Easy methods to Use Ansible Vault to Retailer Secret Keys


With maximum automation, credentials are had to authenticate and use protected sources. What has at all times been a problem is how highest to retailer the ones credentials securely. Ansible is an automation gadget that gives tool provisioning, configuration control, and application deployments.

As with all automation gadget, Ansible wishes a protected option to retailer secrets and techniques. On the subject of Ansible, that gadget is named (*2*)Ansible Vault. Ansible Vault supplies a cross-platform way to securely storing credentials.

Introducing Ansible Vault

Ansible Vault can be utilized to encrypt any dossier, or variables themselves, from inside of a playbook. Through default AES is used which is a shared-secret based totally encryption. Each dossier and variable encryption strategies have their advantages and disadvantages.

Report Encryption

To create a brand new encrypted dossier named secrets and techniques.yml, merely use the next ansible-vault command.

ansible-vault create secrets and techniques.yml

After prompting for a password, the ansible-vault command will release the default gadget dossier editor, which is able to lead to an encrypted dossier upon saving.


In a similar way, to encrypt a prior to now unencrypted dossier, use the next ansible-vault command. Word that this makes use of the encrypt parameter fairly than the create parameter.

ansible-vault encrypt secrets and techniques.yml

The drawback to the usage of dossier encryption is clarity. If you happen to open the dossier then you are going to to find that with out decryption, it’s unattainable to decipher the contents.

Variable Encryption

Inside of a playbook, it’s imaginable to make use of an encrypted variable via prefacing the encrypted knowledge with the !vault tag. Operating the encrypt_string argument of the ansible_vault command will lead to an encrypted string that you’ll be able to use inside of your playbooks.

ansible-vault encrypt_string 'secret_data' --name 'my_secret'

After prompting you for a password, you are going to get the next encrypted string.

my_secret: !vault | $ANSIBLE_VAULT;1.1;AES256 37636561366636643464376336303466613062633537323632306566653533383833366462366662 6565353063303065303831323539656138653863353230620a653638643639333133306331336365 62373737623337616130386137373461306535383538373162316263386165376131623631323434 3866363862363335620a376466656164383032633338306162326639643635663936623939666238 3161

Variable encryption is excellent for clarity, however the talent to make use of command line rekeying is sacrificed when the usage of this technique.

The usage of Ansible Vault in Observe

Chances are you’ll notice that the usage of Ansible Vault in manufacturing is a problem. To successfully use Ansible Vault, the next ways make this procedure more uncomplicated.

  • Unprompted Decryption
  • A couple of Vaults
  • Rekeying

Unprompted Decryption

One strategy to transparently decrypting a dossier or variable whilst the usage of Ansible is to retailer the password inside of a secure and un-versioned password dossier. To reference this saved password, merely go within the dossier location the usage of the vault-password-file parameter.

ansible-playbook --vault-password-file /trail/vault-password-file secrets and techniques.yml

This will likely decrypt any integrated encrypted information or variables the usage of the integrated password.

You will need to to not devote your plaintext password dossier into your model regulate gadget. In a similar way, offer protection to this dossier to simply the person or staff that wishes get entry to to the saved password at the dossier gadget the usage of get entry to regulate lists (ACL’s).

A couple of Vaults

Even supposing it’s handy to have a unmarried vault with the entire encrypted secrets and techniques, a greater safety apply is to split the protected credentials into separate related vaults. An instance of this might be isolating a manufacturing and building surroundings. Fortunately, Ansible Vault lets in us to create more than one vaults and references which vault the encrypted knowledge is coming from the usage of a label.

ansible-vault create --vault-id [email protected] prod-secrets.yml

The above code will create a prod vault and urged in your password at runtime (as famous via the @urged string). If you have already got a password dossier that you just wish to use, merely go within the trail to the dossier.

ansible-vault create --vault-id [email protected]/trail/prod-vault-password-file prod-secrets.yml

Let’s say we need to encrypt the similar my_secret variable, however this time retailer that during our prod vault. Simply as sooner than, the usage of encrypt_string however with the related vault-id lets in storing of the name of the game within the specified location.

ansible-vault encrypt_string --vault-id [email protected]/trail/prod-vault-password-file 'secret_data' --name 'my_secret'

You’ll understand that once the AES256 string, a brand new piece of textual content, prod is proven. This means the vault that the encrypted textual content is situated in.

my_secret: !vault | $ANSIBLE_VAULT;1.1;AES256;prod 37636561366636643464376336303466613062633537323632306566653533383833366462366662 6565353063303065303831323539656138653863353230620a653638643639333133306331336365 62373737623337616130386137373461306535383538373162316263386165376131623631323434 3866363862363335620a376466656164383032633338306162326639643635663936623939666238 3161

What if you wish to come with more than one vaults in one playbook? You’ll simply go in more than one vault-id declarations on an ansible-playbook command line.

ansible-playbook --vault-id [email protected]/trail/dev-vault-password-file --vault-id [email protected]/trail/prod-vault-password-file website.yml


In the end, it’s necessary to frequently cycle your passwords. For information which might be encrypted, you’ll be able to use the command line underneath. Passing within the new-vault-id parameter makes it simple to switch the password that the secrets and techniques are encrypted with.

ansible-vault rekey --vault-id [email protected]/trail/prod-vault-password-file-old --new-vault-id [email protected]/trail/prod-vault-password-file-new website.yml

As famous above, command line rekeying does no longer paintings for encrypted variables. On this case, it is important to personally re-encrypt the strings and substitute them in a given playbook.

Highest Practices

Safety is hard, particularly in the case of the usage of secrets and techniques inside of automation programs. With that during thoughts, underneath are a number of highest practices to make use of when using Ansible Vault. Despite the fact that we have now coated a few of these prior to now, it’s prudent to reiterate the ones practices.

  • ACL secure and unversioned password informationPassword information mustn’t be saved inside of model regulate programs, comparable to GIT. Moreover, be sure that best the fitting customers can get entry to the password dossier.
  • Separate vaultsGenerally, many various environments are in use. Due to this fact, it’s best to split the desired credentials into the fitting vaults.
  • Common dossier and variable password rekeyingOn the subject of password reuse or leaks, it’s best to frequently rekey the passwords in use to restrict publicity.


As with all automation gadget, it’s significantly necessary that secrets and techniques are correctly secure and regulated. With Ansible Vault, that procedure is made simple and versatile. The usage of the most productive practices defined above, storing and the usage of secrets and techniques inside of Ansible is secure and protected.


To increase Ansible Vault even additional and take this procedure to the following degree, you’ll be able to use scripts that combine into password control answers. As you’ll be able to see, Ansible Vault is a wonderful manner to make use of secretes inside of Ansible playbooks.