2014-03-17 15:00:51 +00:00
|
|
|
|
ansible-vault(1)
|
|
|
|
|
================
|
|
|
|
|
:doctype: manpage
|
|
|
|
|
:man source: Ansible
|
|
|
|
|
:man version: %VERSION%
|
|
|
|
|
:man manual: System administration commands
|
|
|
|
|
|
|
|
|
|
NAME
|
|
|
|
|
----
|
|
|
|
|
ansible-vault - manage encrypted YAML data.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
SYNOPSIS
|
|
|
|
|
--------
|
|
|
|
|
ansible-vault [create|decrypt|edit|encrypt|rekey] [--help] [options] file_name
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
DESCRIPTION
|
|
|
|
|
-----------
|
|
|
|
|
|
|
|
|
|
*ansible-vault* can encrypt any structured data file used by Ansible. This can include
|
|
|
|
|
*group_vars/* or *host_vars/* inventory variables, variables loaded by *include_vars* or
|
|
|
|
|
*vars_files*, or variable files passed on the ansible-playbook command line with
|
|
|
|
|
*-e @file.yml* or *-e @file.json*. Role variables and defaults are also included!
|
|
|
|
|
|
|
|
|
|
Because Ansible tasks, handlers, and so on are also data, these can also be encrypted with
|
|
|
|
|
vault. If you’d like to not betray what variables you are even using, you can go as far to
|
|
|
|
|
keep an individual task file entirely encrypted.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
COMMON OPTIONS
|
|
|
|
|
--------------
|
|
|
|
|
|
|
|
|
|
The following options are available to all sub-commands:
|
|
|
|
|
|
|
|
|
|
*--vault-password-file=*'FILE'::
|
|
|
|
|
|
|
|
|
|
A file containing the vault password to be used during the encryption/decryption
|
2015-07-28 09:48:57 +00:00
|
|
|
|
steps. Be sure to keep this file secured if it is used. If the file is executable,
|
|
|
|
|
it will be run and its standard output will be used as the password.
|
|
|
|
|
|
|
|
|
|
*--new-vault-password-file=*'FILE'::
|
|
|
|
|
|
|
|
|
|
A file containing the new vault password to be used when rekeying a
|
|
|
|
|
file. Be sure to keep this file secured if it is used. If the file
|
|
|
|
|
is executable, it will be run and its standard output will be used as
|
|
|
|
|
the password.
|
2014-03-17 15:00:51 +00:00
|
|
|
|
|
|
|
|
|
*-h*, *--help*::
|
|
|
|
|
|
|
|
|
|
Show a help message related to the given sub-command.
|
|
|
|
|
|
|
|
|
|
*--debug*::
|
|
|
|
|
|
|
|
|
|
Enable debugging output for troubleshooting.
|
|
|
|
|
|
|
|
|
|
CREATE
|
|
|
|
|
------
|
|
|
|
|
|
|
|
|
|
*$ ansible-vault create [options] FILE*
|
|
|
|
|
|
|
|
|
|
The *create* sub-command is used to initialize a new encrypted file.
|
|
|
|
|
|
|
|
|
|
First you will be prompted for a password. The password used with vault currently
|
|
|
|
|
must be the same for all files you wish to use together at the same time.
|
|
|
|
|
|
|
|
|
|
After providing a password, the tool will launch whatever editor you have defined
|
|
|
|
|
with $EDITOR, and defaults to vim. Once you are done with the editor session, the
|
|
|
|
|
file will be saved as encrypted data.
|
|
|
|
|
|
|
|
|
|
The default cipher is AES (which is shared-secret based).
|
|
|
|
|
|
|
|
|
|
EDIT
|
|
|
|
|
----
|
|
|
|
|
|
|
|
|
|
*$ ansible-vault edit [options] FILE*
|
|
|
|
|
|
|
|
|
|
The *edit* sub-command is used to modify a file which was previously encrypted
|
|
|
|
|
using ansible-vault.
|
|
|
|
|
|
|
|
|
|
This command will decrypt the file to a temporary file and allow you to edit the
|
|
|
|
|
file, saving it back when done and removing the temporary file.
|
|
|
|
|
|
|
|
|
|
REKEY
|
|
|
|
|
-----
|
|
|
|
|
|
2015-08-27 09:05:40 +00:00
|
|
|
|
*$ ansible-vault rekey [options] FILE_1 [FILE_2, ..., FILE_N]*
|
2014-03-17 15:00:51 +00:00
|
|
|
|
|
|
|
|
|
The *rekey* command is used to change the password on a vault-encrypted files.
|
|
|
|
|
This command can update multiple files at once, and will prompt for both the
|
|
|
|
|
old and new passwords before modifying any data.
|
|
|
|
|
|
|
|
|
|
ENCRYPT
|
|
|
|
|
-------
|
|
|
|
|
|
2015-08-27 09:05:40 +00:00
|
|
|
|
*$ ansible-vault encrypt [options] FILE_1 [FILE_2, ..., FILE_N]*
|
2014-03-17 15:00:51 +00:00
|
|
|
|
|
|
|
|
|
The *encrypt* sub-command is used to encrypt pre-existing data files. As with the
|
|
|
|
|
*rekey* command, you can specify multiple files in one command.
|
|
|
|
|
|
2015-08-27 09:05:40 +00:00
|
|
|
|
Starting with version 2.0, the *encrypt* command accepts an *--output FILENAME*
|
|
|
|
|
option to determine where encrypted output is stored. With this option, input is
|
|
|
|
|
read from the (at most one) filename given on the command line; if no input file
|
|
|
|
|
is given, input is read from stdin. Either the input or the output file may be
|
|
|
|
|
given as '-' for stdin and stdout respectively. If neither input nor output file
|
|
|
|
|
is given, the command acts as a filter, reading plaintext from stdin and writing
|
|
|
|
|
it to stdout.
|
|
|
|
|
|
|
|
|
|
Thus any of the following invocations can be used:
|
|
|
|
|
|
|
|
|
|
*$ ansible-vault encrypt*
|
|
|
|
|
|
|
|
|
|
*$ ansible-vault encrypt --output OUTFILE*
|
|
|
|
|
|
|
|
|
|
*$ ansible-vault encrypt INFILE --output OUTFILE*
|
|
|
|
|
|
|
|
|
|
*$ echo secret|ansible-vault encrypt --output OUTFILE*
|
|
|
|
|
|
|
|
|
|
Reading from stdin and writing only encrypted output is a good way to prevent
|
|
|
|
|
sensitive data from ever hitting disk (either interactively or from a script).
|
|
|
|
|
|
2014-03-17 15:00:51 +00:00
|
|
|
|
DECRYPT
|
|
|
|
|
-------
|
|
|
|
|
|
2015-08-27 09:05:40 +00:00
|
|
|
|
*$ ansible-vault decrypt [options] FILE_1 [FILE_2, ..., FILE_N]*
|
2014-03-17 15:00:51 +00:00
|
|
|
|
|
|
|
|
|
The *decrypt* sub-command is used to remove all encryption from data files. The files
|
|
|
|
|
will be stored as plain-text YAML once again, so be sure that you do not run this
|
|
|
|
|
command on data files with active passwords or other sensitive data. In most cases,
|
|
|
|
|
users will want to use the *edit* sub-command to modify the files securely.
|
|
|
|
|
|
2015-08-27 09:05:40 +00:00
|
|
|
|
As with *encrypt*, the *decrypt* subcommand also accepts the *--output FILENAME*
|
|
|
|
|
option to specify where plaintext output is stored, and stdin/stdout is handled
|
|
|
|
|
as described above.
|
2014-03-17 15:00:51 +00:00
|
|
|
|
|
|
|
|
|
AUTHOR
|
|
|
|
|
------
|
|
|
|
|
|
|
|
|
|
Ansible was originally written by Michael DeHaan. See the AUTHORS file
|
|
|
|
|
for a complete list of contributors.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
COPYRIGHT
|
|
|
|
|
---------
|
|
|
|
|
|
|
|
|
|
Copyright © 2014, Michael DeHaan
|
|
|
|
|
|
|
|
|
|
Ansible is released under the terms of the GPLv3 License.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
SEE ALSO
|
|
|
|
|
--------
|
|
|
|
|
|
|
|
|
|
*ansible*(1), *ansible-pull*(1), *ansible-doc*(1)
|
|
|
|
|
|
|
|
|
|
Extensive documentation is available in the documentation site:
|
|
|
|
|
<http://docs.ansible.com>. IRC and mailing list info can be found
|
|
|
|
|
in file CONTRIBUTING.md, available in: <https://github.com/ansible/ansible>
|