In [5]:
cd ~/src/Classes/Ansible

/Users/rick446/src/Classes/Ansible


# The Ansible Vault

We often need to store sensitive data but would prefer not to store it in clear text (database credentials, third-party API keys, etc.). Ansible's solution to this is the **Vault**.

Any Ansible YAML file can be encrypted and then used in a playbook. We can create encrypted YAML files using `ansible-vault`, e.g.:

```
ansible-vault create vault.yml
```

We can also edit existing vault files (if we have the `EDITOR` environment variable configured):

```
export EDITOR='subl -w'    # or vi or whatever
ansible-vault edit stack-key.yml
```

We can also use the `--vault-password-file` option. Of course, you need to use restrictive permissions on this file and ensure it's never checked into source control. (The file is just a single line with the password, in plain text.)
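The notes say the password file needs restrictive permissions and must stay out of source control; the following added shell helpers (not part of the course notes) do that in one place: they create the file with a random password under `umask 077`, add it to `.gitignore`, and check the three properties `--vault-password-file` depends on before each run. The file names `vault-password.txt` and `.gitignore` are the ones assumed here.

```shell
#!/bin/sh
# Added example, not from the course notes: create and verify the vault password file.
# Assumed paths: vault-password.txt and .gitignore in the current directory.

# Print a file's permission bits portably (GNU stat first, BSD/macOS stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Create a password file holding one line of 64 hex characters (32 random bytes).
# The umask in the subshell means the file is never group- or world-readable, even briefly.
create_vault_password_file() {
    pwfile=$1
    ( umask 077
      # ansible-vault reads the whole first line as the password, so no trailing spaces
      head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n' > "$pwfile"
      echo >> "$pwfile" )
    chmod 600 "$pwfile"
}

# Add the password file to .gitignore once (idempotent), so it cannot be committed by accident.
ignore_in_git() {
    pwfile=$1; gitignore=$2
    grep -qxF "$pwfile" "$gitignore" 2>/dev/null || echo "$pwfile" >> "$gitignore"
}

# Guard to run before --vault-password-file: file exists, mode is 0600, exactly one line.
check_vault_password_file() {
    pwfile=$1
    [ -f "$pwfile" ] || { echo "missing: $pwfile" >&2; return 1; }
    [ "$(file_mode "$pwfile")" = "600" ] || { echo "bad mode on $pwfile: $(file_mode "$pwfile")" >&2; return 1; }
    [ "$(wc -l < "$pwfile" | tr -d ' ')" -eq 1 ] || { echo "$pwfile must contain exactly one line" >&2; return 1; }
    return 0
}

# Usage (same file name as the notes):
#   create_vault_password_file vault-password.txt
#   ignore_in_git vault-password.txt .gitignore
#   check_vault_password_file vault-password.txt && \
#       ansible-vault --vault-password-file vault-password.txt view vault.yaml
```

The mode check matters more than it looks: a password file that is readable by other local users turns every vaulted secret in the repository into plaintext for them, and `ansible-vault` itself does not refuse a world-readable password file.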

In [8]:
%%bash
ansible-vault --vault-password-file vault-password.txt view vault.yaml

foo: bar
baz: bat
anything: |
  Can go here, but it's usually nice to have YAML so we
  can use this in an "include_vars" statement....


## Single string encryption

Sometimes you may just want to embed an encrypted value directly in your playbook. For that, we have

```
ansible-vault encrypt_string
```

In [10]:
%%bash
ansible-vault --vault-password-file vault-password.txt encrypt_string "this is super seekrit"

!vault |
          $ANSIBLE_VAULT;1.1;AES256
          31393366356333313566346465333839643761653065623062363230386662376262313663363539
          6635366137386261353731323065313832303933313036630a613231363333643363373762373937
          31623565316532323132346663343834306562386137313032313537613465336631656630616338
          6639306530666464610a313061343966646262393530323931636639353163396637306334616133
          36653830323234323330376531363537653965306137623033636136613534356363


In [12]:
%%bash
ansible-playbook --vault-password-file vault-password.txt playbooks/vault-demo2.yaml


PLAY [localhost] ***************************************************************

TASK [Show the encrypted value] ************************************************
ok: [localhost] => {
    "encrypted_value": "this is super seekrit"
}

PLAY RECAP *********************************************************************
localhost                  : ok=1    changed=0    unreachable=0    failed=0   
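The notes run `playbooks/vault-demo2.yaml` without showing it. The added shell block below (not the course's own file) writes a playbook that is assumed to be equivalent, pasting in the ciphertext that `encrypt_string` printed above, so the same "Show the encrypted value" task can be reproduced; the helper that counts `!vault` values is also an addition.

```shell
#!/bin/sh
# Added example, not from the course notes. The playbook content is an assumed
# reconstruction of playbooks/vault-demo2.yaml; the ciphertext is the encrypt_string output
# shown in the notes, and decrypts only with the same vault-password.txt.

write_vault_demo_playbook() {
    out=$1
    cat > "$out" <<'EOF'
---
- hosts: localhost
  gather_facts: false
  vars:
    # Pasted from the encrypt_string output. The !vault tag tells Ansible to decrypt the
    # block scalar at load time; without the tag the hex text would just be a plain string.
    encrypted_value: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          31393366356333313566346465333839643761653065623062363230386662376262313663363539
          6635366137386261353731323065313832303933313036630a613231363333643363373762373937
          31623565316532323132346663343834306562386137313032313537613465336631656630616338
          6639306530666464610a313061343966646262393530323931636639353163396637306334616133
          36653830323234323330376531363537653965306137623033636136613534356363
  tasks:
    - name: Show the encrypted value
      debug:
        var: encrypted_value
EOF
}

# Count the inline !vault values in a playbook: a cheap check that a secret was pasted
# as ciphertext rather than as its plaintext before the file is committed.
count_inline_vault_values() {
    grep -c '!vault |' "$1"
}

# Usage (requires ansible and the same password file as the notes):
#   write_vault_demo_playbook playbooks/vault-demo2.yaml
#   ansible-playbook --vault-password-file vault-password.txt playbooks/vault-demo2.yaml
```

The indentation under `!vault |` is whatever `encrypt_string` printed; YAML only requires it to be consistent within the block scalar. `encrypt_string` also accepts `--name encrypted_value`, which prints the `encrypted_value: !vault |` line for you so the whole stanza can be pasted without editing.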



# Encrypting an existing YAML file

We can also encrypt and decrypt existing YAML files using `ansible-vault encrypt` and `ansible-vault decrypt`:

In [15]:
%%bash
ansible-vault --vault-password-file vault-password.txt decrypt vault.yaml
cat vault.yaml

foo: bar
baz: bat
anything: |
  Can go here, but it's usually nice to have YAML so we
  can use this in an "include_vars" statement....

In [16]:
%%bash
ansible-vault --vault-password-file vault-password.txt encrypt vault.yaml
cat vault.yaml

$ANSIBLE_VAULT;1.1;AES256
32383936333163633136343638393430666237393036376333373862303934326134313666313036
6134393065396232333134303139643166313235383032660a323534633935353532633133643630
63333935363566626235306233303731353033666134626535303364643338613565393131336639
6235313939633337310a653739303635323739623634323365653031303438373230333466656236
61303638313039363735306163616132663339653936303530386666373966363532633839663630
61343831623431323161396336383038313063353336393332353435303032303437623465616165
35346233396464613236303465303133653163613331626564363534623337643335323261333566
63666434383262333961323462656235396633396463363131633830313534313734353434626536
64646163383237336565623561616531386131656131653636343366633932323562643634626636
36323866616566653331353339303733393238353532656330313666303236303033363062343165
313563643938393665666135656234346231
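The decrypt-then-re-encrypt cycle above leaves a window in which `vault.yaml` is plaintext on disk, and a forgotten re-encrypt is exactly how secrets end up in git history. The following added shell guard (not from the course notes) recognises an encrypted vault file by its `$ANSIBLE_VAULT` header and hex body and reports any file that should be vaulted but is not; the naming convention it enforces (files called `vault*.yml` or `vault*.yaml` must be encrypted) is an assumption.

```shell
#!/bin/sh
# Added example, not from the course notes: a pre-commit style guard that refuses to let
# a decrypted vault file reach source control. The naming convention is an assumption.

# An encrypted file starts with the $ANSIBLE_VAULT header (format 1.1, or 1.2 when a
# vault id is used) and every following line is hex text.
is_vault_encrypted() {
    file=$1
    head -n 1 "$file" | grep -Eq '^\$ANSIBLE_VAULT;1\.[12];AES256' || return 1
    # any non-hex line after the header means plaintext or a damaged body
    ! tail -n +2 "$file" | grep -Evq '^[0-9a-f]*$'
}

# Scan a tree for files that should be vaulted and report any that are plaintext.
# Returns 1 if at least one offending file was found, so it can gate a commit or a CI job.
# (Paths are word-split, so this assumes vault file names without spaces.)
find_plaintext_vault_files() {
    dir=$1
    status=0
    for f in $(find "$dir" -type f \( -name 'vault*.yml' -o -name 'vault*.yaml' \)); do
        if ! is_vault_encrypted "$f"; then
            echo "NOT ENCRYPTED: $f" >&2
            status=1
        fi
    done
    return $status
}

# Usage as a git hook: put "find_plaintext_vault_files ." in .git/hooks/pre-commit,
# or run it in CI before anything else touches the repository.
```

The header check alone is not enough: a file that keeps the header but has had plaintext appended below it would still be committed, which is why the body is also required to be hex. The check is deliberately format-only and never needs the vault password, so it can run on any machine that sees the repository.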


# Lab

Practice using the various `ansible-vault` commands:

- encrypt
- decrypt
- create
- edit
- view
- encrypt_string