Manage secrets/passwords with Ansible Vault (ansible-vault encrypt_string) – Part 2


In our previous article we discussed how to manage secrets (passwords, keys, certificate files) with Ansible Vault. In this article we cover the next step: creating encrypted variables/strings to embed in YAML with the ansible-vault encrypt_string command.
The ansible-vault encrypt_string command encrypts a provided string and formats the result so that it can be included in ansible-playbook YAML files.

Examples & Usage

1. To encrypt a string provided as a CLI (command line) argument: create a password file (e.g. password_file) and use it as the vault ID, as shown below:

[ansible@localhost ~]$ ansible-vault encrypt_string --vault-id password_file 'string_value' --name 'string_name'
Result:
string_name: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          33303536636266336335636139343634396237383437316537663936366338626534303439656538
          3831356662313738373336396431303030636432636436610a633230613436366530353564653161
          62356538323830656233666431343238333361363335343630343964343739666332313036366436
          6231323765663637620a643430353833393064353366363036613536666366333532373932366264
          6432

Use the string variable and value above in your playbooks.

2. To encrypt a string using a vault-id label:

[ansible@localhost ~]$ ansible-vault encrypt_string --vault-id user@password_file 'string_value' --name 'string_name'
string_name: !vault |
          $ANSIBLE_VAULT;1.2;AES256;user
          62616634356335366433326435643865636238656530666334343962643934333637656231346165
          6439333438623465653937653963353165333365663731640a313166383731613938323338643165
          33306238623832333636373961666533323562313033633364633334353730376461653832333836
          6238393733393630610a313637653765343762313338616630323563636438363832666462643539
          3634

3. To encrypt a string read from stdin and name it ‘string_name’:

[ansible@localhost ~]$ ansible-vault encrypt_string --vault-id user@password_file --stdin-name 'string_name'
Reading plaintext input from stdin. (ctrl-d to end input)
string_value
string_name: !vault |
          $ANSIBLE_VAULT;1.2;AES256;user
          64386436626265626162323238333132323838616366393032616334623361316633393037303663
          3837343539366563346638366539333163393063303832660a633563333337666165396633623366
          37343038623266393638313331343530383630666632666262663930313635343863346336363630
          3064623239616335320a396565633663306565616562396133336164386133623834633430333236
          3962
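
The results above differ in their header line: version 1.1 with no label in example 1, version 1.2 with the label `user` in examples 2 and 3. The Python sketch below is an added example, not code from the original article or from the Ansible project; it reads that header and the hex payload layout (salt, HMAC, ciphertext) of a vaulted value without decrypting it. The function name `inspect_vault_string` is hypothetical.

```python
import binascii
import re

# Result of example 2 above, copied from the article as it would sit in a vars file.
SAMPLE = """\
string_name: !vault |
          $ANSIBLE_VAULT;1.2;AES256;user
          62616634356335366433326435643865636238656530666334343962643934333637656231346165
          6439333438623465653937653963353165333365663731640a313166383731613938323338643165
          33306238623832333636373961666533323562313033633364633334353730376461653832333836
          6238393733393630610a313637653765343762313338616630323563636438363832666462643539
          3634
"""

# Header fields: format version, cipher name, optional vault-id label (1.2 only).
HEADER = re.compile(r"^\$ANSIBLE_VAULT;(\d+\.\d+);(\w+)(?:;(.+))?$")
HEX_LINE = re.compile(r"^[0-9a-f]+$")


def inspect_vault_string(text):
    """Return the unencrypted metadata of one vaulted value; nothing is decrypted."""
    lines = [ln.strip() for ln in text.splitlines()]
    start = next((i for i, ln in enumerate(lines) if ln.startswith("$ANSIBLE_VAULT;")), None)
    match = HEADER.match(lines[start]) if start is not None else None
    if match is None:
        raise ValueError("no well-formed $ANSIBLE_VAULT header found")
    version, cipher, label = match.groups()

    # The payload is every following line of hex, up to the next YAML key.
    body = ""
    for ln in lines[start + 1:]:
        if not HEX_LINE.match(ln):
            break
        body += ln

    # Outer hex decodes to three newline-separated hex fields: salt, HMAC, ciphertext.
    try:
        salt, mac, ciphertext = (binascii.unhexlify(p) for p in binascii.unhexlify(body).split(b"\n"))
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("payload is not salt/HMAC/ciphertext hex") from exc

    return {"version": version, "cipher": cipher, "vault_id": label,
            "salt_bytes": len(salt), "hmac_bytes": len(mac), "ciphertext_bytes": len(ciphertext)}


if __name__ == "__main__":
    print(inspect_vault_string(SAMPLE))
```

The version, cipher name and vault-id label are stored unencrypted, so anyone who can read the YAML file can see which vault ID a value was encrypted with.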

That’s it. This is how you can encrypt strings with ansible-vault. If you have any questions about ansible-vault, feel free to ask in the comments section.

For more information, please see the official Ansible documentation.

Avinash Pawar

DevOps Practitioner interested in learning new technologies and interested in sharing the knowledge with others.
