Encrypting content with Ansible Vault

All the inventory files we have seen till now with server details like its IP, root passwords,etc. were in plain text. Anyone having access to the Ansible directory, can steal these details and it can be a security threat while using it in the organizations. 

Ansible Vault is a feature that allows users to encrypt sensitive content such as username, passwords, port or private keys rather than leaving it visible as plaintext in playbooks. To use Ansible Vault you need one or more passwords to encrypt and decrypt content. Ansible automatically decrypts vault-encrypted content at runtime when the key is provided.

Encrypting a file

Let’s consider this inventory file with no encryption:


To encrypt it using Ansible Vault, run the below command:

$ansible-vault encrypt inventory.txt --output enc_inven.txt

This command will prompt to set a security password:


After successful execution of the command, the encrypted file will be created:


The encrypted file content looks like this:


Viewing encrypted file

You can view the original value of an encrypted variable using ansible-vault view. You will be asked for the file’s password. After entering it successfully, the contents will be displayed:

ansible-vault view enc_inven.txt


Running Ansible with Vault-Encrypted Files

After you’ve encrypted your sensitive data with Vault, you can begin using the files with Ansible’s conventional tooling. The ansible and ansible-playbook commands will decrypt vault-protected files when the correct password is provided.

We will use below playbook: