
# The Ansible Vault

We often need to store sensitive data (database credentials, third-party API keys, etc.) but would prefer not to keep it in clear text alongside the rest of our playbooks. Ansible's solution to this is the **Vault**: files, or individual values, are encrypted with a password, and Ansible decrypts them in memory when the playbook runs, so only ciphertext ever goes into source control.

Any Ansible YAML file can be encrypted and then used in a playbook just as if it were plain YAML. We can create a new encrypted YAML file using `ansible-vault`, which prompts for a password and then opens an editor for the contents:

```
ansible-vault create vault.yaml
```

We can also edit existing vault files (if we have the `EDITOR` environment variable configured; `ansible-vault edit` decrypts to a temporary file, runs the editor on it, and re-encrypts when the editor exits, which is why a GUI editor needs a "wait" flag such as `subl -w`):

```
export EDITOR='subl -w'    # or vi or whatever
ansible-vault edit stack-key.yml
```

Rather than typing the password at every prompt, we can use the `--vault-password-file` option (or set `ANSIBLE_VAULT_PASSWORD_FILE`). The file is just a single line with the password in plain text, so give it restrictive permissions (`chmod 600`), keep it out of the repository (add it to `.gitignore` or store it outside the tree), and treat it like the secret it is. If the file is executable, `ansible-vault` runs it and uses whatever it prints to stdout as the password, which lets you fetch the password from a secrets manager or keychain instead of leaving it on disk. The same option has to be given to `ansible-playbook` when a play loads vaulted files.
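As an added example (not part of the original class notes), this is the kind of pre-commit check a practitioner would run to enforce those rules: every file that is supposed to be a vault must start with the `$ANSIBLE_VAULT;` header, and the password file must be mode 0600 and covered by `.gitignore`. The paths in `DEMO_VAULT_FILES` and `DEMO_PASSWORD_FILE` and the throwaway repository that `run_demo()` builds are constructed for the demo; the placeholder vault body is not real ciphertext.

```python
"""Vault hygiene check: added example, not from the original page.

Verifies that files meant to hold vaulted vars are really encrypted (they start
with the $ANSIBLE_VAULT; header) and that the vault password file is private
(mode 0600) and ignored by git.  Paths below are hypothetical; run_demo() builds
a throwaway tree in a temp dir to exercise the checks."""
import fnmatch
import os
import stat
import tempfile

VAULT_HEADER = b"$ANSIBLE_VAULT;"

# Hypothetical layout used by the demo (a real hook would take these from argv or a config).
DEMO_VAULT_FILES = ["group_vars/all/vault.yml", "group_vars/prod/vault.yml"]
DEMO_PASSWORD_FILE = "vault-password.txt"


def is_vault_encrypted(path):
    """True if the file begins with the ansible-vault header, i.e. it is ciphertext, not YAML."""
    with open(path, "rb") as fh:
        return fh.read(len(VAULT_HEADER)) == VAULT_HEADER


def gitignore_covers(repo_root, rel_path):
    """True if a (simple, fnmatch-style) pattern in .gitignore matches rel_path or its basename."""
    ignore = os.path.join(repo_root, ".gitignore")
    if not os.path.isfile(ignore):
        return False
    base = os.path.basename(rel_path)
    with open(ignore) as fh:
        for raw in fh:
            pat = raw.strip()
            if not pat or pat.startswith("#"):
                continue
            pat = pat.lstrip("/")
            if fnmatch.fnmatch(rel_path, pat) or fnmatch.fnmatch(base, pat):
                return True
    return False


def check_vault_hygiene(repo_root, vault_files, password_file):
    """Return a list of problem strings; an empty list means the tree is safe to commit."""
    problems = []
    for rel in vault_files:
        full = os.path.join(repo_root, rel)
        if not os.path.isfile(full):
            problems.append(f"{rel}: missing")
        elif not is_vault_encrypted(full):
            problems.append(f"{rel}: not encrypted (no {VAULT_HEADER.decode()} header)")
    pw = os.path.join(repo_root, password_file)
    if os.path.isfile(pw):
        mode = stat.S_IMODE(os.stat(pw).st_mode)
        if mode & 0o077:
            problems.append(f"{password_file}: mode {mode:04o} is group/world readable; use 0600")
        if not gitignore_covers(repo_root, password_file):
            problems.append(f"{password_file}: not in .gitignore")
    return problems


def _write(root, rel, data, mode=None):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)
    if mode is not None:
        os.chmod(full, mode)


def run_demo():
    """Build a constructed repo with two mistakes, check it, fix the password file, check again."""
    root = tempfile.mkdtemp()
    # Constructed placeholder: only the header matters to the check; the body is not real ciphertext.
    _write(root, DEMO_VAULT_FILES[0], b"$ANSIBLE_VAULT;1.1;AES256\n3031323334\n")
    # Mistake 1: someone ran `ansible-vault decrypt` and forgot to re-encrypt.
    _write(root, DEMO_VAULT_FILES[1], b"db_password: hunter2\n")
    # Mistake 2: world-readable password file that git would happily commit.
    _write(root, DEMO_PASSWORD_FILE, b"correct horse battery staple\n", 0o644)
    _write(root, ".gitignore", b"*.retry\n")
    before = check_vault_hygiene(root, DEMO_VAULT_FILES, DEMO_PASSWORD_FILE)

    os.chmod(os.path.join(root, DEMO_PASSWORD_FILE), 0o600)
    with open(os.path.join(root, ".gitignore"), "ab") as fh:
        fh.write(b"/" + DEMO_PASSWORD_FILE.encode() + b"\n")
    after = check_vault_hygiene(root, DEMO_VAULT_FILES, DEMO_PASSWORD_FILE)
    return before, after


if __name__ == "__main__":
    for label, probs in zip(("before", "after"), run_demo()):
        print(label, probs or ["ok"])
```

The `.gitignore` matching is deliberately a small `fnmatch` subset, enough for the common `/vault-password.txt` or `*.txt` entries; a production hook would ask `git check-ignore` instead and take the vault file list from the repository layout rather than a hard-coded list.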

In [8]:
%%bash
ansible-vault --vault-password-file vault-password.txt view vault.yaml

foo: bar
baz: bat
anything: |
  Can go here, but it's usually nice to have YAML so we
  can use this in an "include_vars" statement....


## Single string encryption

Sometimes you may just want to embed a single encrypted value directly in your playbook or vars file, leaving everything else in the file readable (and diffable). For that, we have `ansible-vault encrypt_string`, which prints a `!vault` tagged block to paste in; add `--name some_var` to get a ready-made `some_var: !vault |` entry:

```
ansible-vault encrypt_string
```

In [10]:
%%bash
ansible-vault --vault-password-file vault-password.txt encrypt_string "this is super seekrit"

!vault |
          $ANSIBLE_VAULT;1.1;AES256
          31393366356333313566346465333839643761653065623062363230386662376262313663363539
          6635366137386261353731323065313832303933313036630a613231363333643363373762373937
          31623565316532323132346663343834306562386137313032313537613465336631656630616338
          6639306530666464610a313061343966646262393530323931636639353163396637306334616133
          36653830323234323330376531363537653965306137623033636136613534356363


In [12]:
%%bash
ansible-playbook --vault-password-file vault-password.txt playbooks/vault-demo2.yaml


PLAY [localhost] ***************************************************************

TASK [Show the encrypted value] ************************************************
ok: [localhost] => {
    "encrypted_value": "this is super seekrit"
}

PLAY RECAP *********************************************************************
localhost                  : ok=1    changed=0    unreachable=0    failed=0   

The task prints the decrypted value on purpose, to show that Ansible decrypted it transparently. In a real playbook, any task that handles a vaulted variable should set `no_log: true`; otherwise the secret ends up in console output, `-v` debug output and whatever log files collect it. The Vault protects data at rest; once a play is running, a decrypted value is an ordinary variable.

# Encrypting an existing YAML file

We can also encrypt and decrypt existing YAML files in place using `ansible-vault encrypt` and `ansible-vault decrypt`. Note that `decrypt` writes the plaintext back to disk, so for day-to-day work prefer `view` and `edit`, and make sure a decrypted file is re-encrypted before it is committed. Each `encrypt` uses a fresh random salt, so re-encrypting the same contents yields a different blob every time (expect churn in diffs); to change only the password, use `ansible-vault rekey` instead of a decrypt/encrypt round trip:

In [13]:
%%bash
ansible-vault --vault-password-file vault-password.txt decrypt vault.yaml
cat vault.yaml

foo: bar
baz: bat
anything: |
  Can go here, but it's usually nice to have YAML so we
  can use this in an "include_vars" statement....

In [14]:
%%bash
ansible-vault --vault-password-file vault-password.txt encrypt vault.yaml
cat vault.yaml

$ANSIBLE_VAULT;1.1;AES256
30616165353363393535623863626534303063383661303864343164396631633263646365616165
3466343464353461613363343366383238393766316339320a383539393933343064653364386164
36313138646366333834376361613038646232646138643563356563383435663163363137316438
6433323666386132630a326534346262343636303935373964386563363734646435303432653865
38336166633461626662636130343136373237306461636565313466306461653464336161653536
61313465323263396434633063613535323962343566313437643664333162323061366535393166
33646535373662333533343863623261306530633235656238363237626366366666646638313138
65373934666330373563303533356432306333306461653635353437393236653638303434646639
35613034666562376236663833663435386633663632303066646663633563306337373064633231
62643438373066363366313935343635333563353436646530356464623437373461666531396431
333534626130666664633736383635626163
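What that header and wall of hex actually mean, as an added example that is neither part of the class notes nor Ansible's own code. Using the ciphertext printed above as its input, it splits the payload into salt, HMAC and ciphertext, derives keys the way Ansible's AES256 vault does (PBKDF2-HMAC-SHA256, 10000 iterations, 80 bytes split into AES key, HMAC key and CTR IV), and verifies the HMAC. The password `not-the-real-password` is a made-up guess, so the check fails, which is exactly what `ansible-vault` does before it ever touches AES. Decryption itself is left out because the standard library has no AES; Ansible uses the `cryptography` package for that step.

```python
"""Vault format inspector: added example, not from the original page or from
Ansible's own code.  Parses the $ANSIBLE_VAULT;1.1;AES256 blob that
`ansible-vault encrypt` produced above, derives keys the way Ansible's AES256
vault does, and verifies the HMAC before any decryption would happen.
The password used at the bottom is a made-up wrong guess; the real one is not on the page."""
import hashlib
import hmac

# The ciphertext printed above for vault.yaml, copied line for line (the 80-column
# wrapping is just formatting; the lines are concatenated before hex-decoding).
VAULT_TEXT = "\n".join([
    "$ANSIBLE_VAULT;1.1;AES256",
    "30616165353363393535623863626534303063383661303864343164396631633263646365616165",
    "3466343464353461613363343366383238393766316339320a383539393933343064653364386164",
    "36313138646366333834376361613038646232646138643563356563383435663163363137316438",
    "6433323666386132630a326534346262343636303935373964386563363734646435303432653865",
    "38336166633461626662636130343136373237306461636565313466306461653464336161653536",
    "61313465323263396434633063613535323962343566313437643664333162323061366535393166",
    "33646535373662333533343863623261306530633235656238363237626366366666646638313138",
    "65373934666330373563303533356432306333306461653635353437393236653638303434646639",
    "35613034666562376236663833663435386633663632303066646663633563306337373064633231",
    "62643438373066363366313935343635333563353436646530356464623437373461666531396431",
    "333534626130666664633736383635626163",
])

PBKDF2_ITERATIONS = 10000  # what Ansible's AES256 vault uses for this format


def parse_vault(text):
    """Split a vault file into (salt, hmac, ciphertext) bytes.

    Layout: header line, then hex( salt_hex + "\\n" + hmac_hex + "\\n" + ciphertext_hex ).
    """
    lines = text.strip().splitlines()
    header = lines[0].split(";")
    if header[0] != "$ANSIBLE_VAULT" or header[1] not in ("1.1", "1.2") or header[2] != "AES256":
        raise ValueError(f"unsupported vault header: {lines[0]}")
    payload = bytes.fromhex("".join(lines[1:]))              # outer hex layer
    try:
        salt_hex, mac_hex, ct_hex = payload.split(b"\n", 2)  # inner layer: three hex fields
    except ValueError:
        raise ValueError("payload does not contain salt/hmac/ciphertext fields") from None
    salt, mac, ct = (bytes.fromhex(f.decode("ascii")) for f in (salt_hex, mac_hex, ct_hex))
    if len(salt) != 32 or len(mac) != 32 or len(ct) == 0 or len(ct) % 16:
        raise ValueError("salt and hmac must be 32 bytes; ciphertext must be whole AES blocks")
    return salt, mac, ct


def derive_keys(password, salt):
    """PBKDF2-HMAC-SHA256 -> 80 bytes: AES-256 key, HMAC-SHA256 key, 16-byte CTR IV."""
    km = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=80)
    return km[:32], km[32:64], km[64:80]


def password_is_correct(text, password):
    """True only if HMAC-SHA256(hmac_key, ciphertext) matches the stored tag.

    ansible-vault does this check first and refuses to decrypt on mismatch, so a
    wrong password (or a tampered blob) is rejected before AES is even run.
    """
    salt, mac, ct = parse_vault(text)
    _aes_key, hmac_key, _iv = derive_keys(password, salt)
    tag = hmac.new(hmac_key, ct, hashlib.sha256).digest()
    return hmac.compare_digest(tag, mac)


if __name__ == "__main__":
    salt, mac, ct = parse_vault(VAULT_TEXT)
    print("salt:", salt.hex())
    print("ciphertext bytes:", len(ct), "(the YAML above plus PKCS#7 padding)")
    print("guess accepted?", password_is_correct(VAULT_TEXT, "not-the-real-password"))
```

Two things worth noticing: the salt is random per `encrypt` call, which is why the same plaintext never re-encrypts to the same blob, and the HMAC covers the ciphertext, so flipping a hex digit in a committed vault file is detected as a bad password rather than silently producing garbage variables.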


# Lab

Practice using the various `ansible-vault` commands:

- encrypt
- decrypt
- create
- edit
- view
- encrypt_string