A vault password is the secret from which Ansible Vault derives the key used to encrypt and decrypt sensitive data in your Ansible project: variable files, inline strings, or any other file in the repository. Vault-encrypted data can be committed and shared, because anyone who can read the repository but does not hold the password sees only ciphertext.
This article shows how to create, use, change and retire a vault password with ansible-vault, the command-line tool that encrypts and decrypts data with a password entered at a prompt, read from a password file, or produced by a script.
Creating a Vault Password
Ansible does not generate the password for you: you choose it the first time you encrypt something. The ansible-vault command with the create option starts a new encrypted file and prompts for the password that will protect it. For example, the following command creates an encrypted variables file named secrets.yml in the current directory:
ansible-vault create secrets.yml
You will be prompted to enter and confirm the vault password, then your editor ($EDITOR, vi by default) opens so you can type the contents; when you save and quit, the file is written in encrypted form. The password can be any string, but it should be long and random (a generated passphrase of several words, or 32 or more random bytes encoded as text), because anyone who obtains a copy of the encrypted file can try passwords offline at leisure.
Note that secrets.yml is an encrypted data file, not a vault password file. A vault password file is a plain-text file holding the password itself, or an executable script that prints it. It is never encrypted with the vault, it must be readable only by the user running Ansible (mode 0600), and it must never be committed to version control.
The encrypted file is protected with AES-256 in CTR mode and an HMAC-SHA256 over the ciphertext, with the key derived from the password by PBKDF2-HMAC-SHA256. There is no "vault password created" message; the file itself identifies the format in its first line, followed by lines of hex-encoded data:
$ANSIBLE_VAULT;1.1;AES256
You can also encrypt an existing plain-text file with the encrypt option. Running ansible-vault encrypt secret.txt prompts for the vault password and replaces secret.txt in place with its encrypted form; it does not rename the file. Add --output with another file name to write the encrypted copy elsewhere and leave the original untouched. The command reports "Encryption successful" when it finishes.
Using a Vault Password
To use a vault password, you need to supply it to any Ansible command that touches encrypted data (ansible-playbook, ansible, ansible-vault). There are three common ways:
Prompting for it interactively with the --ask-vault-pass option. Nothing is stored on disk, which suits a workstation but not unattended automation.
Passing a vault password file with the --vault-password-file option. For example, running deploy.yml with --vault-password-file vault_pass.txt makes ansible-playbook read the password from vault_pass.txt, or, if the file is executable, run it and read the password from its standard output. Keep the file at mode 0600 and outside the repository.
Setting the environment variable ANSIBLE_VAULT_PASSWORD_FILE to the path of the vault password file, which has the same effect as passing --vault-password-file on every command. A CI job typically writes the password from its secret store to a private temporary file and points this variable at it before running the same deploy.yml.
In all three cases, Ansible uses the password to decrypt any vault-encrypted files and inline !vault values it loads from the playbook, variable files or inventory. If a project contains files encrypted under different passwords, pass --vault-id label@path once per password so Ansible knows which one to try against which file.
Changing a Vault Password
To change a vault password, you can use the ansible-vault command with the rekey option. For example, the following command changes the password protecting the encrypted file secrets.yml:
ansible-vault rekey secrets.yml
You will be prompted for the current password and then for the new one; the file is decrypted in memory and re-encrypted under the new password with a fresh salt. Rekey every file that was encrypted with the old password (several files can be listed on one command line), otherwise the old password remains necessary for the ones you missed. For unattended use, pass the current password with --vault-password-file and the new one with --new-vault-password-file. Rekeying does not touch a vault password file, which is plain text: update its contents to the new password yourself. And if the old password may have been exposed, rotate the credentials stored inside the vault as well, since rekeying only changes the wrapper, not the secrets it protects.
Deleting a Vault Password
To retire a vault password, delete the vault password file (and any copies held in CI variables or a password manager) only after making sure nothing still depends on it: rekey the files it protects to a new password, or decrypt any data you no longer need encrypted. Once the password is gone, data encrypted under it cannot be recovered; Ansible has no recovery mechanism. A cheap check before deleting is to open each encrypted file with the old password (for example with ansible-vault view) and confirm that it now fails.
To decrypt a file that was encrypted with a vault password, you can use the ansible-vault command with the decrypt option. Running ansible-vault decrypt secrets.yml prompts for the password and replaces secrets.yml in place with its plain-text contents; add --output with another file name (for example --output secret.txt) to write the plain text elsewhere and keep the encrypted copy. Remember that the decrypted file is a secret in the clear: keep it out of version control, or decrypt to standard output with --output - and pipe it to whatever consumes it instead of leaving it on disk.
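The whole life cycle from the sections above (creating a password, running a playbook with it, rekeying, verifying the old password is dead before deleting it, decrypting to a separate file), with the pre-flight checks a practitioner would put in front of it. This is an added example written for this article, not code from the Ansible project; the file names vault_pass.txt, secrets.yml and deploy.yml, the sample variable, and the helper names are assumptions. The checks run anywhere with a POSIX shell; the encrypt/rekey/decrypt cycle runs only when ansible-vault is installed.

```shell
#!/bin/sh
# Added example for this article (not Ansible project code). Assumed names:
# vault_pass.txt (plain-text password file), secrets.yml (vault-encrypted
# data file), deploy.yml (playbook). Sample data below is constructed.
set -eu

# True if the file starts with an Ansible Vault header (format 1.1 or 1.2).
is_vault_encrypted() {
  head -n 1 "$1" 2>/dev/null | grep -q '^\$ANSIBLE_VAULT;1\.[12];AES256'
}

# True if the group and other permission bits are all zero (0600, 0400, ...).
password_file_is_private() {
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
  case "$mode" in
    *00) return 0 ;;
    *)   return 1 ;;
  esac
}

# Write a fresh random password (32 bytes, hex) to the given path. umask 077
# makes the file 0600 from its first byte, so it is never world-readable.
make_password_file() {
  rm -f "$1"
  ( umask 077
    pw=$(od -An -N32 -tx1 /dev/urandom | tr -d ' \n')
    printf '%s\n' "$pw" > "$1" )
}

# Run a playbook with --vault-password-file, refusing the two setups that
# bite most often: a password file readable by others, and a "password file"
# that is itself vault-encrypted (ansible-vault create makes an encrypted
# data file, not a password file). Returns 1 before ansible is invoked.
run_playbook() {
  playbook=$1
  passfile=$2
  [ -s "$passfile" ] || { echo "$passfile: missing or empty" >&2; return 1; }
  password_file_is_private "$passfile" \
    || { echo "$passfile: readable by group/others, chmod 600 it" >&2; return 1; }
  if is_vault_encrypted "$passfile"; then
    echo "$passfile: is a vault-encrypted file, not a password file" >&2
    return 1
  fi
  ansible-playbook "$playbook" --vault-password-file "$passfile"
}

# Encrypt, rekey and decrypt a constructed sample file with no prompts, and
# delete the old password file only once it provably no longer works.
vault_lifecycle_demo() {
  d=$1
  old_pass="$d/vault_pass.txt"
  new_pass="$d/vault_pass_new.txt"
  make_password_file "$old_pass"
  make_password_file "$new_pass"
  printf 'db_password: example-only\n' > "$d/plain.yml"   # constructed sample
  # encrypt: --output leaves plain.yml untouched and writes secrets.yml
  ansible-vault encrypt --vault-password-file "$old_pass" \
    --output "$d/secrets.yml" "$d/plain.yml" || return 1
  is_vault_encrypted "$d/secrets.yml" || return 1
  # rekey: current password opens the file, new password re-encrypts it
  ansible-vault rekey --vault-password-file "$old_pass" \
    --new-vault-password-file "$new_pass" "$d/secrets.yml" || return 1
  # the old password must fail now; otherwise keep it and report
  if ansible-vault view --vault-password-file "$old_pass" "$d/secrets.yml" >/dev/null 2>&1; then
    echo "old password still decrypts secrets.yml; keeping it" >&2
    return 1
  fi
  rm -f "$old_pass"
  # decrypt to a separate file; the encrypted copy stays on disk intact
  ansible-vault decrypt --vault-password-file "$new_pass" \
    --output "$d/recovered.yml" "$d/secrets.yml" || return 1
  cmp -s "$d/plain.yml" "$d/recovered.yml"
}

# The cycle needs ansible-vault; the checks above do not.
if command -v ansible-vault >/dev/null 2>&1; then
  demo_dir=$(mktemp -d)
  if vault_lifecycle_demo "$demo_dir"; then
    echo "vault lifecycle demo: OK"
  else
    echo "vault lifecycle demo: FAILED" >&2
  fi
  rm -rf "$demo_dir"
else
  echo "ansible-vault not installed; skipping the lifecycle demo" >&2
fi
```

run_playbook is the piece worth keeping in a real wrapper: it fails closed on the mistakes the tooling itself tolerates (Ansible will happily read a world-readable password file), and the header check is also a good pre-commit hook over any file that is supposed to be encrypted.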