First, create a key file, e.g. vault_pass_file, which ideally contains a long sequence of random characters. On Linux systems you can use pwgen to create a random password file:

pwgen 256 1 > vault_pass_file

Then use this file to encrypt sensitive data, e.g. group_vars/group.yml:

ANSIBLE_VAULT_PASSWORD_FILE=vault_pass_file ansible-vault encrypt group_vars/group.yml

From now on, in order to run a playbook you need the vault_pass_file:

ANSIBLE_VAULT_PASSWORD_FILE=vault_pass_file ansible-playbook -i inventories/nodes my-playbook.yml

Note that you can also pass the flag --vault-password-file vault_pass_file instead of setting the ANSIBLE_VAULT_PASSWORD_FILE environment variable.

To edit or decrypt the secret on disk, use ansible-vault edit and ansible-vault decrypt respectively.
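The procedure above only protects the secrets if the vault password file stays private and every vars file that should be vaulted actually is. The following POSIX shell check, an added example that is not part of the original post, verifies both before a commit: it looks for the `$ANSIBLE_VAULT;1.x;AES256` header that ansible-vault writes as the first line, and confirms the key file is mode 0600. The paths group_vars/ and vault_pass_file are the ones used above; the function names are this example's own.

```shell
#!/bin/sh
# Pre-commit style check (added example): every .yml under a group_vars
# directory must be vaulted, and the vault password file must be 0600.
set -u

# Returns 0 if FILE starts with the Ansible Vault header
# ($ANSIBLE_VAULT;1.1;AES256 or 1.2 with a vault id label).
is_vaulted() {
  head -n 1 "$1" 2>/dev/null | grep -q '^\$ANSIBLE_VAULT;1\.[0-9];AES256'
}

# Returns 0 if every .yml file in DIR is vaulted; names offenders on stderr.
all_vaulted() {
  rc=0
  for f in "$1"/*.yml; do
    [ -e "$f" ] || continue
    if ! is_vaulted "$f"; then
      echo "NOT VAULTED: $f" >&2
      rc=1
    fi
  done
  return $rc
}

# Returns 0 if FILE exists and is readable/writable by its owner only (0600).
key_mode_ok() {
  [ -f "$1" ] || return 1
  # GNU stat first, BSD/macOS stat as fallback
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
  [ "$mode" = "600" ]
}

# Usage: ./check_vault.sh group_vars vault_pass_file
main() {
  ok=0
  all_vaulted "$1" || ok=1
  key_mode_ok "$2" || { echo "key file $2 must be mode 0600" >&2; ok=1; }
  return $ok
}

if [ $# -gt 0 ]; then
  main "$@"
fi
```

Run it from the playbook directory; a non-zero exit means a plaintext vars file or a too-permissive key file was found.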