. Mix plaintext and encrypted variables as needed.
    • File-Level: Encrypt entire files. Ideal for structured data files containing multiple variables.
  4. Password management:
    • Keep track of your vault passwords. Each time you encrypt content, provide the corresponding password.
    • Use the ansible-vault create command to create password-encrypted files.

Unprotected, plain text variables

When you use variables in Ansible they are represented as plain text in the variable files, playbooks and other places.

The following playbook is an example of plain text variables:

- name: Using Ansible Vault secret variables
  hosts: all

  vars:
    var1: "this is plain text"

  tasks:
    - name: Displaying a plain text variable
      ansible.builtin.debug:
        var: var1

As you can see, it is not protected from prying eyes. You have to separate the sensitive data into a different file created by the ansible-vault tool.

Ansible Vault encrypted variables

When you work with sensitive data you must protect it using Ansible's built-in tool, ansible-vault.

You can create a new encrypted file using the create argument.

ansible-vault create secrets.yaml
New Vault password: 
Confirm New Vault password:

When creating the file, give it a strong vault password.

In the file you can add your secrets in a YAML structure:

var2: "This is a secret, encrypted variable"

Later you can edit the file using the edit argument, providing the same password.

ansible-vault edit secrets.yaml
Vault password:

Let’s modify the playbook.yaml file to use the secret variable:

- name: Using Ansible Vault secret variables
  hosts: all

  vars:
    var1: "this is plain text"

  tasks:
    - name: Displaying a plain text variable
      ansible.builtin.debug:
        var: var1

    - name: Encrypted variable
      ansible.builtin.debug:
        var: var2

The playbook can be run with the following parameters:

ansible-playbook -i inventory playbook.yaml --extra-vars @secrets.yaml --ask-vault-pass

The --extra-vars option, followed by the variable file name with an @ character in front of it, tells the command to load the variables from that file.

The --ask-vault-pass option will prompt for the password to decrypt the vault file.

The output will show that Ansible decrypted and used the secret variable var2.

ok: [192.168.1.91] => {
    "var2": "This is a secret, encrypted variable"
}

If you try to check the contents of an Ansible Vault protected file, you will only see the cipher text:

cat secrets.yaml 
$ANSIBLE_VAULT;1.1;AES256
38666362396439333061626530383866663261383263376261316537323735386665333036653339
6263303164376466396531373432613363313535373561650a656636633637613538616535643839
35663838653539353039363461343663366566623962613664653237303637396464363137363333
6134313064643735650a653365303464346131656436383862336361366564643730336563646433
65336339356137343630663666616231303065356231396330353665656337626565363832306266
61363566303662366131643364316532396662366265663338616337353565613062313965646565
623632393564386238323631313734623539

You cannot retrieve the original content without knowing the decryption password, so do NOT forget it.
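As an added example (not code from this post or from Ansible itself), here is a small Python helper that recognises the vault envelope shown above, unpacks its three hex fields (salt, HMAC, ciphertext) without decrypting anything, and lists files that should be vaulted but are still plain text, which is a useful pre-commit guard. The sample envelope is constructed from dummy bytes and is not the output of ansible-vault; the field layout (outer hex layer wrapped at 80 columns, inner salt/HMAC/ciphertext hex separated by newlines) is the one the 1.1 and 1.2 formats use.

```python
# Inspect the Ansible Vault 1.1/1.2 envelope without decrypting it (added example).
import re
from binascii import hexlify, unhexlify

HEADER_RE = re.compile(r"^\$ANSIBLE_VAULT;(1\.[12]);([A-Z0-9]+)(?:;([^;\s]+))?$")

def is_vault_encrypted(text: str) -> bool:
    """True if the content starts with a vault header (file-level encryption)."""
    lines = text.strip().splitlines()
    return bool(lines) and HEADER_RE.match(lines[0]) is not None

def parse_vault(text: str) -> dict:
    """Unpack the envelope: header line, then hex(salt_hex + '\\n' + hmac_hex + '\\n' + ct_hex)."""
    lines = text.strip().splitlines()
    m = HEADER_RE.match(lines[0]) if lines else None
    if m is None:
        raise ValueError("not an Ansible Vault envelope")
    version, cipher, vault_id = m.groups()
    if cipher != "AES256":
        raise ValueError(f"unsupported cipher {cipher}")
    inner = unhexlify("".join(lines[1:]))          # strip the outer hex layer (80-col wrapped)
    parts = inner.split(b"\n")
    if len(parts) != 3:
        raise ValueError("expected salt, hmac and ciphertext fields")
    salt, mac, ciphertext = (unhexlify(p) for p in parts)
    if len(salt) != 32 or len(mac) != 32:          # 32-byte salt, HMAC-SHA256 tag
        raise ValueError("bad salt or HMAC length")
    if len(ciphertext) % 16:                       # PKCS7-padded AES blocks
        raise ValueError("ciphertext is not block aligned")
    return {"version": version, "cipher": cipher, "vault_id": vault_id,
            "salt": salt, "hmac": mac, "ciphertext": ciphertext}

def build_envelope(salt: bytes, mac: bytes, ciphertext: bytes, vault_id=None) -> str:
    """Inverse of parse_vault, used here only to construct test data (no real encryption)."""
    header = "$ANSIBLE_VAULT;1.1;AES256" if vault_id is None else f"$ANSIBLE_VAULT;1.2;AES256;{vault_id}"
    outer = hexlify(b"\n".join(hexlify(x) for x in (salt, mac, ciphertext))).decode()
    return header + "\n" + "\n".join(outer[i:i + 80] for i in range(0, len(outer), 80)) + "\n"

def unencrypted_secret_files(files: dict) -> list:
    """Pre-commit style guard: names of files that should be vaulted but are plain text."""
    return sorted(name for name, content in files.items() if not is_vault_encrypted(content))

# Constructed sample: dummy salt/HMAC/ciphertext bytes, NOT produced by ansible-vault.
SAMPLE = build_envelope(bytes(range(32)), b"\x11" * 32, b"\x22" * 48)

if __name__ == "__main__":
    print(unencrypted_secret_files({"secrets.yaml": SAMPLE, "vars.yaml": "var1: plain"}))
```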

Conclusion

Ansible Vault helps you to handle sensitive data confidently. By following best practices, you can seamlessly integrate encrypted content into your automation workflows, ensuring security without compromising usability.

Now you are ready to learn about how to organize your Ansible code, and how to create reusable code with Ansible Roles.

If you want to discuss the topic with other technology-minded people, join my Discord: https://discord.gg/YbSYGsQYES

Now we have an IRC channel as well: irc.libera.chat / #tomsitcafe
