```bash
$ nano ~/.bashrc
# add the following to the end of .bashrc file then save it.
export EDITOR=nano

# source the modified .bashrc file as below
$ . ~/.bashrc

# verify the new environmental variable
$ echo $EDITOR
```
Creating new encrypted files
```bash
# ansible-vault command to create new vault.yml file
$ ansible-vault create vault.yml

# Output as below
# Input the new vault password to encrypt it
New Vault password:
Confirm New Vault password:

# New vault.yml file will be opened in nano
# Input some text to be encrypted
# Then check the content of vault.yml as below
$ cat vault.yml

# Output
$ANSIBLE_VAULT;1.1;AES256
65316332393532313030636134643235316439336133363531303838376235376635373430336333
3963353630373161356638376361646338353763363434360a363138376163666265336433633664
30336233323664306434626363643731626536643833336638356661396364313666366231616261
3764656365313263620a383666383233626665376364323062393462373266663066366536306163
31643731343666353761633563633634326139396230313734333034653238303166
```
Encrypting the existing file
```bash
# Create a dummy text file
$ echo 'unencrypted stuff' > encrypt_me.txt

# Encrypt the text file with the ansible vault command as below
$ ansible-vault encrypt encrypt_me.txt

# Output
New Vault password:
Confirm New Vault password:
Encryption successful

# Verify the encrypted file
$ cat encrypt_me.txt

# Output
$ANSIBLE_VAULT;1.1;AES256
66633936653834616130346436353865303665396430383430353366616263323161393639393136
3737316539353434666438373035653132383434303338640a396635313062386464306132313834
34313336313338623537333332356231386438666565616537616538653465333431306638643961
3636663633363562320a613661313966376361396336383864656632376134353039663662666437
39393639343966363565636161316339643033393132626639303332373339376664
```
Viewing encrypted files
```bash
# Use the following command to view the encrypted file
$ ansible-vault view vault.yml

# Output
Vault password:
Secret information
```
Editing encrypted files
```bash
# Use the following command to edit the encrypted file
$ ansible-vault edit vault.yml

# Output
Vault password:

# It will open vault.yml file in nano
```
Manually decrypting encrypted files
```bash
# Use the command below to decrypt encrypted file
$ ansible-vault decrypt vault.yml

# Output
Vault password:
Decryption successful

# It will decrypt the vault.yml file into plain text now
```
Note: Because of the increased likelihood of accidentally committing sensitive data to your project repository, the ansible-vault decrypt command is only suggested for when you wish to remove encryption from a file permanently. If you need to view or edit a vault encrypted file, it is usually better to use the ansible-vault view or ansible-vault edit commands, respectively.
```bash
# Use --ask-vault-pass option to get interactive prompt for vault password
$ ansible --ask-vault-pass -bK -m copy -a 'src=secret_key dest=/tmp/secret_key mode=0600 owner=root group=root' localhost
```
```bash
# Use --vault-password-file=.vault_pass for hidden password file
# Ensure that .vault_pass file is added to .gitignore
$ ansible --vault-password-file=.vault_pass -bK -m copy -a 'src=secret_key dest=/tmp/secret_key mode=0600 owner=root group=root' localhost
```
Reading the Password File Automatically
```bash
# Method 1
# Add the variable ANSIBLE_VAULT_PASSWORD_FILE to .bashrc
export ANSIBLE_VAULT_PASSWORD_FILE=./.vault_pass

# Run ansible again without --vault-password-file
$ ansible -bK -m copy -a 'src=secret_key dest=/tmp/secret_key mode=0600 owner=root group=root' localhost

# Method 2
# Add vault_password_file to ansible.cfg
[defaults]
...
vault_password_file = ./.vault_pass

# Run ansible again without --vault-password-file
$ ansible -bK -m copy -a 'src=secret_key dest=/tmp/secret_key mode=0600 owner=root group=root' localhost
```
Now, when you run commands that require decryption, you will no longer be prompted for the vault password. As a bonus, ansible-vault will not only use the password in the file to decrypt any files, but it will also apply the password when creating new files with ansible-vault create and ansible-vault encrypt.
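The note about accidentally committing decrypted data, and the reminder to keep .vault_pass in .gitignore, can both be enforced before a commit. The script below is an added example, not part of the original tutorial: its function names are hypothetical, and it assumes the password file is listed by its exact name in the ignore file.

```bash
#!/usr/bin/env bash
# Added example: vault hygiene checks. Function names are hypothetical;
# vault.yml, .vault_pass and .gitignore are the tutorial's file names.

# Succeeds only if the first line is a vault header such as
# $ANSIBLE_VAULT;1.1;AES256, i.e. the file is still encrypted on disk.
is_vault_encrypted() {
    local first=''
    [ -f "$1" ] || return 1
    IFS= read -r first < "$1" || [ -n "$first" ] || return 1
    case "$first" in
        '$ANSIBLE_VAULT;'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeeds only if the password file exists, grants nothing to group or
# other, and is listed verbatim in the ignore file. Assumption: a literal
# line match stands in for full gitignore pattern semantics.
password_file_is_safe() {
    local pw=$1 ignore=$2 perms=''
    [ -f "$pw" ] || { echo "missing: $pw" >&2; return 1; }
    perms=$(ls -ld -- "$pw" | cut -c5-10)
    [ "$perms" = "------" ] ||
        { echo "group/other can access $pw ($perms)" >&2; return 1; }
    grep -qxF -- "$(basename "$pw")" "$ignore" 2>/dev/null ||
        { echo "$pw is not listed in $ignore" >&2; return 1; }
}

# Checks the password file and every listed secrets file. The return code
# is the number of problems found, so 0 means safe to commit.
check_vault_hygiene() {
    local pw=$1 ignore=$2 problems=0 f=''
    shift 2
    password_file_is_safe "$pw" "$ignore" || problems=$((problems + 1))
    for f in "$@"; do
        if ! is_vault_encrypted "$f"; then
            echo "not vault-encrypted: $f" >&2
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Script usage: check.sh .vault_pass .gitignore vault.yml [more files...]
if [ "$#" -ge 2 ]; then check_vault_hygiene "$@"; fi
```

A file left behind by ansible-vault decrypt fails the header check, so calling this from a pre-commit hook blocks the commit until the file is encrypted again.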