Handle sensitive data in Ansible

First we need a file that contains the secrets. In my example the file is called “secrets_demo.enc” and initially has the following plaintext content:

sql_root_pw: Sup3rStr0ng
another_sql_pw: notThatSecure

This file needs to be encrypted with ansible-vault:

ansible-vault encrypt secrets_demo.enc
New Vault password:
Confirm New Vault password:
Encryption successful

Afterwards, the file looks like this: a header naming the vault format version and cipher, followed by the hex-encoded encrypted payload. Only this encrypted form should ever be committed to version control:

$ANSIBLE_VAULT;1.1;AES256
 33356535376533383633396561346461623262633966343334343133333738373534333066633964
 6364633939363163366235353662306665323461313365340a303834373564656464343332373137
 62633963323765343339643466366438376138663932623536663838326634323138633165343539
 3435313930323831320a633633333534653634366464616635393864653066626337613234316237
 32653461356565316161303234326562643966653236356338653364616364366235666434323537
 36666636343534633530336235663335653438623961616238383334633036623735393266633865
 623036353162613532336130316330343030

In Ansible playbooks the passwords can then be used like any other variable, e.g. “{{ sql_root_pw }}”. But for the playbook to know these variables, the encrypted file has to be passed in as extra vars (note the “@”, which tells -e to read the variables from a file rather than treating the argument as a literal) and the playbook has to be run with the vault password:

ansible-playbook -e @secrets_demo.enc --ask-vault-pass execute-setup.yaml

As you can see, with the option “--ask-vault-pass” you will be prompted to enter your vault password every time you run the playbook. Two things worth knowing in practice: for unattended runs (CI, cron) the password can instead be read from a file with “--vault-password-file”, which then has to be protected as strictly as the secrets themselves; and tasks that use these variables should set “no_log: true”, otherwise the decrypted values can end up in the playbook output and in logs.

The vault file can be edited in place; ansible-vault decrypts it to a temporary file, opens your editor and re-encrypts it when you close the editor (to only read it, use “ansible-vault view” instead):

ansible-vault edit secrets_demo.enc
Vault password:

Or even decrypted, which replaces the file on disk with its plaintext:

ansible-vault decrypt secrets_demo.enc
Vault password:

Afterwards you of course need to encrypt it again with “ansible-vault encrypt” before the file is committed or left behind on a shared machine. Since edit and view never leave the plaintext on disk, prefer them and reserve decrypt for the cases where you really need the cleartext file.
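A check that follows from the last point, added here as an example (it is not part of the original post): a small shell script that refuses to accept a secrets file unless it starts with the Ansible Vault header, so a secrets_demo.enc that was decrypted and not re-encrypted cannot slip into a commit. The script name, the “*.enc” file name pattern and the pre-commit wiring are assumptions; adjust them to where your secrets live.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): refuse plaintext secrets files.
# An Ansible Vault file starts with a header line of the form
#   $ANSIBLE_VAULT;<format version>;<cipher>[;<vault id>]
# e.g. "$ANSIBLE_VAULT;1.1;AES256" or "$ANSIBLE_VAULT;1.2;AES256;dev".
set -eu

# Return 0 if the first line of $1 is an Ansible Vault header, 1 otherwise.
# A missing, unreadable or empty file also counts as "not encrypted".
is_vault_encrypted() {
    local file="$1"
    local header=""
    [ -f "$file" ] || return 1
    # Read only the first line; `|| true` covers a file without a trailing newline.
    IFS= read -r header < "$file" || true
    case "$header" in
        '$ANSIBLE_VAULT;1.'[0-9]';AES256'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Check every path given as an argument; report offenders on stderr and
# return 1 if at least one of them is not vault-encrypted.
check_secret_files() {
    local rc=0 f
    for f in "$@"; do
        if ! is_vault_encrypted "$f"; then
            echo "REFUSING: $f is not encrypted with ansible-vault" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Direct use (hypothetical script name):
#   ./check_vault_files.sh group_vars/all/secrets_demo.enc
# With no arguments the script does nothing, so it can also be sourced.
if [ "$#" -gt 0 ]; then
    check_secret_files "$@"
fi
```

To use it as a git pre-commit hook, feed it the staged secrets files, e.g. `git diff --cached --name-only --diff-filter=AM -- '*.enc' | xargs ./check_vault_files.sh`; a non-zero exit aborts the commit. The check only inspects the header, so it catches the "forgot to re-encrypt" mistake described above, not a weak vault password or a secret placed in an unencrypted file with a different name.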