ansible-vault

encryption/decryption utility for Ansible data files

Synopsis

ansible-vault [create|decrypt|edit|encrypt|encrypt_string|rekey|view] [options] [vaultfile.yml]

Description

can encrypt any structured data file used by Ansible. This can include group_vars/ or host_vars/ inventory variables, variables loaded by include_vars or vars_files, or variable files passed on the ansible-playbook command line with -e @file.yml or -e @file.json. Role variables and defaults are also included!

Because Ansible tasks, handlers, and other objects are data, these can also be encrypted with vault. If you’d like to not expose what variables you are using, you can keep an individual task file entirely encrypted.

Common Options

--ask-vault-pass

ask for vault password

--encrypt-vault-id <ENCRYPT_VAULT_ID>

the vault id used to encrypt (required if more than vault-id is provided)

--new-vault-id <NEW_VAULT_ID>

the new vault identity to use for rekey

--new-vault-password-file

new vault password file for rekey

--vault-id

the vault identity to use

--vault-password-file

vault password file

--version

show program’s version number, config file location, configured module search path, module location, executable location and exit

-h, --help

show this help message and exit

-v, --verbose

verbose mode (-vvv for more, -vvvv to enable connection debugging)

Actions

encrypt

encrypt the supplied file using the provided vault secret

--encrypt-vault-id <ENCRYPT_VAULT_ID>

the vault id used to encrypt (required if more than vault-id is provided)

--output

output file name for encrypt or decrypt; use - for stdout

decrypt

decrypt the supplied file using the provided vault secret

--output

output file name for encrypt or decrypt; use - for stdout

encrypt_string

encrypt the supplied string using the provided vault secret

--encrypt-vault-id <ENCRYPT_VAULT_ID>

the vault id used to encrypt (required if more than vault-id is provided)

--output

output file name for encrypt or decrypt; use - for stdout

--stdin-name <ENCRYPT_STRING_STDIN_NAME>

Specify the variable name for stdin

-n, --name

Specify the variable name

-p, --prompt

Prompt for the string to encrypt

view

open, decrypt and view an existing vaulted file using a pager using the supplied vault secret

rekey

re-encrypt a vaulted file with a new secret, the previous secret is required

--encrypt-vault-id <ENCRYPT_VAULT_ID>

the vault id used to encrypt (required if more than vault-id is provided)

create

create and open a file in an editor that will be encrypted with the provided vault secret when closed

--encrypt-vault-id <ENCRYPT_VAULT_ID>

the vault id used to encrypt (required if more than vault-id is provided)

edit

open and decrypt an existing vaulted file in an editor, that will be encrypted again when closed

--encrypt-vault-id <ENCRYPT_VAULT_ID>

the vault id used to encrypt (required if more than vault-id is provided)

Environment

The following environment variables may be specified.

ANSIBLE_CONFIG – Override the default ansible config file

Many more are available for most options in ansible.cfg

Files

/etc/ansible/ansible.cfg – Config file, used if present

~/.ansible.cfg – User config file, overrides the default config if present

Author

Ansible was originally written by Michael DeHaan.

See the AUTHORS file for a complete list of contributors.

License

Ansible is released under the terms of the GPLv3+ License.

See also

ansible(1), ansible-config(1), ansible-console(1), ansible-doc(1), ansible-galaxy(1), ansible-inventory(1), ansible-playbook(1), ansible-pull(1), ansible-vault(1),