Securing Ansible Variables with GPG


Ansible Vault encrypts variables and files so you can protect sensitive content such as passwords or keys rather than leaving it visible as plaintext in playbooks or roles. - Ansible Vault

There are multiple methods of handling secrets for Ansible deployments. This is a relatively simple one, best suited for non-clustered deployments where HashiCorp Vault would be overkill.

Following these steps will create an encrypted vault that gets automatically decrypted when you run ansible-playbook.

1. requirements

2. setup

Using your GPG key, you'll need to initialize pass and store the password for your Ansible Vault.

$ openssl rand -hex 64 # optional: generate a random vault password
$ gpg --list-keys
$ pass init <your-gpg-key>
$ pass insert ansible-vault-password

pass insert and ansible-vault edit will open an editor in the terminal, so make sure you've got EDITOR and VISUAL set to your preferred editor. The default is usually nano.

Then point ansible.cfg at a script that prints the password by reading it back out of pass:

# in ansible.cfg
vault_password_file = ./

pass show ansible-vault-password

3. usage

$ ansible-vault create your-vault.yml

The output will look something like this for an empty file.


You’ll likely want to put this in group_vars or host_vars. Here’s an example with a role named base.

You could put everything into a single vault.yml or split non-secure configurations into a separate var.yml:

├── group_vars
│   ├── base
│   │   ├── var.yml
│   │   └── vault.yml

Or for a host named example:

├── host_vars
│   └── example

Now all you need to do is check the encrypted vault file into git (or back it up some other way), and you're good to go with secure deployments.

$ ansible-vault edit your-vault.yml

$ ansible-playbook playbook.yml # no flags needed thanks to modifying ansible.cfg
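Two things go wrong with this setup in practice: the password script is not executable (Ansible then reads the file's contents as the password itself), or a vault.yml gets committed before it was ever encrypted. The following check script is an added example, not part of the original post; vault-pass.sh is a made-up name for the password script and the fixture it builds is constructed, not a real project.

```shell
#!/bin/sh
# Hypothetical check script (added here, not part of the original post) for the
# pass-backed vault setup: catches the two common failure modes before a deploy or commit.
set -eu

# Read vault_password_file from ansible.cfg, ignoring surrounding whitespace.
password_file_from_cfg() {
    sed -n 's/^[[:space:]]*vault_password_file[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Ansible executes the password file only when it is executable; a non-executable
# file has its *contents* used as the password, so a forgotten chmod silently
# turns "pass show ansible-vault-password" into the literal vault passphrase.
check_password_file() {
    f="$1"
    [ -n "$f" ] && [ -f "$f" ] || { echo "missing vault_password_file: '$f'" >&2; return 1; }
    [ -x "$f" ] || { echo "not executable, would be read as a literal password: $f" >&2; return 1; }
}

# Encrypted vault files start with the $ANSIBLE_VAULT header; anything else under
# group_vars/host_vars named vault.yml is a plaintext secret about to be committed.
is_encrypted() {
    first=$(head -n 1 "$1" 2>/dev/null) || return 1
    case "$first" in '$ANSIBLE_VAULT;'*) return 0 ;; *) return 1 ;; esac
}

check_vaults() {
    rc=0
    for v in "$@"; do
        if is_encrypted "$v"; then echo "encrypted: $v"; else echo "PLAINTEXT: $v" >&2; rc=1; fi
    done
    return "$rc"
}

# Constructed fixture so the script runs stand-alone; vault-pass.sh is a made-up
# name for the password script, and the vault body is not real ciphertext.
demo() {
    d=$(mktemp -d)
    printf '#!/bin/sh\nexec pass show ansible-vault-password\n' > "$d/vault-pass.sh"
    chmod 700 "$d/vault-pass.sh"
    printf '[defaults]\nvault_password_file = ./vault-pass.sh\n' > "$d/ansible.cfg"
    printf '$ANSIBLE_VAULT;1.1;AES256\n3030303030303030\n' > "$d/vault.yml"
    printf 'db_password: hunter2\n' > "$d/plain.yml"
    (cd "$d" && check_password_file "$(password_file_from_cfg ansible.cfg)")
    check_vaults "$d/vault.yml" "$d/plain.yml" || echo "demo: fix the PLAINTEXT file" >&2
    rm -rf "$d"
}
demo
```

Run it from the repository root (or wire check_vaults into a git pre-commit hook) so a plaintext vault.yml fails the check before it reaches the remote.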

