Ansible - Day 5 (Ansible Vault)

In today's fast-changing digital world, keeping our data safe is super important. So, how can we make sure our secrets and sensitive info stay protected while we use cool automation tools like Ansible? 🤔

In this blog, we will be discussing Ansible Vault. Also, we will be looking at how to encrypt different playbooks and how they can be decrypted.

Introduction

Ansible Vault is like a magic vault where you can keep sensitive data such as passwords or keys protected at rest, rather than as plain text in playbooks or roles. It locks them up tight, so only the right people can access them.

Why use Ansible Vault?

1. Security: Your secrets stay safe and sound.

2. Version Control: You can keep track of changes to secrets.

3. Control Access: You decide who gets to see what.

4. Works with Automation: It fits perfectly into your automation plans.

How does Ansible Vault help us?

It helps us to encrypt or decrypt sensitive variables that contain information and there are 2 ways to take care of sensitive data :

Certainly! Here's a step-by-step process for encrypting and decrypting sensitive data using Ansible Vault in more detail:

Encrypting Sensitive Data:

1. Create an Encrypted File:

   To create an encrypted file to store sensitive data, use the ansible-vault create command:

    ansible-vault create secrets.yml
    New Vault password: 
    Confirm New Vault password:
   

   This command will prompt you to set a vault password. Choose a strong password and remember it because you'll need it for decryption.

2. Edit the Encrypted File:

   After setting the vault password, Ansible will open the secrets.yml file in your default text editor. You can add your sensitive data in YAML format, like so:

    codeapi_key: your_secret_api_key
    db_password: your_secret_db_password
   

   Save and exit the text editor. The data is now securely encrypted using the vault password.

Decrypting Sensitive Data:

1. Edit the Encrypted File:

   To edit an existing encrypted file, use the ansible-vault edit command:

    ansible-vault edit secrets.yml
   

   Ansible will prompt you to enter the vault password to decrypt the file. Once decrypted, you can edit the file's contents.

2. View and Edit the Decrypted File:

   The encrypted file will open in your default text editor, allowing you to view and edit the contents freely. Make your changes save, and exit the text editor.

3. Save the Changes:

   When you save the changes, Ansible will automatically re-encrypt the file with the same vault password. You don't need to specify the password during this process; Ansible remembers it for you.

Using Encrypted Data in Playbooks:

In your Ansible playbooks, you can reference the encrypted data from the secrets.yml file as variables. Ansible will handle the decryption when the playbook runs.

Here's an example playbook snippet:

---
- name: Example Playbook with Encrypted Secrets
  hosts: your_target_hosts
  tasks:
    - name: Ensure secret data is available
      include_vars: secrets.yml

    - name: Use the API key in a task
      debug:
        msg: "API Key is {{ api_key }}"

    - name: Use the DB password in a task
      debug:
        msg: "DB Password is {{ db_password }}"

When you run this playbook with ansible-playbook, Ansible will prompt you for the vault password to decrypt secrets.yml. Once decrypted, the playbook can access the sensitive data as variables and execute tasks accordingly.

Decrypting Encrypted Files During Runtime

We could use –ask-vault-pass flag to decrypt a file during runtime.

$ ansible-playbook XXX.yml --ask-vault-pass

This will decrypt your encrypted files that are encrypted with the same password to execute.

Remember to always keep your vault password secure, as it is the key to decrypting and accessing your sensitive data.