Ansible Mastery Part 6: Encrypting Secrets with Ansible Vault
Protect passwords, API keys, and licenses in your playbooks. A practical guide to using Ansible Vault without breaking your automation flow.

Welcome back to our Ansible Mastery journey. If you are new here, don’t miss the previous posts before diving into this one.
We have already discussed how Ansible is used to automate infrastructure, right?
We write playbooks to handle configuration and much more. But sometimes these playbooks need sensitive information: passwords, API tokens, licence keys, SSH keys, stuff that you don’t want sitting in plain text.
Now imagine pushing those playbooks to GitHub or GitLab, maybe because you need to collaborate with others. If you just drop your secrets into the YAML as plain text, you are basically taking a risk and sharing your secrets with the world.
🔒 What is Ansible Vault?
Think of Ansible Vault as a password-protected envelope for your YAML content. You can encrypt either:
Entire files
Or just individual variables.
This way we can safely version-control playbooks while the sensitive data in them stays locked.
🧪 Step-by-Step: Encrypting a File
Let’s say we have a critical_data.yml file which holds an API key and a licence key:
((venv) ) anurudh@localhost:~/Ansible_Network_Engineer$ cat inventory/critical_data.yml
---
api_key: Cisco@123
licence_key: abcdef
((venv) ) anurudh@localhost:~/Ansible_Network_Engineer$
Let’s encrypt it:
ansible-vault encrypt ./inventory/critical_data.yml
It will ask for a vault password. Choose one and remember it; you will need it to decrypt the file later.
((venv) ) anurudh@localhost:~/Ansible_Network_Engineer$ ansible-vault encrypt ./inventory/critical_data.yml
New Vault password:
Confirm New Vault password:
Encryption successful
((venv) ) anurudh@localhost:~/Ansible_Network_Engineer$
The contents are now encrypted. ✅
((venv) ) anurudh@localhost:~/Ansible_Network_Engineer$ cat inventory/critical_data.yml
$ANSIBLE_VAULT;1.1;AES256
((venv) ) anurudh@localhost:~/Ansible_Network_Engineer$
🔓 Decrypting the File
To decrypt it when needed:
ansible-vault decrypt ./inventory/critical_data.yml
📦 Using Encrypted Files in Playbooks
Let’s look back at our playbook:
((venv) ) anurudh@localhost:~/Ansible_Network_Engineer$ cat ansible_playbook/03_ssh_key.yml
---
- hosts: routers
  #gather_facts: false
  vars_files:
    - /home/anurudh/Ansible_Network_Engineer/inventory/critical_data.yml
  tasks:
    - name: Print Ansible Config location
      ansible.builtin.debug:
        msg:
          - "{{ ansible_config_file }}"
          - "{{ ansible_user }}"
          - "{{ api_key }}"
          - "{{ licence_key }}"
((venv) ) anurudh@localhost:~/Ansible_Network_Engineer$
Let’s run the playbook:
((venv) ) anurudh@localhost:~/Ansible_Network_Engineer$ ansible-playbook ansible_playbook/03_ssh_key.yml
ERROR! Attempting to decrypt but no vault secrets found
((venv) ) anurudh@localhost:~/Ansible_Network_Engineer$
Expected. We get ERROR! Attempting to decrypt but no vault secrets found because we need to tell Ansible to ask for the vault password:
ansible-playbook ansible_playbook/03_ssh_key.yml --ask-vault-pass
Then provide the vault password, and boom — it works:
((venv) ) anurudh@localhost:~/Ansible_Network_Engineer$ ansible-playbook ansible_playbook/03_ssh_key.yml --ask-vault-pass
Vault password:
PLAY [routers] ******************************************************************************************************************
TASK [Gathering Facts] **********************************************************************************************************
ok: [r2]
ok: [r1]
TASK [Print Ansible Config location] ********************************************************************************************
ok: [r1] => {
"msg": [
"/home/anurudh/Ansible_Network_Engineer/ansible.cfg",
"ansible_admin",
"Cisco@123",
"abcdef"
]
}
ok: [r2] => {
"msg": [
"/home/anurudh/Ansible_Network_Engineer/ansible.cfg",
"cisco",
"Cisco@123",
"abcdef"
]
}
PLAY RECAP **********************************************************************************************************************
r1 : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
r2 : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
((venv) ) anurudh@localhost:~/Ansible_Network_Engineer$
🤔 Tired of Typing the Password Every Time?
You might have noticed that we have to provide the vault password every time we run the playbook:
((venv) ) anurudh@localhost:~/Ansible_Network_Engineer$ ansible-playbook ansible_playbook/03_ssh_key.yml --ask-vault-pass
Vault password:
Wouldn’t it be great if we didn’t have to provide the vault password every time?
Let’s see how it can be done.
Let’s create a vault password file to store the vault password.
In my case I have taken 1234 as the vault password:
((venv) ) anurudh@localhost:~/Ansible_Network_Engineer$ cat inventory/vid_pass
1234
((venv) ) anurudh@localhost:~/Ansible_Network_Engineer$
Then update your ansible.cfg:
vault_password_file=/home/anurudh/Ansible_Network_Engineer/inventory/vid_pass
ansible.cfg file for reference:
((venv) ) anurudh@localhost:~/Ansible_Network_Engineer$ cat ansible.cfg
[defaults]
inventory = /home/anurudh/ansible/inventory/cisco_devices
transport = network_cli
#host_key_checking =False # Disables SSH host key checking
vault_password_file=/home/anurudh/Ansible_Network_Engineer/inventory/vid_pass
Now you can run your playbook without --ask-vault-pass:
ansible-playbook ansible_playbook/03_ssh_key.yml
It picks up the password automatically. Nice.
((venv) ) anurudh@localhost:~/Ansible_Network_Engineer$ ansible-playbook ansible_playbook/03_ssh_key.yml
PLAY [routers] ******************************************************************************************************************
TASK [Gathering Facts] **********************************************************************************************************
ok: [r2]
ok: [r1]
TASK [Print Ansible Config location] ********************************************************************************************
ok: [r1] => {
"msg": [
"/home/anurudh/Ansible_Network_Engineer/ansible.cfg",
"ansible_admin",
"Cisco@123",
"abcdef"
]
}
ok: [r2] => {
"msg": [
"/home/anurudh/Ansible_Network_Engineer/ansible.cfg",
"cisco",
"Cisco@123",
"abcdef"
]
}
PLAY RECAP **********************************************************************************************************************
r1 : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
r2 : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
((venv) ) anurudh@localhost:~/Ansible_Network_Engineer$
Yes, you have got it! We have now used the Ansible Vault feature to encrypt our critical data. You know, we can go ahead and encrypt even our vault password file?
I hope you will try encrypting the vault password file too. It’s all the same as above.
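As an added example (not code from this post, and not part of Ansible), here is a small pre-commit style check in Python that catches the failure mode the post opens with: a plaintext critical_data.yml, or the vid_pass password file itself, reaching Git. It accepts both whole-file encryption (the $ANSIBLE_VAULT header shown above) and inline !vault variables; the secret key names, the sample contents and the exact-match .gitignore handling are assumptions.

```python
# Pre-commit style guard for this post's layout (added example, not from the post or Ansible):
# refuse plaintext secrets under inventory/ and sanity-check the vault password file. Key names assumed.
import re
from pathlib import Path
# Header ansible-vault writes on an encrypted file: $ANSIBLE_VAULT;<version>;<cipher>[;<vault-id>]
VAULT_HEADER = re.compile(r"^\$ANSIBLE_VAULT;(\d+\.\d+);(\w+)(?:;([^\s;]+))?$")
# Top-level keys that must never be committed in the clear (assumed naming convention).
SECRET_KEY = re.compile(r"^\s*(\w*(?:password|passwd|api_key|licen[cs]e_key|token|secret)\w*)\s*:", re.I)
# Constructed samples modelled on critical_data.yml from the post (hex bodies are shortened, not real).
PLAIN_SAMPLE = "---\napi_key: Cisco@123\nlicence_key: abcdef\n"
VAULTED_SAMPLE = "$ANSIBLE_VAULT;1.1;AES256\n37643462653035623238373631636630\n"
INLINE_SAMPLE = "---\nansible_user: admin\napi_key: !vault |\n  $ANSIBLE_VAULT;1.1;AES256\n  3764346265303562\n"

def parse_vault_header(line):
    """Return (version, cipher, vault_id) for a vault header line, else None."""
    m = VAULT_HEADER.match(line.strip())
    return (m.group(1), m.group(2), m.group(3)) if m else None

def find_plaintext_secrets(text):
    """Secret-looking keys whose value is in the clear; whole-file and !vault inline encryption both pass."""
    lines = text.splitlines()
    if lines and parse_vault_header(lines[0]):
        return []  # whole file was encrypted with `ansible-vault encrypt`
    return [m.group(1) for m in map(SECRET_KEY.match, lines) if m and "!vault" not in m.string]

def check_vault_password_file(name, mode, gitignore):
    """Problems with a vault_password_file: readable by group/others, or not excluded from git (exact-match check only)."""
    problems = []
    if mode & 0o077:
        problems.append(f"{name}: mode {mode & 0o777:o}, expected 600")
    ignored = {l.strip() for l in gitignore.splitlines() if l.strip() and not l.startswith("#")}
    if name not in ignored and Path(name).name not in ignored:
        problems.append(f"{name}: not listed in .gitignore")
    return problems

def main(repo="."):
    root, failures = Path(repo), []
    for yml in sorted(root.glob("inventory/*.yml")):
        for key in find_plaintext_secrets(yml.read_text()):
            failures.append(f"{yml}: '{key}' is plaintext, run: ansible-vault encrypt {yml}")
    pw = root / "inventory" / "vid_pass"  # vault_password_file path from the post's ansible.cfg
    if pw.exists():
        ignore = (root / ".gitignore").read_text() if (root / ".gitignore").exists() else ""
        failures += check_vault_password_file(pw.relative_to(root).as_posix(), pw.stat().st_mode, ignore)
    for f in failures:
        print("FAIL", f)
    return not failures

if __name__ == "__main__":
    raise SystemExit(0 if main() else 1)
```

Run it from the repository root as a pre-commit hook or CI step: the file written by ansible-vault encrypt passes, the plaintext critical_data.yml fails, and a world-readable or untracked-but-not-ignored vid_pass is reported.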
✅ Recap
Ansible Vault is your built-in secret protector.
It plays nice with Git and automation pipelines.
Use it to keep your playbooks clean and your credentials safe.
✅ Action Step for You Today
Try it, break it, automate it.
If you’re doing infra-as-code, this is a must-have tool in your Ansible workflow.
I’ll guide you, one simple post at a time.
We will dive deeper into Ansible in upcoming posts. Feel free to DM or ping me with your queries and comments.
Smiles :)
Anurudh