Introduction to Ansible Vault

 

Why Ansible Vault?:

Ansible had no mechanism in which users can encrypt data such as a Playbook and Role and if any third-party module for encryption was used, it caused many problems in terms of Encrypting the Data and Decrypting it at times of Execution, this lead to the idea of a Utility which can fix this gap and provide better functionality with Ansible.

What is Ansible Vault?

Vault is a mechanism that allows encrypted content to be incorporated transparently into Ansible workflows. A utility called ansible-vault secures confidential data by encrypting it on disk. To integrate these secrets with regular Ansible data, both the ansible and ansible-playbook commands.
It uses the AES256 algorithm to provide symmetric encryption keyed to a user-supplied password. This means that the same password is used to encrypt and decrypt content, which is helpful from a usability standpoint.

Now that you understand a bit about what Vault is, we can start discussing the tools Ansible provides, and how you can use it for your Ansible workflows.

Prerequisite :

Ansible on a Non-Root user with sudo Access.

Setting up the EDITOR

As a Newbie, Most people on Linux are either not Familiar with vi or vim, so they prefer to use nano and some other easy and simple Editor. So to change your environment according to your needs, Here's how you can do it.

To set the editor for an individual command, prepend the command with the environment variable assignment, like this:

$ EDITOR=nano ansible-vault . . .

To Keep this change persistent you would have to do the following:

$ nano ~/.bashrc

In ~/.bashrc , add the following to the End of File. it will change your default EDITOR to whatever editor is defined.

export EDITOR=nano

Save and Close the file,
Source the File to change it in Current Session:

$ . ~/.bashrc

To ensure you have your desired EDITOR configured Please do the Following:

$ echo $EDITOR

You're set with the Editor Now,

Now, Let's start with a File generated by ansible-vault.

Creating New Encrypted file:

$ ansible-vault create vault.yml

Enter Passsword and you're ready to go.

as you can see by ls you would see the file as va

ult.yml you can add some text to it and then to verify the encryption function, You can do the following:

$ cat vault.yml

And you would see some encrypted Text.

To Encrypt an Existing file :

$ ansible-vault encrypt file.txt

Instead of opening an editing window, ansible-vault will encrypt the contents of the file and write it back to disk, replacing the unencrypted version.

Type the Password and you're ready to go Again with that file.

Viewing Encrypted file :

You can do it easily by the functionality provided by Ansible-Vault :

$ ansible-vault view vault.yml

It would ask for the Password and by entering the right credential you would be able to see the contents of the files in the terminal.

Editing Encrypted file :

It's pretty easy to edit it on Terminal while having your best configurations in.

$ ansible-vault edit vault.yml

Again by writing the right credential you would be able to edit it on your default editor, that's the reason we changed our editor to nano.

Decrypting Encrypted file :

To manually Decrypt, Ansible's got your back this time too :

$ ansible-vault decrypt vault.yml

It's not recommended to decrypt, Decrypt it if you don't want to encrypt it again by the same scheme rather use view and edit functions.