# Ansible Vault

Use `ansible-vault` to manage the become password.

## 1. Manage vault file

### 1.1. Input password manually

#### 1.1.1. Create an encrypted file

This command does 3 things:
- Creates the encrypted file
- Asks for a password to protect this encrypted file
- Opens an editor to edit the secret content

```bash
ansible-vault create password.yml
```

#### 1.1.2. Edit an encrypted file

This command does 2 things:
- Asks for the password that protects this encrypted file
- Opens an editor to edit the encrypted content

```bash
ansible-vault edit password.yml
```

#### 1.1.3. Reset the password of an encrypted file

This command does 1 thing:
- Asks for a new password to protect this encrypted file

```bash
ansible-vault rekey password.yml
```

#### 1.1.4. Encrypt an existing file

This command does 2 things:
- Asks for a password to protect this encrypted file
- Encrypts the file

```bash
ansible-vault encrypt password.yml
```

#### 1.1.5. Decrypt the encrypted file

This command does 2 things:
- Asks for the password that protects this encrypted file
- Decrypts the file

```bash
ansible-vault decrypt password.yml
```

#### 1.1.6. View the encrypted file

This command does 2 things:
- Asks for the password that protects this encrypted file
- Shows the content of the encrypted file

```bash
ansible-vault view password.yml
```

#### 1.1.7. Encrypt string

This command does 2 things:
- Asks for a password to protect the encrypted content
- Shows the encrypted content of the source string

```bash
ansible-vault encrypt_string "Hello"
```

### 1.2. Use password in file

- `--vault-id`: a text file whose content is the password that protects the encrypted file

#### 1.2.1. Create encrypted file

```bash
ansible-vault create --vault-id=vault-id password.yml
```

#### 1.2.2. Edit encrypted file

```bash
ansible-vault edit --vault-id=vault-id password.yml
```

#### 1.2.3. Encrypt an existing file

```bash
ansible-vault encrypt --vault-id=vault-id password.yml
```

#### 1.2.4. Decrypt the encrypted file

```bash
ansible-vault decrypt --vault-id=vault-id password.yml
```

#### 1.2.5. View the encrypted file

```bash
ansible-vault view --vault-id=vault-id password.yml
```

#### 1.2.6. Encrypt string

```bash
ansible-vault encrypt_string --vault-id vault-id "Hello"
```

### 1.3. More about `--vault-id` argument

#### 1.3.1. Ask password manually

- `--vault-id prompt`: prompt for the password interactively

```bash
ansible-vault view --vault-id prompt password.yml
```

#### 1.3.2. Add label to encrypted content

```bash
ansible-vault encrypt_string --vault-id alvin@vault-id "Hello"
```

## 2. Use encrypted file

### 2.1. As become password

- Create a `yml` file to store the become password (sudo password) with this content:
    ```yml
    sudo_pass: "kkmouse"
    ```
    
- Encrypt the password file
    ```bash
    $ ansible-vault encrypt --vault-id=vault-id password.yml
    ```
    
- Or create the password file directly
    ```bash
    $ ansible-vault create --vault-id=vault-id password.yml
    ```
    
- In the `hosts/inventory` file, set the remote server vars:
    ```ini
    [vm_vault:vars]
    ansible_become=yes
    ansible_become_method=sudo
    ansible_become_pass='{{ sudo_pass }}'
    ```
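
A pre-commit style check for the two files used in the steps above, added here as an example and not part of the original notebook: it confirms that `password.yml` starts with a vault header (reporting the label set with `--vault-id label@file`) and that the `vault-id` password file is not readable by group or other. The function names and sample files are assumptions; inline `encrypt_string` values embedded in YAML are not covered.

```shell
#!/bin/sh
# Added example. The header layout is Ansible's vault envelope format; the
# function names and sample files are constructed for this illustration.

# Print the vault-id label of a whole-file vault ("default" for a 1.1 header).
# Returns 1 when the first line is not a vault header, i.e. the file is plaintext.
vault_label() {
    header=
    [ -r "$1" ] || return 1
    IFS= read -r header < "$1" || [ -n "$header" ] || return 1
    case "$header" in
        '$ANSIBLE_VAULT;1.1;AES256')    echo default ;;
        '$ANSIBLE_VAULT;1.2;AES256;'?*) echo "${header##*;}" ;;
        *) return 1 ;;
    esac
}

# Returns 0 only when the vault password file grants nothing to group or other.
secret_file_private() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Audit an encrypted vars file ($1) and its vault-id password file ($2).
# Prints findings and returns the number of problems found.
audit_vault() {
    problems=0
    if label=$(vault_label "$1"); then
        echo "ok: $1 is vault-encrypted (label: $label)"
    else
        echo "FAIL: $1 is plaintext or missing; run ansible-vault encrypt" >&2
        problems=$((problems + 1))
    fi
    if secret_file_private "$2"; then
        echo "ok: $2 is readable by its owner only"
    else
        echo "FAIL: $2 is missing or open to group/other; chmod 600 it" >&2
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed sample run: a labelled vault file and a private password file.
demo_dir=$(mktemp -d)
printf '%s\n' '$ANSIBLE_VAULT;1.2;AES256;alvin' '0000' > "$demo_dir/password.yml"
( umask 077; printf 'constructed-password\n' > "$demo_dir/vault-id" )
audit_vault "$demo_dir/password.yml" "$demo_dir/vault-id"
rm -rf "$demo_dir"
```

Calling `audit_vault password.yml vault-id` from a Git pre-commit hook blocks the commit whenever the return value is non-zero.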

#### 2.1.1. Input the encrypted file password manually

```bash
ansible vm_vault -b --ask-vault-pass --extra-vars "@password.yml" -a "ifconfig"
```

#### 2.1.2. Use vault-id

```bash
ansible vm_vault -b --vault-id=vault-id --extra-vars "@password.yml" -a "ifconfig"
```