Keeping secrets with Ansible Vault

In the last few posts, I’ve talked about using Ansible to configure servers and local environments, and both of those are likely to involve sensitive or secret values: database credentials within your application and on your server, for example, or your SSH private keys within your local environment.

Rather than committing these to a code repository in plain text, you can use the ansible-vault command that ships with Ansible to encrypt them.

To see this working, run ansible-vault encrypt_string my-secret-password, enter a vault password when prompted, and you should see output like this:

!vault |

This is the encrypted version of that password, and this is what can be committed and pushed to a code repository.

You can use it within a playbook; when the playbook runs, you’ll be prompted to re-enter the password so that Ansible can decrypt and use it.

Rather than encrypting a single string, you can encrypt a whole file of variables by running ansible-vault encrypt vault.yml and including it in your playbook as before. Again, Ansible will prompt you for the password so that it can decrypt and use the values.
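The practical risk with a vault.yml file is committing it before it has been encrypted. Files written by ansible-vault encrypt start with a recognisable header line, so a small check can refuse plaintext vault files at commit time. This is an added example, not code from the post or the Dransible repository; the file-name patterns are an assumption about how you name vault files, and the hex body in the constructed sample is a placeholder, not a real ciphertext.

```shell
#!/bin/sh
# Added example (not from the original post): a pre-commit style check that
# refuses to commit a vault file that is still plaintext. Only the header line
# is inspected; the hex body in the constructed sample below is NOT a real
# ciphertext.

# Returns 0 if the file's first line is an ansible-vault header
# ($ANSIBLE_VAULT;1.1;AES256, or the 1.2 form that carries a vault-id label).
is_vault_encrypted() {
  [ -f "$1" ] || return 1
  case "$(head -n 1 "$1")" in
    '$ANSIBLE_VAULT;1.'*';AES256'*) return 0 ;;
    *) return 1 ;;
  esac
}

# Takes the staged paths; any file named like a vault file (*vault*.yml or
# *.vault, an assumed naming convention) that is not encrypted is reported
# and the function returns 1. Files with other names are ignored.
check_staged_vault_files() {
  status=0
  for f in "$@"; do
    case "$(basename "$f")" in
      *vault*.yml|*.vault)
        if ! is_vault_encrypted "$f"; then
          echo "refusing to commit plaintext vault file: $f" >&2
          status=1
        fi ;;
    esac
  done
  return "$status"
}

# Stand-alone demo with constructed files: one carrying a vault header and a
# placeholder hex body, one plaintext. The plaintext one should be refused.
demo_dir=$(mktemp -d)
printf '%s\n%s\n' '$ANSIBLE_VAULT;1.1;AES256' \
  '00000000000000000000000000000000' > "$demo_dir/vault.yml"
printf 'db_password: example-plaintext\n' > "$demo_dir/plain-vault.yml"
check_staged_vault_files "$demo_dir/vault.yml" "$demo_dir/plain-vault.yml" \
  && echo "demo: all vault files encrypted" \
  || echo "demo: plaintext vault file found"
rm -rf "$demo_dir"
```

To wire it into a git pre-commit hook, feed it the staged paths: git diff --cached --name-only --diff-filter=ACM | xargs sh -c 'check_staged_vault_files "$@"' sh (after sourcing the functions).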

For an example of how I’m using Ansible Vault, see the Dransible repository on GitHub or my Deploying PHP applications with Ansible, Ansible Vault and Ansistrano talk.

Want to learn more about how I use Ansible? Register for my upcoming free email course.