A sound IT security strategy is a must for any DevOps or infrastructure-as-code initiative. Ansible Vault, a feature within the Ansible automation tool, can help IT teams manage sensitive data, also known as secrets, within distributed systems.
Ansible Vault is enabled by the ansible-vault utility and command-line tool. It lets admins work with secrets as encrypted files and strings, without exposing them in plain text. IT admins can store these encrypted files safely in source control, alongside application code.
Editor's Note: Ansible Vault is different from HashiCorp Vault; the former, as noted, is a native feature within Ansible, while the latter is a commercially available secrets management product.
For example, admins can use Vault in conjunction with an Ansible playbook to store any secrets that are necessary to run the playbook, and that are versioned with the deployment scripts; these secrets will only decrypt at runtime.
Follow the Ansible Vault example in the video above to explore two types of encryption: file-level and variable-level. With file-level encryption, admins can use the ansible-vault create <filename> command to create a file that is password encrypted. This command prompts admins for a password with which to encrypt the vault. Then, they can use a terminal-based text editor to write the contents of the file.
After the file is written, users will only see a string of encrypted text, rather than the file contents, if they try to view it with cat or another command. To view the contents of the file, use the ansible-vault view <filename> command, which will prompt you for the protected file's password. This is the same for editing; admins need to use the ansible-vault edit <filename> command.
As shown in this Ansible Vault example, variable-level encryption applies to an individual variable within a file. Use the command ansible-vault encrypt_string '<variable_value>' --name '<variable_name>'. This returns text in an encrypted YAML format that Ansible can store in a variable file and consume in a playbook.
Each of these commands accepts a parameter called --vault-password-file, which IT admins can use to decrypt the vault without a password prompt. Create a file in a directory outside of the code repository with the vault password; point this parameter to the file to eliminate a prompt at runtime.
Transcript - Follow this Ansible Vault example for encryption best practices
Hello, and welcome to Getting Started with Ansible Vault.
So first and foremost, Ansible Vault has two types of encryption: We have file-level encryption, and variable-level encryption. So, to start out, I'm going to create a new file with Ansible Vault called secrets.yml. And it's going to ask me for a password here. I'm just going to put in 'password.' Now, this will become important in just a moment.
And, for my secret text, I'm going to put in, 'Can you keep a secret?' So let's save this.
Now, if we look in the directory, we have a secrets.yml file. And, if we try and read that with the cat command, that doesn't really give us anything helpful. We don't know what to do with that. So what we need to do is decrypt that using Ansible Vault. So, I'm going to run the ansible-vault view command on secrets.yml. And when I'm prompted for my password, I'll just enter 'password.' Great.
Now, there's another way to do this if we want to do it automatically and not interactively by adding a flag called password file. And, for context here, I put a file in my root directory that has the password in it. So that's the password I'm using from a vault. If I put the password file flag onto the view command, it will consume that file and use it instead of prompting us for a password. So that's file-level encryption.
If we want to do this with variable-level encryption, Ansible Vault offers another command called encrypt string. And here I'm prompted for the password one more time, but we can also use the vault password file parameter if we want to. And here I have it in YAML format that we can then put into a file and consume as part of our Ansible playbooks. So, by putting it into another file, we can try and read more secrets. And we get the same encrypted text we would earlier. However, we can also run the Ansible command to retrieve the secret by providing the vault password flag as well. Oh, I put in the wrong text. So, I'm looking for the secret text variable when my variable in the file is 'It's a secret.'
All right, and that's it for the demo. Thank you for watching.