The Ansible vault

As you saw in the previous section, Ansible variables often carry sensitive information such as usernames and passwords. It is a good idea to put some security measures around these variables so that the information is safeguarded. Ansible Vault provides encryption for such files instead of leaving them in plain text.

All Ansible Vault functions start with the ansible-vault command. You can manually create an encrypted file via the create option. You will be asked to enter a password. If you try to view the file afterwards, you will find that it is not in clear text:

$ ansible-vault create secret.yml
Vault password:

$ cat secret.yml
$ANSIBLE_VAULT;1.1;AES256
336564626462373962326635326361323639323635353630646665656430353261383737623<skip>653537333837383863636530356464623032333432386139303335663262
3962

You can later on edit the file via the edit option or view the file via the view option:

$ ansible-vault edit secret.yml
Vault password:

$ ansible-vault view secret.yml
Vault password:

Let's encrypt the group_vars/all and host_vars/localhost variable files:

$ ansible-vault encrypt group_vars/all host_vars/localhost
Vault password:
Encryption successful

Now, when we run the playbook, we will get a decryption failed error message:

ERROR! Decryption failed on /home/echou/Master_Python_Networking/Chapter5/Vaults/group_vars/all

We will need to use the --ask-vault-pass option when we run the playbook:

$ ansible-playbook chapter5_10.yml --ask-vault-pass
Vault password:

The decryption happens in memory for any vault-encrypted file that is accessed.

Currently, the vault requires all files to be encrypted with the same password.

We can also save the password in a file, making sure that the file has restricted permissions:

$ chmod 400 ~/.vault_password.txt
$ ls -lia ~/.vault_password.txt
809496 -r-------- 1 echou echou 9 Feb 18 12:17 /home/echou/.vault_password.txt

We can then execute the playbook with the --vault-password-file option:

$ ansible-playbook chapter5_10.yml --vault-password-file ~/.vault_password.txt
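As an added example (not code from the book), here is a small Python pre-flight check that applies the two safeguards above before a playbook runs: every file under group_vars/ and host_vars/ must carry the $ANSIBLE_VAULT header with a hex-only body, and the vault password file must be readable by its owner only. The inventory layout, file contents and password used in demo() are constructed for the demonstration; the 1.2 header form with a trailing vault-id label is a known Ansible format variant, not one shown on this page.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Header that ansible-vault writes: $ANSIBLE_VAULT;<format version>;<cipher>[;<vault id label>]
VAULT_HEADER = re.compile(r"^\$ANSIBLE_VAULT;1\.[12];AES256(?:;[^;\s]+)?$")


def is_vault_encrypted(text: str) -> bool:
    """True when the content has the vault header and an all-hex body (no clear text)."""
    lines = text.splitlines()
    if len(lines) < 2 or not VAULT_HEADER.match(lines[0].strip()):
        return False
    body = "".join(line.strip() for line in lines[1:])
    return all(c in "0123456789abcdef" for c in body)


def find_plaintext_var_files(inventory_root: str) -> list:
    """List files under group_vars/ and host_vars/ that are not vault-encrypted."""
    root = Path(inventory_root)
    offenders = []
    for sub in ("group_vars", "host_vars"):
        if not (root / sub).is_dir():
            continue
        for path in sorted((root / sub).rglob("*")):
            if path.is_file() and not is_vault_encrypted(path.read_text(errors="replace")):
                offenders.append(str(path.relative_to(root)))
    return offenders


def password_file_is_private(path: str) -> bool:
    """True when the vault password file has no group/other permission bits (as after chmod 400)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def demo() -> dict:
    """Build a constructed inventory in a temp dir and run both checks on it."""
    root = Path(tempfile.mkdtemp())
    (root / "group_vars").mkdir()
    (root / "host_vars").mkdir()
    # Constructed sample: vault-style header plus a hex body (not real ciphertext).
    (root / "group_vars" / "all").write_text("$ANSIBLE_VAULT;1.1;AES256\n" + "3336353634" * 8 + "\n3962\n")
    # Constructed sample of a variable file that was never encrypted.
    (root / "host_vars" / "localhost").write_text("username: echou\npassword: plaintext-here\n")
    pw = root / ".vault_password.txt"
    pw.write_text("constructed-vault-password\n")
    pw.chmod(0o400)  # same restriction the chmod 400 above applies
    return {"plaintext": find_plaintext_var_files(str(root)),
            "password_file_private": password_file_is_private(str(pw))}
```

Run demo() to see the unencrypted host_vars/localhost reported while the password file passes; wiring the two checks into a CI job or pre-commit hook stops a clear-text variable file from reaching the repository.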