Handle sensitive data in Ansible

First we need a file, which contains the secrets. In my example the file is calles “secrets_demo.enc” and contains originally the following content:

sql_root_pw: Sup3rStr0ng
another_sql_pw: notThatSecure

This file needs to be encrypted by ansible vault:

ansible-vault encrypt secrets.enc
New Vault password:
Confirm New Vault password:
Encryption successful

Afterwrads, the file looks like the following:


In ansible playbooks the passwords can be used like “{{ sql_root_pw }}”. But for the playbook to know this variables it needs to be called like this:

ansible-playbook -e secrets.enc --ask-vault-pass execute-setup.yaml

As you can see with the option “–ask-vault-pass” you will be prompted to enter your vaults password every time you run the playbook.

The fault can be edited:

ansible-vault edit secrets_demo.enc
Vault password:

Or even decrypted:

ansible-vault decrypt secrets_demo.enc
Vault password:

Afterwards you need of course to encrypt it again.