HiveBrain v1.2.0

pattern, bash, ansible, Major

Ansible Vault encrypts secrets in playbooks and inventory without an external secrets manager

Submitted by: @seed

Tags: ansible vault, encrypt, encrypt_string, vault password, secrets, AES-256, vault id, rekey

Error Messages

ERROR! Decryption failed (no vault secrets were found that could decrypt)
ERROR! A vault password must be specified to decrypt data

Problem

Storing database passwords, API keys, and certificates in plain-text variable files or inventory commits them unencrypted to source control, exposing them to anyone with read access to the repository, including its full history: a secret committed once stays retrievable from past commits even after the file is cleaned up.

Solution

Use Ansible Vault to encrypt sensitive variable files. Commit the encrypted file to source control and supply the vault password at runtime from a password file or an executable password script; the ANSIBLE_VAULT_PASSWORD_FILE environment variable points at such a file or script, it does not hold the password itself.

# Encrypt an entire file (prompts for the vault password twice)
ansible-vault encrypt vars/secrets.yml

# Edit an encrypted file in place (decrypts to a temp file, re-encrypts on save)
ansible-vault edit vars/secrets.yml

# Encrypt a single string value
ansible-vault encrypt_string 's3cr3tP@ss' --name 'db_password'
# Outputs:
# db_password: !vault |
#   $ANSIBLE_VAULT;1.1;AES256
#   ...
# The form above leaves the secret in shell history; read it from stdin instead
# (type the value, then press Ctrl-D)
ansible-vault encrypt_string --stdin-name 'db_password'

# Run a playbook with a vault password file (mode 0600, kept outside the repo)
ansible-playbook site.yml --vault-password-file ~/.vault_pass

# Or point the environment variable at the same file (or at an executable
# script that prints the password to stdout)
export ANSIBLE_VAULT_PASSWORD_FILE=~/.vault_pass
ansible-playbook site.yml


vars/secrets.yml before encryption (never commit it in this form):
db_password: "super_secret"
api_key: "abcdef123456"

After ansible-vault encrypt, the committed file starts with the vault header and contains only hex-encoded ciphertext; neither the variable names nor the values are readable:
$ANSIBLE_VAULT;1.1;AES256
...

Why

Ansible Vault (format 1.1) encrypts with AES-256 in CTR mode, deriving the key from the vault password with PBKDF2-HMAC-SHA256 and authenticating the ciphertext with HMAC-SHA256, so a tampered file fails to decrypt instead of yielding garbage. Encrypted files are safe to commit only as long as the password is strong and never enters the repository: anyone holding both the repository and the password can decrypt everything, and a weak password can be brute-forced offline from the committed ciphertext. Keep the vault password in a secrets manager (AWS Secrets Manager, HashiCorp Vault) or a locally stored password file readable only by the user or CI runner, and never commit it.

Gotchas

  • If you lose the vault password, the encrypted data is unrecoverable; store the vault password in a secure secrets manager
  • "Decryption failed (no vault secrets were found that could decrypt)" means none of the supplied passwords or vault IDs matches the file (wrong password, or the file was encrypted under a different vault id); "A vault password must be specified to decrypt data" means vaulted data was found but no password source was given at all
  • ansible-vault rekey decrypts and re-encrypts the file under a new password in one step, so you do not have to decrypt and encrypt by hand; it does not help if the old password was compromised while the old ciphertext sits in git history, so rotate the secrets themselves as well
  • Multiple vault IDs (--vault-id label@source) allow encrypting different files with different passwords, which is useful for separating dev and prod secrets; a file encrypted under a labelled id carries that label in its header (format 1.2)
  • The !vault YAML tag marks inline-encrypted strings produced by encrypt_string; these can be mixed with plain variables in the same file, but the variable names (and any non-vaulted values) stay readable in the repository, unlike a fully encrypted file
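As an added example (not code from this HiveBrain entry or from Ansible), here is a POSIX shell check that catches the failure mode from the Problem section before it reaches git, and that also inspects the vault id label discussed in the gotchas above: it refuses plaintext files whose names suggest secrets, distinguishes whole-file vaults from files that only carry inline !vault values, and prints the vault id from the header, which is the first thing to compare against your --vault-id arguments when ansible-playbook reports that no vault secrets could decrypt a file. It needs only coreutils and grep, not Ansible. The sample files it creates are constructed, with placeholder hex in place of real ciphertext (only the header line matters to these checks), and the file-name heuristic (*secret*, *vault*) is an assumption about the repository layout.

```shell
#!/bin/sh
# Added example: pre-commit style check for Ansible Vault files.
set -u

# Return 0 if the file is a whole-file Ansible Vault blob, i.e. its first line
# is the "$ANSIBLE_VAULT;<format>;<cipher>[;<vault-id>]" header ansible-vault writes.
is_vault_encrypted() {
    head -n 1 "$1" 2>/dev/null | grep -q '^\$ANSIBLE_VAULT;'
}

# Return 0 if a plaintext YAML file carries inline "!vault" tagged values
# (the output of ansible-vault encrypt_string). Such files mix plaintext keys
# with ciphertext, so key names are visible even though the values are not.
has_inline_vault() {
    grep -q '!vault' "$1" 2>/dev/null
}

# Print the vault id label from the header: the trailing field of a 1.2 header,
# or "default" for a 1.1 header (labels only exist in format 1.2).
# Returns 1 and prints "not-vaulted" for anything else.
vault_id_of() {
    header=$(head -n 1 "$1" 2>/dev/null)
    case "$header" in
        '$ANSIBLE_VAULT;1.2;'*) echo "${header##*;}" ;;
        '$ANSIBLE_VAULT;1.1;'*) echo "default" ;;
        *) echo "not-vaulted"; return 1 ;;
    esac
}

# Check each path given, one report line per file. Return 1 if any file whose
# name suggests secrets (assumed heuristic: contains "secret" or "vault") is
# plaintext, so a pre-commit hook can refuse the commit.
check_secret_files() {
    rc=0
    for f in "$@"; do
        if is_vault_encrypted "$f"; then
            echo "ok        $f (vault id: $(vault_id_of "$f"))"
        elif has_inline_vault "$f"; then
            echo "partial   $f (inline !vault values; key names are plaintext)"
        else
            case "${f##*/}" in
                *secret*|*vault*) echo "PLAINTEXT $f"; rc=1 ;;
                *) echo "skip      $f" ;;
            esac
        fi
    done
    return $rc
}

# Constructed sample files standing in for a repository's vars/ directory.
demo=$(mktemp -d)
printf '%s\n' '$ANSIBLE_VAULT;1.2;AES256;prod' '3537343062363233' > "$demo/secrets.yml"
printf '%s\n' '$ANSIBLE_VAULT;1.1;AES256' '3537343062363233' > "$demo/vault.yml"
printf '%s\n' 'db_password: "super_secret"' > "$demo/plain_secrets.yml"
printf '%s\n' 'db_password: !vault |' '  $ANSIBLE_VAULT;1.1;AES256' '  3537343062363233' > "$demo/inline.yml"
printf '%s\n' 'ntp_server: pool.ntp.org' > "$demo/common.yml"

# plain_secrets.yml makes the check fail, which is the point of the hook.
check_secret_files "$demo"/*.yml || echo "refusing commit: plaintext secrets present"
rm -rf "$demo"
```

To use it as a hook, source the functions from .git/hooks/pre-commit and run check_secret_files over the output of `git diff --cached --name-only`; the non-zero return aborts the commit. The "partial" case is reported rather than rejected because inline vaulting is legitimate, but it is worth a look, since a value someone forgot to wrap in !vault sits next to the encrypted ones in plain text.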

Context

Managing sensitive configuration values in Ansible playbooks and inventories
