Encrypting Files With Ansible Vault (Linux)

less secret_information.txt

Ansible is a piece of configuration management software that can be used to manage a few computers or a lot of computers and as it does not install a client on the end device it (it’s configuration, playbooks and settings) can all be maintained on one computer which acts as the Ansible controller. But how do you keep the data on this one computer safe? The answer is Ansible Vault (and good security practises).

Before progressing, if you are new to Ansible please check out some of my previous blog posts about Ansible.

Ansible Vault allows you to encrypt and decrypt files via one line commands. For example lets say we have a file called secret_information.txt.

A file path to secret_information.txt
What could the secret_information.txt file contain?

And in the file secret_information.txt is a super secret, confidential piece of information that is meant for geektechstuff.com readers only.

File contents showing the number 42, a nod to HitchHikers Guide To The Galaxy
Shout Out To Hitchhikers Guide To The Galaxy Fans!

This file is going to be copied to every geektechstuff.com computer, but should be kept secret. Using the command:

ansible-vault encrypt secret_information.txt

and entering a password, the file is encrypted.

ansible-vault encrypt secret_information.txt
ansible-vault encrypt secret_information.txt

The file looks no different in the terminal but if it is opened then it will show the contents as encrypted. In this case I have used the command:

less secret_information.txt

But cat or a text editor (e.g. Nano or Vim) could be used to get similar results. The first line of the file shows that Ansible Vault has encrypted the file using a AES 256 cipher.

geektechstuff_ansible_vault_3
less secret_information.txt

The file can be decrypted using the command:

ansible-vault decrypt secret_information.txt

Which decrypts the file and makes the data readable again to commands like cat, less and nano, after the correct password has been entered.

ansible-vault decrypt secret_information.txt
ansible-vault decrypt secret_information.txt

If you want to edit an Ansible Vault encrypted file you could decrypt it, edit it and then encrypt it again but this is a little long winded when instead you could use the command:

ansible-vault edit secret_information.txt

ansible-vault edit secret_information.txt
ansible-vault edit secret_information.txt

This creates a temporary file and launches an editor for you to edit the text in the file.

geektechstuff_ansible_vault_7
The tmp (temporary) file in use

Once you are done editing, save and close. The changes are saved, the file remains encrypted and the temporary file is removed.

What happens if you don’t like passwords though? This is where the Ansible Vault vault-id command can help. For this example I am going to be using the same secret_information.txt file, hopefully the top secret data has not been leaked out yet, alongside the opening few paragraphs of Lewis Carroll’s Alice In Wonderland.

Opening of Alice In Wonderland
Opening of Alice In Wonderland

I’ve placed this opening text into a file called alice.txt , it should be suitable to secure our top secret information as it contains lots of characters, upper case and lower case letters and punctuation marks.

geektechstuff_ansible_vault_9
ls showing 2 text files

Then when using the ansible-vault commands an additional option is added in called –vault-id which uses a file as the vault id (i.e. the password) and in this example it is using the opening of Alice In Wonderland, saved in the alice.txt file.

ansible-vault ACTION --vault-id ID_FILE FILE_TO_USE_ACTION_ON
ansible-vault encrypt --vault-id alice.txt secret_information.txt

ansible-vault edit --vault-id alice.txt secret_information.txt

ansible-vault decrypt --vault-id alice.txt secret_information.txt
geektechstuff_ansible_vault_10
ansible-vault –vault-id options

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.