Encryption in Ansible
Hello Everyone
Welcome to CloudAffaire and this is Debjeet.
In the last blog post, we discussed tests in Ansible.
https://cloudaffaire.com/tests-in-ansible/
In this blog post, we will discuss encryption in Ansible.
Ansible Vault:
Ansible Vault is a feature of Ansible that lets you keep sensitive data such as passwords or keys in encrypted files rather than as plaintext in playbooks or roles. Vault-encrypted files can then be distributed or committed to source control. Ansible provides the command-line utility ansible-vault to create, view, edit, encrypt, decrypt and rekey vault files, and to encrypt individual variable values that can be embedded in otherwise plaintext YAML; the encrypted files and values are decrypted transparently when a playbook or role uses them. Ansible encrypts the payload with AES-256 in CTR mode: the AES key, an HMAC key and the initial counter are all derived from the vault password with PBKDF2-HMAC-SHA256, and an HMAC-SHA256 over the ciphertext is stored alongside it, so a wrong password or a tampered file is rejected instead of decrypting to garbage. Vault protects data at rest only: once a task has decrypted a value it is ordinary plaintext in memory and will appear in debug output or logs unless you suppress that (for example with no_log: true).
Ansible Vault also supports vault IDs. A vault ID is a label for one or more vault secrets; since Ansible can hold several vault passwords at once, the label tells it which password belongs to which file (a file created with a vault ID records the label in its header as $ANSIBLE_VAULT;1.2;AES256;<label>). To use vault IDs you pass --vault-id <label>@<source>, where the source is either prompt or the path to a password file.
Next, we walk through encryption and decryption in Ansible with a demo.
Ansible Vault Demo:
Create an encrypted file using ansible-vault
## Create an encrypted file using ansible-vault
ansible-vault create myfile1.yml
#Output:
#New Vault password: mypassword
#Confirm New Vault password: mypassword
## The command opens an empty file in your default editor ($EDITOR, vi by default);
## write your content, save and quit, and only the encrypted form is written to disk
------------
username: debjeet
password: debjeetpassword
------------
:wq
View the content of an encrypted file
## Try to view the content of the file: only the $ANSIBLE_VAULT header and hex ciphertext are shown
cat myfile1.yml

## Use ansible-vault view to see the decrypted content (it is shown in a pager and never written to disk)
ansible-vault view myfile1.yml
#Output:
#Vault password: mypassword
Edit the encrypted file using ansible-vault
## Edit the encrypted file (decrypted into a temporary file for the editor, re-encrypted on save)
ansible-vault edit myfile1.yml
#Output:
#Vault password: mypassword
------------
username: debjeet
password: debjeetnewpassword
------------
:wq
Create an encrypted file using vault id
## You can also create the file with a vault id, supplying the password for that id at once.
ansible-vault create --vault-id myvaultid@prompt myfile2.yml
#Output:
#New vault password (myvaultid): mypassword
#Confirm new vault password (myvaultid): mypassword
## The command opens an empty file in your default editor;
## write your content, save and quit
------------
username: alex
password: alexpassword
------------
:wq
## The file header now reads $ANSIBLE_VAULT;1.2;AES256;myvaultid, recording which label it belongs to

## Use ansible-vault view with the same vault id to view the content of the file
ansible-vault view --vault-id myvaultid@prompt myfile2.yml
Encrypt existing files using ansible-vault
## Encrypt an existing plaintext file in place
echo 'password: mysecretpassword' > myfile3.yml
ansible-vault encrypt myfile3.yml
#Output:
#New Vault password: mypassword
#Confirm New Vault password: mypassword

## Or, alternatively, encrypt it under a vault id (run one of the two commands, not both;
## ansible-vault refuses to encrypt a file that is already encrypted)
ansible-vault encrypt --vault-id myvaultid@prompt myfile3.yml
Change your vault password
## Change your vault password (re-encrypts each file under the new password)
ansible-vault rekey myfile1.yml myfile2.yml myfile3.yml
#Output:
#Vault password: mypassword
#New Vault password: mynewpassword
#Confirm New Vault password: mynewpassword
Note: ansible-vault rekey prompts for one current password and applies it to every file named on the command line, so the files must all share that password to be rekeyed in one go; otherwise rekey them one at a time. To move files to a different vault id at the same time, use --new-vault-id <label>@prompt (or <label>@<password file>). Rekeying only re-encrypts the files; if the old password was shared with anyone, treat it as compromised and rotate it everywhere it was used.
Decrypt an encrypted file using ansible-vault
## Decrypt the file back to plaintext in place. The plaintext is written to disk, so
## do not commit the result; prefer ansible-vault view or edit when you only need to read or change it
ansible-vault decrypt myfile3.yml
#Output:
#Vault password: mynewpassword

## View the content of the file
cat myfile3.yml
Encrypt a specific string using ansible-vault
## Encrypt a single string using ansible-vault; --name makes the output a ready-to-paste YAML key
ansible-vault encrypt_string 'mypassword' --name 'password' --ask-vault-pass
#Output:
#New Vault password: mypassword
#Confirm New Vault password: mypassword
#password: !vault |
#          $ANSIBLE_VAULT;1.1;AES256
#          63306138643237643539653735633765333463616539356565313166333764313938653831616635
#          3262336364656666616261663736343534653136636130370a653062633237383765616466633233
#          38313934313131613232653734363934386339653638336161623535636538396161323430343231
#          3662353336396334330a393533643030646238663734663761663365663362323161313862393330
#          6133

## You can paste this value into an otherwise plaintext YAML file, giving one encrypted variable
vi myfile4.yml
-----------------
user: bob
password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          63306138643237643539653735633765333463616539356565313166333764313938653831616635
          3262336364656666616261663736343534653136636130370a653062633237383765616466633233
          38313934313131613232653734363934386339653638336161623535636538396161323430343231
          3662353336396334330a393533643030646238663734663761663365663362323161313862393330
          6133
-----------------
:wq

## View the file: cat just prints it as-is, with the vault blob in place of the value
cat myfile4.yml

## ansible-vault view fails here ("input is not vault encrypted data"), because the file as a
## whole is not a vault file; only the one value is encrypted
ansible-vault view myfile4.yml --ask-vault-pass

## Use the ansible command to see the actual decrypted value: -e @file loads the file as extra
## vars and the !vault value is decrypted when the debug module reads it
ansible localhost -m debug -a var='password' -e "@myfile4.yml" --ask-vault-pass
#Output:
#Vault password: mypassword
## ansible-playbook with --ask-vault-pass decrypts such inline values the same way
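The blob above is the actual on-disk layout ansible-vault produces, so it is worth seeing what is in it. The following is an added example written for this post (not code from the original article or from Ansible) that parses the vault 1.1/1.2 payload format, derives the keys the way Ansible does, and checks a candidate password by recomputing the HMAC without decrypting anything. It uses only the standard library for parsing and the HMAC check; the optional decrypt() step assumes the third-party cryptography package is installed. The VAULT_BLOB constant is the exact value the encrypt_string command above printed.

```python
"""Inspect an Ansible Vault payload and check a candidate password against it.

Added example (not code from the original post or from Ansible).  It follows the
vault 1.1/1.2 payload layout written by ansible-vault:

  line 1 : $ANSIBLE_VAULT;<version>;AES256[;<vault-id label>]
  rest   : hex( salt_hex + "\n" + hmac_hex + "\n" + ciphertext_hex ), 80 chars per line
  keys   : PBKDF2-HMAC-SHA256(password, salt, 10000 iterations, 80 bytes) split into
           key1 (AES-256 key), key2 (HMAC key) and iv (AES-CTR initial counter)
  tag    : HMAC-SHA256(key2, ciphertext), i.e. encrypt-then-MAC

Parsing and the HMAC check need only the standard library; the optional decrypt()
step uses the 'cryptography' package, which is what Ansible itself uses for AES.
"""
import hashlib
import hmac

PBKDF2_ITERATIONS = 10000   # fixed in Ansible's VaultAES256 implementation
KEY_LEN = 32                # AES-256 key and HMAC-SHA256 key, in bytes
IV_LEN = 16                 # AES block size, used as the CTR initial counter

# The value the post's `ansible-vault encrypt_string 'mypassword'` command printed.
VAULT_BLOB = """$ANSIBLE_VAULT;1.1;AES256
63306138643237643539653735633765333463616539356565313166333764313938653831616635
3262336364656666616261663736343534653136636130370a653062633237383765616466633233
38313934313131613232653734363934386339653638336161623535636538396161323430343231
3662353336396334330a393533643030646238663734663761663365663362323161313862393330
6133
"""


def parse_vault_text(text):
    """Split a vault payload into header fields plus raw salt, HMAC tag and ciphertext."""
    lines = [line.strip() for line in text.strip().splitlines()]
    header = lines[0].split(";")
    if header[0] != "$ANSIBLE_VAULT" or header[1] not in ("1.1", "1.2") or header[2] != "AES256":
        raise ValueError("not an AES256 Ansible Vault 1.1/1.2 payload")
    envelope = bytes.fromhex("".join(lines[1:]))           # outer hex layer
    salt_hex, mac_hex, ct_hex = envelope.split(b"\n", 2)   # three inner hex fields
    return {
        "version": header[1],
        "cipher": header[2],
        "vault_id": header[3] if len(header) > 3 else None,  # present only in 1.2
        "salt": bytes.fromhex(salt_hex.decode()),
        "hmac": bytes.fromhex(mac_hex.decode()),
        "ciphertext": bytes.fromhex(ct_hex.decode()),
    }


def derive_keys(password, salt):
    """Return (key1, key2, iv) exactly as Ansible derives them from the vault password."""
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                  PBKDF2_ITERATIONS, dklen=2 * KEY_LEN + IV_LEN)
    return derived[:KEY_LEN], derived[KEY_LEN:2 * KEY_LEN], derived[2 * KEY_LEN:]


def check_password(text, password):
    """True if `password` authenticates the payload: recompute the HMAC and compare it
    in constant time.  Nothing is decrypted and no plaintext touches the disk."""
    fields = parse_vault_text(text)
    _, key2, _ = derive_keys(password, fields["salt"])
    tag = hmac.new(key2, fields["ciphertext"], hashlib.sha256).digest()
    return hmac.compare_digest(tag, fields["hmac"])


def decrypt(text, password):
    """Full decryption (AES-256-CTR + PKCS7 unpadding); requires the 'cryptography' package."""
    from cryptography.hazmat.primitives import padding
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    if not check_password(text, password):      # verify the tag before touching the cipher
        raise ValueError("HMAC mismatch: wrong vault password or tampered payload")
    fields = parse_vault_text(text)
    key1, _, iv = derive_keys(password, fields["salt"])
    decryptor = Cipher(algorithms.AES(key1), modes.CTR(iv)).decryptor()
    padded = decryptor.update(fields["ciphertext"]) + decryptor.finalize()
    unpadder = padding.PKCS7(128).unpadder()
    return (unpadder.update(padded) + unpadder.finalize()).decode("utf-8")


if __name__ == "__main__":
    info = parse_vault_text(VAULT_BLOB)
    print(f"format {info['version']} / {info['cipher']}, salt {len(info['salt'])} B, "
          f"tag {len(info['hmac'])} B, ciphertext {len(info['ciphertext'])} B")
    for candidate in ("not-the-password", "mypassword"):
        print(f"{candidate!r} authenticates: {check_password(VAULT_BLOB, candidate)}")
```

Two things the parser makes visible. First, the tag check is what turns a wrong password into a clean failure in Ansible rather than garbage output, and the same check is a cheap way to confirm that a password file or prompt entry is the right one for a given file before running a long playbook. Second, the ciphertext is padded to a multiple of 16 bytes and its length is not hidden, so a vault blob leaks the length of the secret rounded up to the next block (a 16-byte ciphertext means the plaintext was at most 15 bytes); keep that in mind when the length of a value is itself sensitive.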
Using ansible-vault with ansible-playbook
## Use ansible-vault with ansible-playbook
## Create a playbook my_playbook.yml
-----------------------
- hosts: localhost
  gather_facts: false
  tasks:
    - include_vars:
        file: ./myfile3.yml
        name: included_variable
    - debug: var=included_variable
-----------------------
:wq

## myfile3.yml must be vault-encrypted at this point; if you ran the decrypt step above,
## encrypt it again first. Execute the playbook without a vault password:
ansible-playbook my_playbook.yml
****error: "message": "Attempting to decrypt but no vault secrets found"

## Execute the playbook with the vault password
ansible-playbook my_playbook.yml --ask-vault-pass
## The debug task prints the decrypted variable to the console, which is fine for a demo
## but leaks the secret into CI logs in real use; add no_log: true to tasks that handle it
Use a file to pass ansible-vault password
## Pass the vault password from a file. Keep it outside the repository and readable only by you
echo 'mypassword' > ~/.myvaultpassword.txt
chmod 400 ~/.myvaultpassword.txt
ansible-playbook my_playbook.yml --vault-password-file ~/.myvaultpassword.txt
## With vault ids the same file is given as --vault-id myvaultid@~/.myvaultpassword.txt
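A password file does not have to be a plaintext file. If the file Ansible is pointed at is executable, it runs it and takes the password from its standard output, and when the script's name (without extension) ends in -client it also passes the vault id label as --vault-id <label>, so one script can serve every vault id. The following is an added example of such a client script (not code from the original post or from Ansible); the ANSIBLE_VAULT_PASS_<LABEL> environment-variable naming is this example's own convention and is not something Ansible defines.

```python
#!/usr/bin/env python3
"""my-vault-client.py: an Ansible vault password client script.

Added example, not code from the original post or from Ansible.  Ansible treats an
executable vault password file as a script whose stdout is the password, and when
the script's name (without extension) ends in "-client" it invokes it as
    my-vault-client.py --vault-id <label>
so one script can resolve several vault ids.  This one maps the label to an
environment variable, so no password sits in a file next to the repository.
The ANSIBLE_VAULT_PASS_<LABEL> naming is this example's own convention (assumption).
"""
import argparse
import os
import re
import sys

ENV_PREFIX = "ANSIBLE_VAULT_PASS_"   # assumption: our naming convention, not Ansible's


def env_var_for(label):
    """Map a vault-id label to an environment variable name ('dev-db' -> ..._DEV_DB).
    Reject anything that is not a plain token so a malformed label cannot map to
    an unintended variable."""
    if not re.fullmatch(r"[A-Za-z0-9][A-Za-z0-9_.-]*", label):
        raise ValueError(f"refusing malformed vault-id label {label!r}")
    return ENV_PREFIX + re.sub(r"[^A-Za-z0-9]", "_", label).upper()


def lookup_password(label, environ=None):
    """Return the password configured for `label`, or None when it is unset or empty."""
    environ = os.environ if environ is None else environ
    value = environ.get(env_var_for(label), "")
    return value or None


def main(argv=None):
    parser = argparse.ArgumentParser(description="Ansible vault password client")
    parser.add_argument("--vault-id", required=True, help="label supplied by Ansible")
    args = parser.parse_args(argv)
    password = lookup_password(args.vault_id)
    if password is None:
        # Report on stderr only (never echo anything secret) and exit non-zero so
        # Ansible reports the failure instead of proceeding with an empty password.
        print(f"no password for vault-id {args.vault_id!r}; set {env_var_for(args.vault_id)}",
              file=sys.stderr)
        return 2
    sys.stdout.write(password)   # Ansible strips surrounding whitespace from the output
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Save it as my-vault-client.py, make it executable and private (chmod 700), export ANSIBLE_VAULT_PASS_MYVAULTID=mypassword in the shell or CI job, and run ansible-playbook my_playbook.yml --vault-id myvaultid@./my-vault-client.py; Ansible then executes ./my-vault-client.py --vault-id myvaultid and uses what it prints. The same mechanism lets the script fetch the password from a secrets manager or OS keyring instead of the environment. For a single default password you can also set the ANSIBLE_VAULT_PASSWORD_FILE environment variable, or vault_password_file under [defaults] in ansible.cfg, to either a plain password file or an executable script, and drop the per-command option entirely; whichever form you use, add the file to .gitignore so it is never committed next to the vault files it unlocks.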
Hope you enjoyed this article. In the next blog post, we will discuss roles in Ansible.
For more details on Ansible, please refer to the Ansible documentation below.