DEV Community

Cover image for Protecting Sensitive Data using Ansible Vault
Goodnews Azonubi
Goodnews Azonubi

Posted on • Edited on

Protecting Sensitive Data using Ansible Vault

Introduction:

In this tutorial we will explore Ansible Vault which is a feature of ansible that comes pre-installed. We will discuss what Ansible Vault is, and how it can be used for effective management of information such as passwords, API keys, files and other sensitive data.

Prerequisites:

You need to have Ansible installed to be able to follow along with this tutorial. If you don’t have Ansible installed yet follow this tutorial on how to install Ansible on Ubuntu 20.04.

Proceed with this guide once your server has been configured with the above requirements.

Table of Contents

  • What is Ansible
  • What is Ansible Vault
  • How to use Ansible Vault
  • Best Practices for Using Ansible Vault
  • Conclusion

What is Ansible

Ansible is an open-source automation tool that simplifies IT tasks such as configuration management, application deployment, and orchestration by allowing users to automate repetitive tasks using simple, declarative YAML-based scripts called playbooks.

What is Ansible Vault

Ansible Vault is a feature of ansible which provides a secure way for managing sensitive information such as API keys, password or even private data within your playbook or file. Ansible Vault uses the AES256 algorithm which is a symmetric form of encryption that uses a single key (or password ) for encrypting and decrypting data unlike the asymmetric that uses a private and public key pair.

Ansible Vault has several arguments used to manipulate files such as create, edit, view, encrypt, decrypt, rekey, encrypt_string, decrypt_string

How to use Ansible Vault

The ansible-vault command acts as the primary interface for managing encrypted content within Ansible. It facilitates the encryption of files initially and subsequently enables operations such as viewing, editing or decrypting the encrypted data.

How to create a new encrypted file

Use the ansible-vault create command, followed by the name of the file to create a new encrypted file. This command will prompt you to enter and confirm the password for the newly created file.

ansible-vault create secret.yml

Enter fullscreen mode Exit fullscreen mode

Image description

Image description

Your new file will open in your default text editor where you can type your secret texts and save.

Note: You can access your decrypted texts by providing the password or pass key you provided during encryption process.

How to encrypt an existing file

Use the ansible-vault encrypt command, followed by the name of the file, to encrypt an already existing file

ansible-vault encrypt file.txt
Enter fullscreen mode Exit fullscreen mode

Image description

How to view an encrypted file

Use the ansible-vault viewcommand, followed by the name of the file

ansible-vault view secret.yml
Enter fullscreen mode Exit fullscreen mode

Image description

How to edit an encrypted file

Use the ansible-vault edit command, followed by the name of the file

ansible-vault edit secret.yml
Enter fullscreen mode Exit fullscreen mode

Image description

How to decrypt an encrypted file

Use the ansible-vault decrypt command, followed by the name of the file

ansible-vault decrypt file.txt
Enter fullscreen mode Exit fullscreen mode

Image description

How to change the password of an encrypted file

Use the ansible-vault rekey command, followed by the name of the file

ansible-vault rekey secret.yml
Enter fullscreen mode Exit fullscreen mode

Image description

You will be prompted to enter the current password of the file and afterwards you can enter and confirm the new password

Saving your password to a file

Saving your password to a file (make sure the file is not tracking by version control) and specifying the path to the file is also another way of performing different operations without typing the password always on the terminal prompt.

This password should be auto generated by a password generator software and not hard coded to increase security.

Image description
Random Password Generator

Image description

Random Password Generator

This key should be kept private and should not be committed to version control

How to decrypt an encrypted file during playbook run-time

Let’s say for instance you encrypt your inventory/hosts file that has the IP address of your slave servers, you can run your playbook without decrypting first. Just specify the path to your password file in your command or input the password before playbook runs

Image description

Image description

— — ask-vault-pass: This will prompt you to input your password

 ansible-playbook -i ../hosts main.yml --key-file ~/.ssh/ansible --ask-vault-pass
Enter fullscreen mode Exit fullscreen mode

Image description

- - vault-password-file: This will use the password file directly without asking for password

 ansible-playbook -i ../hosts main.yml --key-file ~/.ssh/ansible --vault-password-file ~/ansible_vault/vault_pass.txt
Enter fullscreen mode Exit fullscreen mode

Image description

Using encrypted variables in playbook

You can access an encrypted variable file using the normal method by including your variable file in your playbook

---
- name: Configure Servers (Ubuntu and CentOS)
  hosts: all
  vars_files:
    - secret_vars.yml

  become: true
  tasks:

    - name: Update Repository Index (Ubuntu and CentOS)
      package:
        update_cache: yes
      changed_when: false

    - name: Clone github repo
      git:
        repo: "{{ github_repo }}"
        dest: "/home/vagrant/test"
        force: yes
Enter fullscreen mode Exit fullscreen mode

Best Practices for Using Ansible Vault

  • Use Strong Passwords: Ensure passwords are complex and secure.
  • Version Control: Track encrypted files in version control but never push your password file to it
  • Backup Encrypted Files: Prevent data loss with regular backups.
  • Password Access: Regularly audit who has access to view your password file.. you can use the chmod to set permissions

Conclusion

Ansible Vault is a useful tool for managing secret information stored in files by encryption and decryption. To learn more about ansible vault visit the official ansible-vault documentation page.

Top comments (0)