Securing Sensitive Data with Ansible vault encrypt decrypt Guide


In this tutorial, How to use Ansible vault encrypt decrypt to secure sensitive data. you’ll learn how to use Ansible Vault to secure sensitive data within your configurations, an essential skill for maintaining robust security protocols. Ansible Vault encrypts variables and files to protect sensitive information like passwords and credentials from unauthorized access.

The guide covers the initial setup of Ansible Vault, including detailed steps to encrypt your data effectively. You’ll gain insights into the practical applications of these security measures in real-world scenarios.

Finally, the tutorial provides practical tips for decrypting data when necessary for your deployments. Whether you are new to Ansible or have advanced experience, understanding how to manage Vault’s encryption and decryption processes is crucial for enhancing your operational security.

Ansible vault encrypt decrypt

Encrypted files use Ansible Vault

Ansible uses the AES256 algorithm for encrypting sensitivity. We will create an encrypted file using the ansible-vault utility tool as shown.

ansible-vault create pass-file.xml

The content before the Encrypted file is shown.

cat pass-file.xml
welcome to site!

After the Encrypted file as shown.

cat pass-file.xml

We will view an Encrypted file in Ansible using ansible-vault

ansible-vault view pass-file.xml

Edit an Encrypted file using ansible-vault

ansible-vault edit pass-file.xml

Encrypt an Existing file using the Ansible vault command

ansible-vault encrypt pass-file2.xml

For example the picture below

Ansible vault encrypt decrypt example

Decrypting files Ansible

Use an ansible vault to decrypt a file or revert to plain text.

ansible-vault decrypt pass-file2.xml
Ansible vault encrypt decrypt example

Reset the Ansible vault password

ansible-vault rekey pass-file2.xml

Encrypt a playbook file in Ansible

Example Ansible Setup NFS server here. I will Encrypt file exports.j2 the content as below:

[vagrant@ansible_controller ~]$ cat ./ansible/exports.j2
# /etc/exports: the access control list for filesystems which may be exported
#   to NFS clients.  See exports(5).
/home/vagrant/nfs_test  ,sync,no_root_squash,no_subtree_check)

Encryption with vault_pass.txt as below:

[vagrant@ansible_controller ~]$ cat vault_pass.txt
[vagrant@ansible_controller ~]$ ansible-vault encrypt ./ansible/exports.j2 --vault-password-file vault_pass.txt
Encryption successful
[vagrant@ansible_controller ~]$ cat ./ansible/exports.j2

As a result, run the Ansible playbook as below:

[vagrant@ansible_controller ~]$ ansible-playbook -i ansible/hosts nfs-server.yml --vault-password-file vault_pass.txt
[WARNING]: Invalid characters were found in group names but not replaced, use -vvvv to see details

PLAY [nfs-server] ***************************************************************************************************

TASK [Gathering Facts] **********************************************************************************************
ok: [servernfs]

TASK [install nfs-utils] ********************************************************************************************
ok: [servernfs]

TASK [Create a mountable directory if it does not exist] ************************************************************
ok: [servernfs]

TASK [enable rpcbind nfslock nfs] ***********************************************************************************
ok: [servernfs] => (item=rpcbind)
ok: [servernfs] => (item=nfslock)
ok: [servernfs] => (item=nfs)

TASK [Copy exports file.] *******************************************************************************************
changed: [servernfs]

TASK [NFS system start] *********************************************************************************************
changed: [servernfs]

PLAY RECAP **********************************************************************************************************
servernfs                  : ok=6    changed=2    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

File /etc/exports on server NFS as below:

[vagrant@servernfs ~]$ cat /etc/exports
# /etc/exports: the access control list for filesystems which may be exported
#   to NFS clients.  See exports(5).
/home/vagrant/nfs_test  ,sync,no_root_squash,no_subtree_check)


In conclusion, using Ansible Vault for encryption and decryption is a key skill for safeguarding your sensitive data in DevOps environments. The examples provided in this guide illustrate practical applications of Ansible Vault, enhancing your security practices. We hope you find this information beneficial. Thank you for reading on the DevopsRoles page!

, ,

About HuuPV

My name is Huu. I love technology and especially Devops Skill such as Docker, vagrant, git so forth. I likes open-sources. so I created site to share the knowledge that I have learned. My Job: IT system administrator. Hobbies: summoners war game, gossip.
View all posts by HuuPV →

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.