
Mastering Ansible Vault: Secure Password Management Without Interactive Prompts

This guide explains how to use Ansible Vault’s AES‑256 encryption to store passwords and other sensitive data non‑interactively, covering creation, viewing, editing, rekeying, multiple Vault IDs, encrypted strings, and best‑practice recommendations for secure automation.

Liangxu Linux

Why non‑interactive password handling matters

When managing target nodes, some operations require a password, but prompting for input during automated runs defeats the purpose of using Ansible.

Common insecure work‑arounds

Writing sensitive data to a file and reading it later (insecure).

Setting environment variables (unsupported by some tools and inconvenient).

Passing passwords via command‑line options (insecure and not supported by Ansible).

Using expect‑style tools (cumbersome).

Ansible Vault – the built‑in solution

Ansible provides Vault, which encrypts data with AES‑256. Early versions (pre‑2.4) required a single password for all encrypted items; newer versions support multiple Vault IDs and more flexible workflows.

12.1 Creating an encrypted file

Use the ansible-vault command and its sub‑commands such as create, view, edit, etc.

$ ansible-vault --help

positional arguments:
  {create,decrypt,edit,view,encrypt,encrypt_string,rekey}
    create              Create a new encrypted file
    decrypt             Decrypt an encrypted file
    edit                Edit an encrypted file
    view                View an encrypted file
    encrypt             Encrypt an existing file
    encrypt_string      Encrypt a string
    rekey               Change the Vault ID or password

Example – create a file passwd_prompt.yml and store a variable:

$ ansible-vault create --vault-id @prompt passwd_prompt.yml

New vault password (default):            # prompted
Confirm new vault password (default):    # prompted
---
mypasswd: 123456                         # variable

The file is encrypted with the password entered at the prompt. The first line of the encrypted file is always the protocol header:

$ANSIBLE_VAULT;1.1;AES256

Viewing encrypted content

$ ansible-vault view --vault-id @prompt passwd_prompt.yml
Vault password (default):
---
mypasswd: 123456

12.2 Vault ID and password sources

The --vault-id option takes a label@source argument, and the source can be given in three ways:

label@prompt – prompt for the password interactively.

label@path/to/file – read the password from a plain‑text file.

label@path/to/script – read the password from the standard output of an executable script.

Examples:

$ echo '123456' >a.txt
$ ansible-vault create --vault-id id1@prompt first.yml
$ ansible-vault create --vault-id id2@a.txt second.yml
$ ansible-vault create --vault-id id3@path/to/script third.yml

If the Vault ID is omitted, the default ID is used.

Using multiple Vault IDs in a playbook

---
- hosts: localhost
  gather_facts: no
  vars_files:
    - first_passwd.yml
    - second_passwd.yml
  tasks:
    - name: debug first
      debug:
        var: passwd1
    - name: debug second
      debug:
        var: passwd2

Run it with the same IDs (and password sources) that were used to create the two files; path/to/file stands for each ID's password file:

$ ansible-playbook --vault-id id1@path/to/file --vault-id id2@path/to/file test.yml

12.3 Encrypting an existing file

$ ansible-vault encrypt --vault-id id1@a.txt plain.yml

The encrypted file begins with a header that may include the Vault ID:

$ANSIBLE_VAULT;1.2;AES256;id1

12.4 Understanding the protocol header

The header consists of up to four fields separated by semicolons:

$ANSIBLE_VAULT – fixed identifier.

Version number (e.g., 1.1 or 1.2).

Encryption algorithm (currently only AES256).

Optional Vault ID (present when a specific ID was used).

You can extract the Vault ID with a simple awk command:

$ awk -F';' 'NR==1{print $4}' encrypted.yml
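The following Python helper is added here as an illustration of what the sections on --vault-id sources (12.2) and the header (12.4) describe; it is not Ansible's own code. It splits a label@source argument at the first @, reads the password from a prompt, a plain-text file or an executable script, and uses the header's fourth field to decide which supplied ID can open a file. The fixture function and its file names (a.txt, pw.sh, second.yml) are constructed for the demonstration.

```python
import os
import re
import subprocess
import tempfile
from pathlib import Path
HEADER_RE = re.compile(  # 12.4 layout: $ANSIBLE_VAULT;<version>;<cipher>[;<vault-id>]
    r"^\$ANSIBLE_VAULT;(?P<version>\d+\.\d+);(?P<cipher>[A-Z0-9]+)(?:;(?P<vault_id>[^;\s]+))?\s*$")

def parse_vault_header(first_line):
    """Return (version, cipher, vault_id); vault_id is None for a 1.1 header."""
    m = HEADER_RE.match(first_line)
    if not m:
        raise ValueError("not an Ansible Vault header: %r" % first_line)
    return m.group("version"), m.group("cipher"), m.group("vault_id")

def parse_vault_id_spec(spec):
    """Split a --vault-id value at the first '@' into (label, source); no '@' means the default label."""
    return tuple(spec.split("@", 1)) if "@" in spec else ("default", spec)

def read_password(source, prompt=input):
    """Resolve the three sources from 12.2: 'prompt', a plain-text file, or an executable script."""
    if source == "prompt":
        return prompt("Vault password: ")
    path = Path(source)
    if os.access(path, os.X_OK):  # executable: run it and take its stdout
        out = subprocess.run([str(path)], capture_output=True, text=True, check=True)
        return out.stdout.rstrip("\n")
    return path.read_text().rstrip("\n")  # password file: the trailing newline is not part of the password

def choose_vault_id(encrypted_file, specs):
    """Return the (label, source) whose label matches the header's fourth field (strict matching;
    ansible itself also falls back to trying every supplied password when no label matches)."""
    with open(encrypted_file) as f:
        _, cipher, vault_id = parse_vault_header(f.readline())
    if cipher != "AES256":
        raise ValueError("unsupported cipher " + cipher)
    by_label = dict(parse_vault_id_spec(s) for s in specs)
    wanted = vault_id or "default"  # a 1.1 header carries no ID, so it maps to the default label
    if wanted not in by_label:
        raise LookupError("no --vault-id supplied for label %r" % wanted)
    return wanted, by_label[wanted]

def make_sample_dir():
    """Constructed fixtures, not real secrets: a.txt password file, pw.sh password script, second.yml vault file."""
    d = Path(tempfile.mkdtemp())
    (d / "a.txt").write_text("123456\n")
    (d / "pw.sh").write_text("#!/bin/sh\necho s3cret\n")
    os.chmod(d / "pw.sh", 0o700)
    (d / "second.yml").write_text("$ANSIBLE_VAULT;1.2;AES256;id2\n39623437...\n")  # body truncated on purpose
    return d
```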

12.5 Decrypting a file

$ ansible-vault decrypt --vault-id id1@a.txt encrypted.yml

12.6 Rekeying (changing ID or password)

$ ansible-vault rekey --vault-id id1@a.txt \
                      --new-vault-id id2@path/to/new-file \
                      file.yml

You may change only the ID or only the password by keeping one part of the label@source unchanged.

12.7 Editing an encrypted file

$ ansible-vault edit --vault-id id1@a.txt file.yml

The command opens the default editor with a temporary plaintext copy; upon saving, the file is re‑encrypted automatically.

12.8 Encrypting a string for inline use

$ ansible-vault encrypt_string --vault-id id1@a.txt 'hello' --name mysql_pass
mysql_pass: !vault |
          $ANSIBLE_VAULT;1.2;AES256;id1
          39623437656130313338613033383464376437...

You can omit --name to get only the !vault block, or read the plaintext from stdin using --stdin-name.

12.9 Speeding up encryption/decryption

pip install cryptography

12.10 Best practices

Encrypt only the files that actually contain sensitive data. Give encrypted variables a vault_ prefix so they are easy to spot, keep them in a separate encrypted file, and reference them from the main (plaintext) variable file rather than storing the secret there.
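As an added example of the layout this section recommends (written for this page, not taken from any project), the following Python check walks a vars tree and flags the three slips that undo it: a vault.yml or vault_*.yml file committed in plaintext, a vault_-prefixed variable holding a literal value outside an encrypted file, and an inline !vault block whose body does not start with the header. The fixture tree, its paths and its values are constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

HEADER = re.compile(r"^\$ANSIBLE_VAULT;\d+\.\d+;AES256(?:;[^;\s]+)?\s*$")
INLINE = re.compile(r"^\s*[\w.-]+:\s*!vault\s*\|\s*$")           # key: !vault |
VAULT_VAR = re.compile(r"^\s*vault_\w+:\s*(?![\"']?\{\{)\S")     # vault_x: <literal, not a {{ }} reference>

def audit_vars_tree(root):
    """Walk a vars tree and return (relative path, line number, problem) tuples, ordered by path."""
    root, findings = Path(root), []
    for path in sorted(root.rglob("*.yml")):
        lines = path.read_text().splitlines()
        rel = str(path.relative_to(root))
        encrypted = bool(lines) and HEADER.match(lines[0]) is not None
        if (path.name == "vault.yml" or path.name.startswith("vault_")) and not encrypted:
            findings.append((rel, 1, "vault file is not encrypted"))
        if encrypted:
            continue  # whole-file ciphertext: nothing more to inspect
        for no, line in enumerate(lines, 1):
            if INLINE.match(line):
                body = lines[no].strip() if no < len(lines) else ""
                if not HEADER.match(body):
                    findings.append((rel, no, "!vault block without vault header"))
            elif VAULT_VAR.match(line):
                findings.append((rel, no, "vault_ variable holds a plaintext value"))
    return findings

def make_sample_tree():
    """Constructed fixtures (no real secrets) following the layout recommended in 12.10."""
    root = Path(tempfile.mkdtemp())
    (root / "group_vars/all").mkdir(parents=True)
    (root / "group_vars/all/vars.yml").write_text('db_password: "{{ vault_db_password }}"\n')
    (root / "group_vars/all/vault.yml").write_text("$ANSIBLE_VAULT;1.2;AES256;id1\n39623437...\n")
    (root / "group_vars/db").mkdir()
    (root / "group_vars/db/vault.yml").write_text("vault_db_password: hunter2\n")  # committed in plaintext
    (root / "host_vars").mkdir()
    (root / "host_vars/web1.yml").write_text(
        "mysql_pass: !vault |\n  $ANSIBLE_VAULT;1.2;AES256;id1\n  39623437...\n"
        "api_key: !vault |\n  not-a-header\n")  # second inline block is malformed
    return root
```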

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Written by

Liangxu Linux

Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc. (Reply “Linux” to receive essential resources.)
