NAME¶
ansible-vault - manage encrypted YAML data.
SYNOPSIS¶
ansible-vault [create|decrypt|edit|encrypt|rekey] [--help] [options] file_name
DESCRIPTION¶
ansible-vault can encrypt any structured data file used by Ansible. This
can include
group_vars/ or
host_vars/ inventory variables,
variables loaded by
include_vars or
vars_files, or variable
files passed on the ansible-playbook command line with
-e @file.yml or
-e @file.json. Role variables and defaults are also included!
Because Ansible tasks, handlers, and so on are also data, these can also be
encrypted with vault. If you’d like to not betray what variables you are
even using, you can go as far to keep an individual task file entirely
encrypted.
COMMON OPTIONS¶
The following options are available to all sub-commands:
--vault-password-file=FILE
A file containing the vault password to be
used during the encryption/decryption steps. Be sure to keep this file secured
if it is used.
-h,
--help
Show a help message related to the given
sub-command.
--debug
Enable debugging output for
troubleshooting.
CREATE¶
$ ansible-vault create [options] FILE
The
create sub-command is used to initialize a new encrypted file.
First you will be prompted for a password. The password used with vault
currently must be the same for all files you wish to use together at the same
time.
After providing a password, the tool will launch whatever editor you have
defined with $EDITOR, and defaults to vim. Once you are done with the editor
session, the file will be saved as encrypted data.
The default cipher is AES (which is shared-secret based).
EDIT¶
$ ansible-vault edit [options] FILE
The
edit sub-command is used to modify a file which was previously
encrypted using ansible-vault.
This command will decrypt the file to a temporary file and allow you to edit the
file, saving it back when done and removing the temporary file.
REKEY¶
*$ ansible-vault rekey [options] FILE_1 [FILE_2, ..., FILE_N]
The
rekey command is used to change the password on a vault-encrypted
files. This command can update multiple files at once, and will prompt for
both the old and new passwords before modifying any data.
ENCRYPT¶
*$ ansible-vault encrypt [options] FILE_1 [FILE_2, ..., FILE_N]
The
encrypt sub-command is used to encrypt pre-existing data files. As
with the
rekey command, you can specify multiple files in one command.
DECRYPT¶
*$ ansible-vault decrypt [options] FILE_1 [FILE_2, ..., FILE_N]
The
decrypt sub-command is used to remove all encryption from data files.
The files will be stored as plain-text YAML once again, so be sure that you do
not run this command on data files with active passwords or other sensitive
data. In most cases, users will want to use the
edit sub-command to
modify the files securely.
AUTHOR¶
Ansible was originally written by Michael DeHaan. See the AUTHORS file for a
complete list of contributors.
COPYRIGHT¶
Copyright © 2014, Michael DeHaan
Ansible is released under the terms of the GPLv3 License.
SEE ALSO¶
ansible(1),
ansible-pull(1),
ansible-doc(1)
Extensive documentation is available in the documentation site:
http://docs.ansible.com. IRC and mailing list info can be found in file
CONTRIBUTING.md, available in:
https://github.com/ansible/ansible