How To: Encrypt Files with Ansible Vault
Ansible Vault is a technology that lets you encrypt the values of variables, or even whole files, to minimise the security risks of storing such information in your Ansible playbooks, vars files or roles. You usually use the ansible-vault command and supply a passphrase to encrypt and decrypt the information. Ansible Vault is a fascinating and fully implemented concept: you can have multiple storage areas (vault-ids) and provide separate passphrases for encrypting different types of information.
Why You Should Encrypt Files
If leaking a particular file could lead to a considerable security threat or loss of service, please consider whether you should be storing such information in cleartext at all. Taking this a step further: in the case of Ansible, and Git repos storing Ansible code, you are quite often uploading that code to centralised cloud storage, so the risk of the data being compromised is even greater. This means you should either avoid uploading such files or take steps to encrypt them.
What Files You Should Encrypt
Here are just a few of the file types that I encrypt with Ansible Vault before uploading them into a private GitHub repository:
- private keys for webservers (they're needed for validation on each web server that uses an SSL cert)
- passwords (like a DB password or any other password) - many software products expect passwords to be stored in cleartext format on the server that's running the software. But this doesn't mean the same credentials should stay unencrypted "at rest" in my Ansible repository - be it my deployment laptop or a git repository
- unique identifiers that would expose too much of my infrastructure or highlight a proprietary software name
- pre-shared VPN keys - most VPNs of mine are peer-to-peer, so even with a leaked pre-shared key it would be hard to break in - but I certainly feel much better if I encrypt such keys or even hashes
Encrypting Files with Ansible Vault
Let's assume I want to encrypt an htpasswd file for one of my servers.
Let's encrypt it. We run the ansible-vault command, specify the action (encrypt) and supply the file to be encrypted (htpasswd). The command asks for a password that will later be needed to decrypt the file.
IMPORTANT: there is no way to get the original file contents if you encrypt it and forget the password. Please make a backup of the unencrypted file before doing this. Please also save the password into your password management tool (I use 1Password) before proceeding.
Excellent! We should have an encrypted file instead of the original one now:
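The backup-then-encrypt step described above, followed by a check that the files you expect to be encrypted really are, as an added example that is not part of the original post. It assumes ansible-vault is on PATH for vault_encrypt_with_backup; the is_vaulted check relies only on the Vault on-disk format, whose first line begins with "$ANSIBLE_VAULT;" (for example "$ANSIBLE_VAULT;1.1;AES256").

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes ansible-vault is on
# PATH for vault_encrypt_with_backup; the other functions only inspect the
# Vault file header ("$ANSIBLE_VAULT;<version>;<cipher>").

# vault_encrypt_with_backup FILE BACKUP_DIR
# Copies the cleartext FILE into BACKUP_DIR (keep that directory out of the
# repo), then encrypts FILE in place; ansible-vault prompts for the password.
vault_encrypt_with_backup() {
    mkdir -p "$2"
    cp -p "$1" "$2/$(basename "$1").$(date +%Y%m%d%H%M%S).bak"
    ansible-vault encrypt "$1"
}

# is_vaulted FILE -> 0 if FILE starts with an Ansible Vault header, else 1
is_vaulted() {
    head -n 1 "$1" 2>/dev/null | grep -q '^\$ANSIBLE_VAULT;'
}

# check_vaulted_files LISTFILE -> reads one path per line, reports each file
# that is still cleartext and returns 1 if any was found (0 otherwise)
check_vaulted_files() {
    rc=0
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        if is_vaulted "$path"; then
            echo "vaulted:   $path"
        else
            echo "CLEARTEXT: $path"
            rc=1
        fi
    done < "$1"
    return "$rc"
}

# Demo on constructed sample files (the hex body is illustrative only).
demo() {
    dir=$(mktemp -d)
    printf '$ANSIBLE_VAULT;1.1;AES256\n3138363636\n' > "$dir/db_password.yml"
    printf 'admin:$apr1$constructed$notarealhash\n' > "$dir/htpasswd"
    printf '%s\n%s\n' "$dir/db_password.yml" "$dir/htpasswd" > "$dir/.vault-files"
    check_vaulted_files "$dir/.vault-files"   # reports htpasswd as CLEARTEXT
    rm -rf "$dir"
}
```

Wire check_vaulted_files into a pre-commit hook, feeding it the secret-file paths from git diff --cached --name-only, so a secret file cannot be committed before it has been encrypted.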
Using Encrypted Data with Ansible
This is really a topic of a separate post. I promise I’ll write one up really soon.
But if you must get an answer now, please explore the official Ansible Vault docs and also supply the --ask-vault-pass option when running your Ansible playbooks.
That's it for now! Will try and make time to learn and write more about Ansible Vault soon.