Ansible - Encrypt and Decrypt files

February 28, 2019

Ansible provides an easy way to encrypt and decrypt files, so sensitive data can be kept in our playbooks. For example, you can have a template which contains a username and password and keep it encrypted.

Vault password file

Create a vault password file to use for encryption and decryption.

$ echo "some long password here" > ~/ansible_key

Create a YAML file variables.yml with sensitive data, for example a username and password.

---
username: pepe
password: A*07^&%%#!

Encrypt

Encrypt the YAML file variables.yml, which contains sensitive data.

$ ansible-vault encrypt \
    --vault-password-file=~/ansible_key \
    variables.yml

Encryption successful
$ cat variables.yml

$ANSIBLE_VAULT;1.1;AES256
35323331326264316238616131386462666330363037663230316335343263313630636132383933
6339386537326461336465393930323237326661303331310a306361363365373131646136376661
37376266663139303964313838306432636630313137653466663264633539666365633332313337
3831353836656130620a643032373137646261393561383264323039323030633530636363643733
39646332373737613162353764336633323464373663396631396432613335343263613262326337
3861376563626330343039393866313861383964383431623137

Decrypt

Decrypt the YAML file variables.yml.

$ ansible-vault decrypt \
    --vault-password-file=~/ansible_key \
    variables.yml
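
Two checks worth running before committing, shown here as an added example (not code from the original post or from Ansible): confirm that variables.yml really is a well-formed vault file, and that the password file is not readable by other users, since a file created with echo gets whatever permissions the current umask allows. The function names are hypothetical; the layout assumed is the vault 1.1 envelope, a hex body that decodes to hex salt, HMAC and ciphertext separated by newlines.

```python
import binascii
import os
import stat

# Encrypted variables.yml, copied from the `cat` output shown on this page.
PAGE_SAMPLE = """$ANSIBLE_VAULT;1.1;AES256
35323331326264316238616131386462666330363037663230316335343263313630636132383933
6339386537326461336465393930323237326661303331310a306361363365373131646136376661
37376266663139303964313838306432636630313137653466663264633539666365633332313337
3831353836656130620a643032373137646261393561383264323039323030633530636363643733
39646332373737613162353764336633323464373663396631396432613335343263613262326337
3861376563626330343039393866313861383964383431623137
"""


def parse_vault(text):
    """Return header fields and raw salt/HMAC/ciphertext; ValueError if not a vault file."""
    lines = text.strip().splitlines()
    if not lines or not lines[0].startswith("$ANSIBLE_VAULT;"):
        raise ValueError("no vault header: file is still plaintext")
    fields = lines[0].strip().split(";")
    if len(fields) not in (3, 4):  # 1.1 has 3 fields, 1.2 adds a vault ID
        raise ValueError("malformed vault header")
    try:
        # Body = hex of b"<salt hex>\n<hmac hex>\n<ciphertext hex>"
        inner = binascii.unhexlify("".join(l.strip() for l in lines[1:]))
        salt, mac, ct = (binascii.unhexlify(p) for p in inner.split(b"\n"))
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError(f"corrupt vault body: {exc}") from None
    return {"version": fields[1], "cipher": fields[2],
            "vault_id": fields[3] if len(fields) == 4 else None,
            "salt": salt, "hmac": mac, "ciphertext": ct}


def password_file_is_private(path):
    """True if the vault password file is a regular file with no group/other access."""
    mode = os.stat(path).st_mode
    return stat.S_ISREG(mode) and (mode & 0o077) == 0


if __name__ == "__main__":
    v = parse_vault(PAGE_SAMPLE)
    print(v["version"], v["cipher"], len(v["salt"]), len(v["hmac"]), len(v["ciphertext"]))
    key = os.path.expanduser("~/ansible_key")
    if os.path.exists(key) and not password_file_is_private(key):
        print(f"{key} is readable by other users; run: chmod 600 {key}")
```

Calling parse_vault on the unencrypted variables.yml raises ValueError, which makes it usable as a pre-commit gate for files that must never be committed in plaintext.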