Managing Secrets using Ansible Vault

Many application setups and server configurations need secrets such as keys and passwords. Typically we store Ansible roles and plays in version control, but a repository usually has far wider access than we can afford when it comes to exposing those secrets.

Ansible provides a built-in mechanism to encrypt sensitive information kept in YAML format. For example, we can have a variables file that holds the passwords and encrypt that file:

---
mysql_password: top_secret

To encrypt the file above, we call the ansible-vault command line tool, which prompts for a vault password that is needed again whenever the file is decrypted or used in a play:

ansible-vault encrypt secret.yml

An encrypted file would look like this:

$ cat secret.yml 
$ANSIBLE_VAULT;1.1;AES256
64363563353437623161356238633538643963383534336264386161313733663163616530333332
6232666564376233316233613431663833313966306361340a333666346264303264656339316435
37633134343863376236336636353535636339383735633730656431303964316234323364646339
3139626366653662640a306439323762363333356363393563373334343338613363623363346265
38306365376361363534663263653439323763326165376234623537336231393365
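Because the risk described above is a plaintext vars file landing in version control, a simple pre-commit style check can confirm that such a file really is a vault envelope and not cleartext. The following is an added example, not code from the original post or from Ansible itself; it only validates the header and the hex payload layout of the 1.1/1.2 format, decrypts nothing, and builds its own constructed sample envelope with dummy salt, HMAC and ciphertext bytes.

```python
import binascii
import re

# Vault header: $ANSIBLE_VAULT;<version>;<cipher>[;<vault-id>]
HEADER_RE = re.compile(r"^\$ANSIBLE_VAULT;(1\.[12]);(AES256)(?:;([^;\s]+))?$")

def parse_vault_header(first_line):
    """Return (version, cipher, vault_id) or None if this is not a vault header."""
    m = HEADER_RE.match(first_line.strip())
    return (m.group(1), m.group(2), m.group(3)) if m else None

def is_vaulted(text):
    """True if text is a structurally complete vault 1.1/1.2 envelope.
    The hex body decodes to 'salt\\nhmac\\nciphertext', each field itself
    hex-encoded; salt and HMAC-SHA256 are 32 bytes. Nothing is decrypted."""
    lines = text.splitlines()
    if not lines or parse_vault_header(lines[0]) is None:
        return False
    body = "".join(line.strip() for line in lines[1:])
    try:
        parts = binascii.unhexlify(body).split(b"\n")
        if len(parts) != 3:
            return False
        salt, mac, ciphertext = (binascii.unhexlify(p) for p in parts)
    except (binascii.Error, ValueError):
        return False
    return len(salt) == 32 and len(mac) == 32 and len(ciphertext) > 0

def find_unvaulted(files):
    """files: {path: contents} for files that are expected to hold secrets.
    Returns the paths that are NOT vault envelopes, i.e. would leak plaintext."""
    return sorted(p for p, contents in files.items() if not is_vaulted(contents))

def constructed_envelope():
    """Constructed sample (dummy bytes, no real key material), laid out the way
    ansible-vault writes the file: header line, then 80 hex characters per line."""
    salt, mac, ciphertext = bytes(range(32)), bytes(range(32, 64)), b"\xaa" * 32
    payload = b"\n".join(binascii.hexlify(x) for x in (salt, mac, ciphertext))
    hexbody = binascii.hexlify(payload).decode()
    wrapped = "\n".join(hexbody[i:i + 80] for i in range(0, len(hexbody), 80))
    return "$ANSIBLE_VAULT;1.1;AES256\n" + wrapped + "\n"

if __name__ == "__main__":
    # Constructed repository snapshot: one plaintext vars file, one vaulted one.
    repo = {"group_vars/secret.yml": "---\nmysql_password: top_secret\n",
            "group_vars/db.yml": constructed_envelope()}
    print("plaintext secret files:", find_unvaulted(repo))  # ['group_vars/secret.yml']
```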