Chapter #8: Encrypting Content With Ansible Vault

There are many situations where you need to use sensitive information in Ansible. For instance, you may want to set a user’s password, transfer certificates or keys, etc.

In this tutorial, you will learn to:

  • Use Ansible Vault to protect and deal with sensitive information.
  • Create, view, and edit vault-encrypted files.
  • Decrypt vault-encrypted files and change the password of a vault-encrypted file.

Furthermore, you will learn how to use encrypted variables and files in your playbooks.

This is the 8th chapter of the RHCE Ansible tutorial series. The series teaches you Ansible with hands-on examples so that you learn by doing. If this is your first time here, you should refer to the other chapters in this series.

Creating encrypted files

To create a new encrypted file, use the ansible-vault create command. To demonstrate, let’s create a new encrypted file named secret.txt:

[elliot@control plays]$ ansible-vault create secret.txt
New Vault password: 
Confirm New Vault password:

It first prompts you for a vault password, which you will need whenever you want to open the file later. After you enter the password, the file opens in your default editor, where you can insert the following line: