Ansible Vault

nasirhm profile image Nasir Hussain ・3 min read

Introduction to Ansible Vault

It's a feature of Ansible that allows you to hide sensitive data (Credentials) Into Encrypted files rather than Playbooks or Roles. Ansible automatically decrypts vault-encrypted content at runtime when the key is provided.

Ansible Immage, Thumbnail

Why Ansible Vault?:

Ansible had no mechanism in which users can encrypt data such as a Playbook and Role and if any third-party module for encryption was used, it caused many problems in terms of Encrypting the Data and Decrypting it at times of Execution, this lead to the idea of a Utility which can fix this gap and provide better functionality with Ansible

What is Ansible Vault?

Vault is a mechanism that allows encrypted content to be incorporated transparently into Ansible workflows. A utility called ansible-vault secures confidential data by encrypting it on disk. To integrate these secrets with regular Ansible data, both the ansible and ansible-playbook commands.
It uses the AES256 algorithm to provide symmetric encryption keyed to a user-supplied password. This means that the same password is used to encrypt and decrypt content, which is helpful from a usability standpoint.

Now that you understand a bit about what Vault is, we can start discussing the tools Ansible provides, and how you can use it for your Ansible workflows.

Prerequisite :

Ansible on a Non-Root user with sudo Access. If you don't have Ansible installed kindly check this Link.

Let's Dive in

Setting up the EDITOR

As a Newbie, Most people on Linux are either not Familiar with vi or vim, so they prefer to use nano and some other easy and simple Editor. So to change your environment according to your needs, Here's how you can do it.

To set the editor for an individual command, prepend the command with the environment variable assignment, like this:

$ EDITOR=nano ansible-vault . . .

To Keep this change persistent you would have to do the following:

$ nano ~/.bashrc

In ~/.bashrc , add the following to the End of File. it will change your default EDITOR to whatever editor is defined.

export EDITOR=nano

Save and Close the file,
Source the File to change it in Current Session:

$ . ~/.bashrc

To ensure you have your desired EDITOR configured Please do the Following:

$ echo $EDITOR

It would result in nano

You're set with the Editor Now,

Now, Let's start with a File generated by ansible-vault.

Creating New Encrypted file:

$ ansible-vault create vault.yml

Enter Passsword and you're ready to go.

as you can see by ls you would see the file as vault.yml you can add some text to it and then to verify the encryption function, You can do the following:

$ cat vault.yml

And you would see some encrypted Text.

To Encrypt an Existing file :

$ ansible-vault encrypt file.txt

Instead of opening an editing window, ansible-vault will encrypt the contents of the file and write it back to disk, replacing the unencrypted version.

Type the Password and you're ready to go Again with that file.

Viewing Encrypted file :

You can do it easily by the functionality provided by Ansible-Vault :

$ ansible-vault view vault.yml

It would ask for the Password and by entering the right credential you would be able to see the contents of the files in the terminal.

Editing Encrypted file :

It's pretty easy to edit it on Terminal while having your best configurations in.

$ ansible-vault edit vault.yml

Again by writing the right credential you would be able to edit it on your default editor, that's the reason we changed our editor to nano.

Decrypting Encrypted file :

To manually Decrypt, Ansible's got your back this time too :

$ ansible-vault decrypt vault.yml

It's not recommended to decrypt, Decrypt it if you don't want to encrypt it again by the same scheme rather use view and edit functions.


Your projects should have all of the information required to successfully install and configure complex systems. However, some configuration data is by definition sensitive and should not be publicly exposed. In this guide, we demonstrated some basic functionality used to encrypt and decrypt valuable data which we can further use in our Playbooks and Roles.

If you want to go to more Depth of Ansible-Vault, I would recommend checking the following links:
Ansible Documentation
Article on Digital Ocean


Editor guide