Ansible Vault

1. Ansible Vault allows encryption of sensitive data in Ansible projects using symmetric AES256 encryption.
2. Vault encrypts entire files and uses the same password to encrypt and decrypt. Ansible can identify and decrypt vault-encrypted files during playbook runs.
3. The ansible-vault command manages encryption. It can create, encrypt, view, edit, decrypt, and rekey encrypted files. Running a playbook with --ask-vault-pass will prompt for the vault password at runtime.

Madhu Sudhan Reddy Y.
JMSTechHome +91-8884807341

Ansible Vault is a feature that allows users to encrypt values and data structures within Ansible
projects. This provides the ability to secure any sensitive data that is necessary to successfully
run Ansible plays but should not be publicly visible, like passwords or private keys. Ansible
automatically decrypts vault-encrypted content at runtime when the key is provided.

Vault is implemented with file-level granularity, meaning that files are either entirely encrypted
or unencrypted. It uses the AES256 algorithm to provide symmetric encryption keyed to a user-
supplied password. This means that the same password is used to encrypt and decrypt content,
which is helpful from a usability standpoint. Ansible is able to identify and decrypt any vault-
encrypted files it finds while executing a playbook or task.

Manage Sensitive Files with ansible-vault


The ansible-vault command is the main interface for managing encrypted content within
Ansible. This command is used to initially encrypt files and is subsequently used to view, edit, or
decrypt the data.

Creating New Encrypted Files

To create a new file encrypted with Vault, use the ansible-vault create command and pass in the
name of the file you wish to create. For example, to create an encrypted YAML file called
vault.yml to store sensitive variables:

$ ansible-vault create vault.yml

Enter a password and confirm it. ansible-vault then opens an editor (vi/vim by default) in which
you write the sensitive data. Once you save the file and close the editor, Ansible encrypts the
contents. If you check the file, instead of seeing the words you typed, you will see an encrypted
block:

$ cat vault.yml

We can see some header information that Ansible uses to know how to handle the file,
followed by the encrypted contents, which display as numbers.
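The header and the encrypted block described above follow a fixed layout, which the following added example (not part of the original document) parses with the Python standard library. It reproduces the Vault 1.1/1.2 envelope and key-derivation scheme so a practitioner can confirm which vault password a file expects before a playbook run, without decrypting anything; the sample envelope it builds is constructed here, with placeholder bytes standing in for the AES-CTR ciphertext.

```python
import binascii
import hashlib
import hmac
import textwrap

# Vault envelope (added example): line 1 is "$ANSIBLE_VAULT;1.1;AES256"
# (format 1.2 appends ";<vault-id label>"); the remaining lines are
# hex( hex(salt) "\n" hex(hmac_sha256) "\n" hex(aes256_ctr_ciphertext) ) wrapped at 80 columns.
# Keys come from PBKDF2-HMAC-SHA256(password, salt, 10000 iterations, 80 bytes):
# bytes 0..32 = AES key, 32..64 = HMAC key, 64..80 = CTR IV.
HEADER = "$ANSIBLE_VAULT"
ITERATIONS = 10000


def parse_envelope(text):
    """Return (version, cipher, vault_id, salt, mac, ciphertext) for a vault file."""
    lines = text.strip().splitlines()
    fields = lines[0].split(";")
    if len(fields) < 3 or fields[0] != HEADER or fields[2] != "AES256":
        raise ValueError("not an AES256 Ansible Vault file")
    version = fields[1]
    vault_id = fields[3] if version == "1.2" and len(fields) > 3 else None
    inner = binascii.unhexlify("".join(lines[1:]))          # strip the outer hex layer
    salt_hex, mac_hex, ct_hex = inner.split(b"\n")           # three inner hex fields
    return (version, fields[2], vault_id, binascii.unhexlify(salt_hex),
            binascii.unhexlify(mac_hex), binascii.unhexlify(ct_hex))


def derive_keys(password, salt):
    material = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=80)
    return material[:32], material[32:64], material[64:80]   # aes_key, hmac_key, iv


def verify_password(text, password):
    """True if the HMAC over the ciphertext validates under this password (no decryption)."""
    _, _, _, salt, mac, ciphertext = parse_envelope(text)
    _, hmac_key, _ = derive_keys(password, salt)
    expected = hmac.new(hmac_key, ciphertext, hashlib.sha256).digest()
    return hmac.compare_digest(expected, mac)


def make_envelope(password, salt, ciphertext, vault_id=None):
    """Wrap already-encrypted bytes in an envelope (constructed sample; AES step omitted)."""
    _, hmac_key, _ = derive_keys(password, salt)
    mac = hmac.new(hmac_key, ciphertext, hashlib.sha256).digest()
    inner = b"\n".join(binascii.hexlify(x) for x in (salt, mac, ciphertext))
    header = f"{HEADER};1.2;AES256;{vault_id}" if vault_id else f"{HEADER};1.1;AES256"
    return header + "\n" + textwrap.fill(binascii.hexlify(inner).decode(), 80) + "\n"


# Constructed sample: 16 placeholder bytes stand in for real AES-CTR output.
SAMPLE = make_envelope("s3cret", b"\x01" * 32, b"\xab" * 16, vault_id="dev")
```

Running verify_password against a real vault file produced by ansible-vault create works the same way, because the HMAC check is what ansible-vault itself performs before decrypting.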

Encrypting Existing Files

If you already have a file that you wish to encrypt with Vault, use the ansible-vault encrypt
command instead.

If you don't have such a file yet, create one like below:

$ echo 'this some data ' > newfile.txt

Now, you can encrypt the existing file by typing:

$ ansible-vault encrypt newfile.txt

Again, you will be prompted to provide and confirm a password. Afterwards, a message will
confirm the encryption:

Instead of opening an editing window, ansible-vault will encrypt the contents of the file and
write it back to disk, replacing the unencrypted version.

If we check the file, we should see a similar encrypted pattern:

$ cat newfile.txt

Viewing Encrypted Files

Sometimes, you may need to reference the contents of a vault-encrypted file without needing
to edit it or write it to the filesystem unencrypted. The ansible-vault view command feeds the
contents of a file to standard out. By default, this means that the contents are displayed in the
terminal.

Pass the vault encrypted file to the command:

$ ansible-vault view vault.yml

You will be asked for the file's password. After entering it successfully, the contents will be
displayed:

As you can see, the password prompt is mixed into the output of file contents. Keep this in
mind when using ansible-vault view in automated processes.

Editing Encrypted Files

When you need to edit an encrypted file, use the ansible-vault edit command:

$ ansible-vault edit vault.yml

You will be prompted for the file's password. After entering it, Ansible will open the file in an
editing window, where you can make any necessary changes.

Upon saving, the new contents will be encrypted using the file's encryption password again and
written to disk.

Manually Decrypting Encrypted Files

To decrypt a vault encrypted file, use the ansible-vault decrypt command.

Note: the ansible-vault decrypt command is only suggested for when you wish to remove
encryption from a file permanently. If you need to view or edit a vault encrypted file, it is
usually better to use the ansible-vault view or ansible-vault edit commands, respectively.

Pass in the name of the encrypted file:

$ ansible-vault decrypt vault.yml

You will be prompted for the encryption password for the file. Once you enter the correct
password, the file will be decrypted:

Changing the Password of Encrypted Files

If you need to change the password of an encrypted file, use the ansible-vault rekey command:

$ ansible-vault rekey newfile.txt

Using an Interactive Prompt

The most straightforward way of decrypting content at runtime is to have Ansible prompt you
for the appropriate credentials. You can do this by adding the --ask-vault-pass to any ansible or
ansible-playbook command. Ansible will prompt you for a password which it will use to try to
decrypt any vault-protected content it finds.

1. First, create a role under the roles folder. For example:

[root@ip-172-31-18-141 ansible]# cd roles/

[root@ip-172-31-18-141 roles]# ansible-galaxy init mail

2. After creating the role, the folder structure should look like below.



3. Create the sensitive data in the vars section. It should be key-value pairs like name: madhu

Remember that there should be one space after the colon.

4. Now encrypt the data using ansible-vault encrypt. It will ask for a password and a
confirmation. Remember this password.
[root@ip-172-31-18-141 vars]# ansible-vault encrypt main.yml

5. Create a playbook based on your requirement and read the key from the sensitive data like
{{ username }}.

$ cat roles/mail/vars/main.yml
---
# vars file for mail
username: madhu

After writing the sensitive data, you can encrypt the file using the ansible-vault encrypt command.

[root@ip-172-31-18-141 vars]# cat ../tasks/main.yml
---
# tasks file for mail
- name: get the username
  debug:
    msg: "myname is {{ username }} "

6. Now write the playbook.

[root@ip-172-31-18-141 ansible]# cat vault_example.yml
---
- hosts: nodes
  become: yes
  gather_facts: False
  roles:
    - mail

7. You can run the playbook with --ask-vault-pass or --vault-id @prompt

$ ansible-playbook vault_example.yml --vault-id @prompt --private-key=tomcat.pem

Here it will ask for your vault password; enter it and then check the output.

Creating a hashed password (using openssl)

[root@ip-172-31-18-141 ansible]# openssl passwd -1 -salt test

Password:

Playbook for sending mail after checking the version

[root@ip-172-31-18-141 ansible]# cat os_version_check.yml
---
- name: Print linux distribution and version
  become: yes            # become takes a boolean; the target user defaults to root
  hosts: nodes
  tasks:
    - name: capture the contents of /etc/os-release
      command: cat /etc/os-release
      register: login

    - debug:
        msg: "{{ login.stdout }}"

    - debug:
        msg: version comparison "{{ ansible_distribution_version is version('7.0','>=') }}"

    - name: Sending an e-mail using Gmail SMTP servers
      mail:
        host: smtp.gmail.com
        port: 587
        secure: starttls
        charset: utf-8
        sender: ballalallallal
        username: ballalallallal
        password: ballalallallal   # placeholder; in practice keep this in a vault-encrypted vars file
        to: ballalallallal
        subject: Ansible-report
        body: version comparison "{{ ansible_distribution_version is version('7', '>=') }}"
