|
|
|
|
ansible-vault(1)
|
|
|
|
|
================
|
|
|
|
|
:doctype: manpage
|
|
|
|
|
:man source: Ansible
|
|
|
|
|
:man version: %VERSION%
|
|
|
|
|
:man manual: System administration commands
|
|
|
|
|
|
|
|
|
|
NAME
|
|
|
|
|
----
|
|
|
|
|
ansible-vault - manage encrypted ansible vars files (YAML).
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
SYNOPSIS
|
|
|
|
|
--------
|
|
|
|
|
ansible-vault [create|decrypt|edit|encrypt|rekey] [--help] [options] file_name
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
DESCRIPTION
|
|
|
|
|
-----------
|
|
|
|
|
|
|
|
|
|
*ansible-vault* can encrypt any structured data file used by Ansible.
|
|
|
|
|
This can include *group_vars/* or *host_vars/* inventory variables,
|
|
|
|
|
variables loaded by *include_vars* or *vars_files*, or variable files
|
|
|
|
|
passed on the ansible-playbook command line with *-e @file.yml* or *-e @file.json*.
|
|
|
|
|
Role variables and defaults are also included!
|
|
|
|
|
|
|
|
|
|
Because Ansible tasks, handlers, and so on are also data, these can also be encrypted with vault.
|
|
|
|
|
If you’d like to not betray what variables you are even using, you can go as far to keep an individual task file entirely encrypted.
|
|
|
|
|
|
|
|
|
|
The password used with vault currently must be the same for all files you wish to use together at the same time.
|
|
|
|
|
|
|
|
|
|
COMMON OPTIONS
|
|
|
|
|
--------------
|
|
|
|
|
|
|
|
|
|
The following options are available to all sub-commands:
|
|
|
|
|
|
|
|
|
|
*--vault-password-file=*'FILE'::
|
|
|
|
|
|
|
|
|
|
A file containing the vault password to be used during the encryption/decryption
|
|
|
|
|
steps. Be sure to keep this file secured if it is used. If the file is executable,
|
|
|
|
|
it will be run and its standard output will be used as the password.
|
|
|
|
|
|
|
|
|
|
*--new-vault-password-file=*'FILE'::
|
|
|
|
|
|
|
|
|
|
A file containing the new vault password to be used when rekeying a
|
|
|
|
|
file. Be sure to keep this file secured if it is used. If the file
|
|
|
|
|
is executable, it will be run and its standard output will be used as
|
|
|
|
|
the password.
|
|
|
|
|
|
|
|
|
|
*-h*, *--help*::
|
|
|
|
|
|
|
|
|
|
Show a help message related to the given sub-command.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
If '--valut-password-file' is not supplied ansib-vault will automatically prompt for passwords as required.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
CREATE
|
|
|
|
|
------
|
|
|
|
|
|
|
|
|
|
*$ ansible-vault create [options] FILE*
|
|
|
|
|
|
|
|
|
|
The *create* sub-command is used to initialize a new encrypted file.
|
|
|
|
|
|
|
|
|
|
After providing a password, the tool will launch whatever editor you have defined
|
|
|
|
|
with $EDITOR, and defaults to vi. Once you are done with the editor session, the
|
|
|
|
|
file will be saved as encrypted data.
|
|
|
|
|
|
|
|
|
|
The default cipher is AES (which is shared-secret based).
|
|
|
|
|
|
|
|
|
|
EDIT
|
|
|
|
|
----
|
|
|
|
|
|
|
|
|
|
*$ ansible-vault edit [options] FILE*
|
|
|
|
|
|
|
|
|
|
The *edit* sub-command is used to modify a file which was previously encrypted using ansible-vault.
|
|
|
|
|
|
|
|
|
|
This command will decrypt the file to a temporary file and allow you to edit the file,
|
|
|
|
|
saving it back when done and removing the temporary file.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
REKEY
|
|
|
|
|
-----
|
|
|
|
|
|
|
|
|
|
*$ ansible-vault rekey [options] FILE_1 [FILE_2, ..., FILE_N]*
|
|
|
|
|
|
|
|
|
|
The *rekey* command is used to change the password on a vault-encrypted files.
|
|
|
|
|
This command can update multiple files at once.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
ENCRYPT
|
|
|
|
|
-------
|
|
|
|
|
|
|
|
|
|
*$ ansible-vault encrypt [options] FILE_1 [FILE_2, ..., FILE_N]*
|
|
|
|
|
|
|
|
|
|
The *encrypt* sub-command is used to encrypt pre-existing data files.
|
|
|
|
|
As with the *rekey* command, you can specify multiple files in one command.
|
|
|
|
|
|
|
|
|
|
The *encrypt* command accepts an *--output FILENAME* option to determine where
|
|
|
|
|
encrypted output is stored. With this option, input is read from the (at most one)
|
|
|
|
|
filename given on the command line; if no input file is given, input is read from stdin.
|
|
|
|
|
Either the input or the output file may be given as '-' for stdin and stdout respectively.
|
|
|
|
|
If neither input nor output file is given, the command acts as a filter,
|
|
|
|
|
reading plaintext from stdin and writing it to stdout.
|
|
|
|
|
|
|
|
|
|
Thus any of the following invocations can be used:
|
|
|
|
|
|
|
|
|
|
*$ ansible-vault encrypt*
|
|
|
|
|
|
|
|
|
|
*$ ansible-vault encrypt --output OUTFILE*
|
|
|
|
|
|
|
|
|
|
*$ ansible-vault encrypt INFILE --output OUTFILE*
|
|
|
|
|
|
|
|
|
|
*$ echo secret|ansible-vault encrypt --output OUTFILE*
|
|
|
|
|
|
|
|
|
|
Reading from stdin and writing only encrypted output is a good way to prevent
|
|
|
|
|
sensitive data from ever hitting disk (either interactively or from a script).
|
|
|
|
|
|
|
|
|
|
DECRYPT
|
|
|
|
|
-------
|
|
|
|
|
|
|
|
|
|
*$ ansible-vault decrypt [options] FILE_1 [FILE_2, ..., FILE_N]*
|
|
|
|
|
|
|
|
|
|
The *decrypt* sub-command is used to remove all encryption from data files.
|
|
|
|
|
The files will be stored as plain-text YAML once again, so be sure that you do not run this
|
|
|
|
|
command on data files with active passwords or other sensitive data.
|
|
|
|
|
In most cases, users will want to use the *edit* sub-command to modify the files securely.
|
|
|
|
|
|
|
|
|
|
As with *encrypt*, the *decrypt* subcommand also accepts the *--output FILENAME*
|
|
|
|
|
option to specify where plaintext output is stored, and stdin/stdout is handled
|
|
|
|
|
as described above.
|
|
|
|
|
|
|
|
|
|
AUTHOR
|
|
|
|
|
------
|
|
|
|
|
|
|
|
|
|
Ansible was originally written by Michael DeHaan. See the AUTHORS file
|
|
|
|
|
for a complete list of contributors.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
COPYRIGHT
|
|
|
|
|
---------
|
|
|
|
|
|
|
|
|
|
Copyright © 2014, Michael DeHaan
|
|
|
|
|
|
|
|
|
|
Ansible is released under the terms of the GPLv3 License.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
SEE ALSO
|
|
|
|
|
--------
|
|
|
|
|
|
|
|
|
|
*ansible*(1), *ansible-pull*(1), *ansible-doc*(1), *ansible-playbook*(1), *ansible-galaxy*(1)
|
|
|
|
|
|
|
|
|
|
Extensive documentation is available in the documentation site:
|
|
|
|
|
<http://docs.ansible.com>. IRC and mailing list info can be found
|
|
|
|
|
in file CONTRIBUTING.md, available in: <https://github.com/ansible/ansible>
|