Encrypting secrets with Ansible Vault

Posted on Wed 22 January 2020 in Ansible

Configure config file to understand identities

Add the following under the [defaults] heading of either ~/.ansible.cfg or /etc/ansible/ansible.cfg:

vault_identity_list = $vault_id1@/path/to/$vault_id1_key,$vault_id2@/path/to/$vault_id2_key,...$vault_idn@/path/to/vault_idn_key

Create vault ID

Now it's time to create the actual vault file. This can be done by either copy-and-pasting a password into the file specified in the config file or by randomly generating one with the tool of your choice and redirecting into a file.

echo "$(openssl rand -hex 32)" > /path/to/$vault_id1_key

Use the vault ID

Now rather than being prompted for a password, it is possible to apply a label to the vault. The label can then look up the password from the vault key file.

ansible-vault create --encrypt-vault-id $vault_id1 vault.yml


As an example of the above, let's create a vault named prod_secrets.yml with the label prod with the password stored in a key file named prod_key in ~/.vault_ids/:

In ~/.ansible.cfg:

vault_identity_list = $prod@~/.vault_ids/prod_key

Now lets create the above-referenced file with a password populated:

# echo "$(openssl rand -hex 32)" > ~/.vault_ids/prod_key

Now lets test creating a vault:

# ansible-vault create --encrypt-vault-id prod prod_secrets.yml

If we want to create a new vault id named dev using the same method, we can do that too:

In ~/.ansible.cfg:

vault_identity_list = $prod@~/.vault_ids/prod_key,$dev@~/.vault_ids/dev_key

Time to create a new key too:

# echo "$(openssl rand -hex 32)" > ~/.vault_ids/dev_key

And now we can use the dev id for a different vault:

# ansible-vault create --encrypt-vault-id dev dev_secrets.yml