Ansible vault encrypt-decrypt

Encrypt

Pipe each password through ansible-vault into a file (or files). Be sure to escape the special characters listed below, or avoid them altogether.

" ' [ ] { } > | * & ! % # ` @ ,

Provide the encryption password when prompted (it can be different for each password).

printf "%s" <password1> | ansible-vault encrypt_string --stdin-name=<password-name1> > <password-file>.var.yml
printf "%s" <password2> | ansible-vault encrypt_string --stdin-name=<password-name2> >> <password-file>.var.yml
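
An added example, not part of the original note: a POSIX shell helper that reads the secret from a no-echo prompt or from stdin instead of typing it into the printf command, so none of the characters listed above need escaping and the secret stays out of shell history. `vault_add` and `VAULT_BIN` are hypothetical names; the `ansible-vault encrypt_string --stdin-name` call is the one used above.

```shell
#!/bin/sh
# Added example, not part of the original note.
# vault_add and VAULT_BIN are hypothetical names introduced for this sketch.

# Command used for encryption; overridable so the helper can be exercised
# without ansible installed (assumption made for this example).
VAULT_BIN="${VAULT_BIN:-ansible-vault}"

# vault_add <password-name> <password-file>
# Reads one secret and appends it, vault-encrypted, to <password-file>.
# The body is a subshell, so $secret never lingers in the caller's shell.
vault_add() (
    name=$1
    file=$2
    [ -n "$name" ] && [ -n "$file" ] || {
        echo "usage: vault_add <password-name> <password-file>" >&2
        exit 2
    }

    if [ -t 0 ]; then
        # Interactive: prompt with terminal echo off; restore echo on Ctrl-C.
        trap 'stty echo; exit 130' INT TERM
        printf 'Secret for %s: ' "$name" >&2
        stty -echo
        IFS= read -r secret || [ -n "$secret" ]
        stty echo
        printf '\n' >&2
    else
        # Non-interactive: take the first line of stdin as the secret.
        IFS= read -r secret || [ -n "$secret" ]
    fi

    [ -n "$secret" ] || { echo "empty secret, nothing written" >&2; exit 1; }

    # printf '%s' passes the bytes through unchanged, with no trailing newline.
    printf '%s' "$secret" |
        "$VAULT_BIN" encrypt_string --stdin-name="$name" >> "$file"
)
```

Call it as `vault_add <password-name> <password-file>.var.yml`; ansible-vault still prompts for the encryption password on the terminal.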

Decrypt

Retrieve a single decrypted password from a YAML file containing the vaulted password.

Prompt for the encryption password:

ansible localhost -e '@<yaml file containing password>.yml' --ask-vault-pass -m debug -a 'var=<password-name>'

Or include a reference to the vault password, if you have it stored in a file:

ansible localhost -e '@<yaml file containing password>.yml' --vault-password-file ~/pw.vault -m debug -a 'var=<password-name>'