How To: Encrypt Files with Ansible Vault

Ansible

Ansible Vault

Ansible Vault is a technology that allows you to encrypt values of variables or even encrypt whole files to minimise security risks associated with storing such information in your Ansible playbooks, vars files or roles.

You usually employ the ansible-vault command and supply a passphrase to encrypt and decrypt information.

Ansible Vault is a fascinating and fully implemented concept, so you can have multiple storage areas (vault-ids) and provide separate passphrases for encrypting different types of information.

Why You Should Encrypt Files

If leaking a particular file could lead to considerable security threat or loss of service - please consider whether you should be storing such information in cleartext at all. Taking this step further, in case of Ansible and Git repos storing Ansible code, quite often you’re uploading code to centralised cloud storage. So the risk of compromising data is even greater - meaning you should either avoid uploading such files or take steps to encrypt them.

What Files You Should Encrypt

Here’s just a few of the file types that I encrypt with Ansible Vault before uploading them into private GitHub repository:

• private keys for webservers (they’re needed for validation on each web server that uses an SSL cert)
• passwords (like DB password or any other password) - many software products expect passwords to be stored in cleartext format on the server that’s running the software. But this doesn’t mean the same credentials should stay unencrypted “at rest” in my Ansible repository - be it my deployment laptop or git repository
• unique identifiers that would expose too much of my infrastructure or highlight a proprietary software name
• pre-shared VPN keys - most VPNs of mine are peer-to-peer, so even with the leaked pre-shared key it would be hard to break in - but I certainly feel much better if I encrypt such keys or even hashes

Encrypting Files with Ansible Vault

Let’s assume I want to encrypt an htpasswd file for one of my servers.

greys@server $ cat htpasswd
testuser:This.IS.A.TEST!

Let’s encrypt it. We run the ansible-vault command, specify action - encrypt and supply the file to be encrypted - htpasswd. The command asks for a password that will later be needed to decrypt the file.

IMPORTANT: there is no way to get the original file contents if you encrypt it and forget the password. Please make a backup of the unencrypted file before doing this. Please also save the password into your password management tool (I use 1Password) before proceeding.

greys@server $ ansible-vault encrypt htpasswd
New Vault password:
Confirm New Vault password:
Encryption successful

Excellent! We should have an encrypted file instead of the original one now:

greys@server $ cat htpasswd
$ANSIBLE_VAULT;1.1;AES256
65336237326537336432653032356565666535373065623433373731346265386261393463343336
3639643533373161653339336237373730633065383434360a343066653764373939303630333464
31373235393330666531616330353030323737623834313534623261643762313864363566656435
6231313339363931330a396363353336373736623935636239616239323330363730653062366539
37386538663934363961333934313966636234373136633937396330336265653866

Using Encrypted Data with Ansible

This is really a topic of a separate post. I promise I’ll write one up really soon.

But if you must get an answer now - please explore the official Ansible Vault docs and also supply the --ask-vault-pass option when running your Ansible playbooks.

That’s it for now! Will try and make time to learn and write more about Ansible Vault soon.

See Also

• Official Ansible Vault documentation
• Ansible Reference
• ansible-vault command
• Password protect an nginx website
• Docker module in Ansible
• Create backups when deploying with Ansible
• Ansible: Could Not Match Supplied Host Pattern error