How to Use Ansible Vault to Store Secret Keys

With most automation, credentials are wanted to authenticate and use safe assets. What has all the time been a problem is how greatest to retailer these credentials securely. Ansible is an automation system that gives software program provisioning, configuration administration, and software deployments.

As with any automation system, Ansible wants a safe manner to retailer secrets and techniques. In the case of Ansible, that system is named Ansible Vault. Ansible Vault offers a cross-platform resolution to securely storing credentials.

Table of Contents

Introducing Ansible Vault

Ansible Vault can be utilized to encrypt any file, or variables themselves, from inside a playbook. By default AES is used which is a shared-secret based mostly encryption. Both file and variable encryption strategies have their advantages and disadvantages.

File Encryption

To create a brand new encrypted file named secrets and techniques.yml, merely use the next ansible-vault command.

ansible-vault create secrets and techniques.yml

After prompting for a password, the ansible-vault command will launch the default system file editor, which is able to lead to an encrypted file upon saving.

Similarly, to encrypt a beforehand unencrypted file, use the next ansible-vault command. Note that this makes use of the encrypt parameter fairly than the create parameter.

ansible-vault encrypt secrets and techniques.yml

The draw back to utilizing file encryption is readability. If you open the file then one can find that with out decryption, it’s inconceivable to decipher the contents.

Variable Encryption

Within a playbook, it’s potential to use an encrypted variable by prefacing the encrypted knowledge with the !vault tag. Running the encrypt_string argument of the ansible_vault command will lead to an encrypted string that you should utilize inside your playbooks.

ansible-vault encrypt_string 'secret_data' --name 'my_secret'

After prompting you for a password, you’re going to get the next encrypted string.

my_secret: !vault |

Variable encryption is nice for readability, however the skill to use command line rekeying is sacrificed when utilizing this methodology.

Using Ansible Vault in Practice

You could understand that utilizing Ansible Vault in manufacturing is a problem. To successfully use Ansible Vault, the next methods make this course of simpler.

  • Unprompted Decryption
  • Multiple Vaults
  • Rekeying

Unprompted Decryption

One possibility to transparently decrypting a file or variable whereas utilizing Ansible is to retailer the password inside a protected and un-versioned password file. To reference this saved password, merely move within the file location utilizing the vault-password-file parameter.

ansible-playbook --vault-password-file /path/vault-password-file secrets and techniques.yml

This will decrypt any included encrypted information or variables utilizing the included password.

It is essential not to commit your plaintext password file into your model management system. Similarly, shield this file to solely the consumer or group that wants entry to the saved password on the file system utilizing entry management lists (ACL’s).

Multiple Vaults

Although it’s handy to have a single vault with all the encrypted secrets and techniques, a greater safety apply is to separate the safe credentials into separate related vaults. An instance of this may be separating a manufacturing and improvement setting. Thankfully, Ansible Vault permits us to create a number of vaults and references which vault the encrypted knowledge is coming from utilizing a label.

ansible-vault create --vault-id [email protected] prod-secrets.yml

The above code will create a prod vault and immediate on your password at runtime (as famous by the @immediate string). If you have already got a password file that you want to to use, merely move within the path to the file.

ansible-vault create --vault-id [email protected]/path/prod-vault-password-file prod-secrets.yml

Let’s say we would like to encrypt the identical my_secret variable, however this time retailer that in our prod vault. Just as earlier than, utilizing encrypt_string however with the related vault-id permits storing of the key within the specified location.

ansible-vault encrypt_string --vault-id [email protected]/path/prod-vault-password-file 'secret_data' --name 'my_secret'

You will discover that after the AES256 string, a brand new piece of textual content, prod is proven. This signifies the vault that the encrypted textual content is positioned in.

my_secret: !vault |

What in order for you to embody a number of vaults in a single playbook? You can simply move in a number of vault-id declarations on an ansible-playbook command line.

ansible-playbook --vault-id [email protected]/path/dev-vault-password-file --vault-id [email protected]/path/prod-vault-password-file web site.yml


Finally, it’s vital to often cycle your passwords. For information which might be encrypted, you should utilize the command line under. Passing within the new-vault-id parameter makes it simple to change the password that the secrets and techniques are encrypted with.

ansible-vault rekey --vault-id [email protected]/path/prod-vault-password-file-old --new-vault-id [email protected]/path/prod-vault-password-file-new web site.yml

As famous above, command line rekeying doesn’t work for encrypted variables. In this case, you’ll need to individually re-encrypt the strings and change them in a given playbook.

Best Practices

Security is tough, particularly when it comes to utilizing secrets and techniques inside automation methods. With that in thoughts, under are a number of greatest practices to use when using Ansible Vault. Though we have now lined a few of these beforehand, it’s prudent to reiterate these practices.

  • ACL protected and unversioned password informationPassword information mustn’t be saved inside model management methods, comparable to GIT. Additionally, make it possible for solely the suitable customers can entry the password file.
  • Separate vaultsNormally, many alternative environments are in use. Therefore, it’s best to separate the required credentials into the suitable vaults.
  • Regular file and variable password rekeyingIn the case of password reuse or leaks, it’s best to often rekey the passwords in use to restrict publicity.


As with any automation system, it’s critically vital that secrets and techniques are correctly protected and managed. With Ansible Vault, that course of is made simple and versatile. Using one of the best practices outlined above, storing and utilizing secrets and techniques inside Ansible is secure and safe.

To prolong Ansible Vault even additional and take this course of to the following degree, you should utilize scripts that combine into password administration options. As you may see, Ansible Vault is a superb manner to use secretes inside Ansible playbooks.

Source link

This Web site is affiliated with Amazon associates, Clickbank, JVZoo, Sovrn //Commerce, Warrior Plus etc.

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *