Forrest logo
back to the ansible-vault tool

ansible-vault:tldr:1d55b

ansible-vault: Encrypt a string using Ansible's encrypted string format, displaying interactive prompts.
$ ansible-vault encrypt_string
try on your machine

The command ansible-vault encrypt_string is used to encrypt sensitive data (such as passwords, API keys, or other secret variables) in Ansible playbooks or variable files.

When you run ansible-vault encrypt_string, you provide the string that you want to encrypt as an argument. The command then encrypts that string and outputs it in an encrypted format.

This encrypted string can then be stored in your playbook or variable file, and whenever Ansible needs to use it, it will automatically decrypt it using a password you specify. This way, you can keep your sensitive data secure within your Ansible configuration.

For example, suppose you have a password "mySecretPassword" that you don't want to store in plain text within your playbook. You can run the following command:

ansible-vault encrypt_string --vault-password-file=vault_pass.txt 'mySecretPassword'

This command will encrypt the password and generate output like:

!vault |
          $ANSIBLE_VAULT;1.1;AES256
          61373333303663323231373539303564646166303363383461623363626135366632663864623361
          6536393164393730373439326230626635393461623336380a353639303361393966343862616265
          39656261313732656562313635633663616231346432643761386466303631316564373738633435
          3763333563376632340a623238326239653661666565326166663730323064303431356230313135
          38343263353562373265633031396564626532363039333331653964373636396132363964
Encryption successful

You can then copy this encrypted string and use it in your playbook like this:

- name: Example playbook
  hosts: localhost
  vars:
    my_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          61373333303663323231373539303564646166303363383461623363626135366632663864623361
          6536393164393730373439326230626635393461623336380a353639303361393966343862616265
          39656261313732656562313635633663616231346432643761386466303631316564373738633435
          3763333563376632340a623238326239653661666565326166663730323064303431356230313135
          38343263353562373265633031396564626532363039333331653964373636396132363964
  tasks:
    - name: Print password
      debug:
        var: my_password

Ansible will automatically decrypt the encrypted string using the password you provide when running the playbook, and you can use the decrypted value within your tasks.

This explanation was created by an AI. In most cases those are correct. But please always be careful and never run a command you are not sure if it is safe.
back to the ansible-vault tool