As with any automation system, Ansible needs a secure way to store secrets.

In the case of Ansible, that system is calledAnsible Vault.

Ansible Vault provides a cross-platform solution to securely storing credentials.

The main page of the Homepage homelab dashboard with services running on it.

By default AES is used which is a shared-secret based encryption.

Both file and variable encryption methods have their benefits and drawbacks.

File Encryption

To create a new encrypted file named

, simply use the followingansible-vaultcommand.

Terminal window showing the manual page for the Mutt email client on Linux

Similarly, to encrypt a previously unencrypted file, use the followingansible-vaultcommand.

Note that this uses theencryptparameter rather than thecreateparameter.

The downside to using file encryption is readability.

Article image

After prompting you for a password, you will get the following encrypted string.

Using Ansible Vault in Practice

You may realize that using Ansible Vault in production is a challenge.

To effectively use Ansible Vault, the following techniques make this process easier.

To reference this stored password, simply pass in the file location using thevault-password-fileparameter.

This will decrypt any included encrypted files or variables using the included password.

It is very important not to commit your plaintext password file into your version control system.

An example of this would be separating a production and development environment.

Let’s say we want to encrypt the samemy_secretvariable, but this time store that in ourprodvault.

Just as before, usingencrypt_stringbut with the relevantvault-idallows storing of the secret in the specified location.

You will notice that after theAES256string, a new piece of text,prodis shown.

This indicates the vault that the encrypted text is located in.

What if you want to include multiple vaults in a single playbook?

you could easily pass in multiplevault-iddeclarations on anansible-playbookcommand line.

Rekeying

Finally, it’s important to regularly cycle your passwords.

For files that are encrypted, you could use the command line below.

Passing in thenew-vault-idparameter makes it easy to change the password that the secrets are encrypted with.

As noted above, command line rekeying does not work for encrypted variables.

In this case, you will need to individually re-encrypt the strings and replace them in a given playbook.

Best Practices

Security is difficult, especially when it comes to using secrets within automation systems.

With that in mind, below are several best practices to use when utilizing Ansible Vault.

Though we have covered some of these previously, it is prudent to reiterate those practices.

With Ansible Vault, that process is made easy and flexible.

Using the best practices outlined above, storing and using secrets within Ansible is safe and secure.