124 lines
6.4 KiB
Groff
124 lines
6.4 KiB
Groff
'\" t
|
|
.\" Title: ansible-vault
|
|
.\" Author: [see the "AUTHOR" section]
|
|
.\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
|
|
.\" Date: 08/27/2015
|
|
.\" Manual: System administration commands
|
|
.\" Source: Ansible 2.0.0
|
|
.\" Language: English
|
|
.\"
|
|
.TH "ANSIBLE\-VAULT" "1" "08/27/2015" "Ansible 2\&.0\&.0" "System administration commands"
|
|
.\" -----------------------------------------------------------------
|
|
.\" * Define some portability stuff
|
|
.\" -----------------------------------------------------------------
|
|
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
.\" http://bugs.debian.org/507673
|
|
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
|
|
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
.ie \n(.g .ds Aq \(aq
|
|
.el .ds Aq '
|
|
.\" -----------------------------------------------------------------
|
|
.\" * set default formatting
|
|
.\" -----------------------------------------------------------------
|
|
.\" disable hyphenation
|
|
.nh
|
|
.\" disable justification (adjust text to left margin only)
|
|
.ad l
|
|
.\" -----------------------------------------------------------------
|
|
.\" * MAIN CONTENT STARTS HERE *
|
|
.\" -----------------------------------------------------------------
|
|
.SH "NAME"
|
|
ansible-vault \- manage encrypted YAML data\&.
|
|
.SH "SYNOPSIS"
|
|
.sp
|
|
ansible\-vault [create|decrypt|edit|encrypt|rekey] [\-\-help] [options] file_name
|
|
.SH "DESCRIPTION"
|
|
.sp
|
|
\fBansible\-vault\fR can encrypt any structured data file used by Ansible\&. This can include \fBgroup_vars/\fR or \fBhost_vars/\fR inventory variables, variables loaded by \fBinclude_vars\fR or \fBvars_files\fR, or variable files passed on the ansible\-playbook command line with \fB\-e @file\&.yml\fR or \fB\-e @file\&.json\fR\&. Role variables and defaults are also included!
|
|
.sp
|
|
Because Ansible tasks, handlers, and so on are also data, these can also be encrypted with vault\&. If you\(cqd like to not betray what variables you are even using, you can go as far to keep an individual task file entirely encrypted\&.
|
|
.SH "COMMON OPTIONS"
|
|
.sp
|
|
The following options are available to all sub\-commands:
|
|
.PP
|
|
\fB\-\-vault\-password\-file=\fR\fIFILE\fR
|
|
.RS 4
|
|
A file containing the vault password to be used during the encryption/decryption steps\&. Be sure to keep this file secured if it is used\&. If the file is executable, it will be run and its standard output will be used as the password\&.
|
|
.RE
|
|
.PP
|
|
\fB\-\-new\-vault\-password\-file=\fR\fIFILE\fR
|
|
.RS 4
|
|
A file containing the new vault password to be used when rekeying a file\&. Be sure to keep this file secured if it is used\&. If the file is executable, it will be run and its standard output will be used as the password\&.
|
|
.RE
|
|
.PP
|
|
\fB\-h\fR, \fB\-\-help\fR
|
|
.RS 4
|
|
Show a help message related to the given sub\-command\&.
|
|
.RE
|
|
.PP
|
|
\fB\-\-debug\fR
|
|
.RS 4
|
|
Enable debugging output for troubleshooting\&.
|
|
.RE
|
|
.SH "CREATE"
|
|
.sp
|
|
\fB$ ansible\-vault create [options] FILE\fR
|
|
.sp
|
|
The \fBcreate\fR sub\-command is used to initialize a new encrypted file\&.
|
|
.sp
|
|
First you will be prompted for a password\&. The password used with vault currently must be the same for all files you wish to use together at the same time\&.
|
|
.sp
|
|
After providing a password, the tool will launch whatever editor you have defined with $EDITOR, and defaults to vim\&. Once you are done with the editor session, the file will be saved as encrypted data\&.
|
|
.sp
|
|
The default cipher is AES (which is shared\-secret based)\&.
|
|
.SH "EDIT"
|
|
.sp
|
|
\fB$ ansible\-vault edit [options] FILE\fR
|
|
.sp
|
|
The \fBedit\fR sub\-command is used to modify a file which was previously encrypted using ansible\-vault\&.
|
|
.sp
|
|
This command will decrypt the file to a temporary file and allow you to edit the file, saving it back when done and removing the temporary file\&.
|
|
.SH "REKEY"
|
|
.sp
|
|
\fB$ ansible\-vault rekey [options] FILE_1 [FILE_2, \&..., FILE_N]\fR
|
|
.sp
|
|
The \fBrekey\fR command is used to change the password on a vault\-encrypted files\&. This command can update multiple files at once, and will prompt for both the old and new passwords before modifying any data\&.
|
|
.SH "ENCRYPT"
|
|
.sp
|
|
\fB$ ansible\-vault encrypt [options] FILE_1 [FILE_2, \&..., FILE_N]\fR
|
|
.sp
|
|
The \fBencrypt\fR sub\-command is used to encrypt pre\-existing data files\&. As with the \fBrekey\fR command, you can specify multiple files in one command\&.
|
|
.sp
|
|
Starting with version 2\&.0, the \fBencrypt\fR command accepts an \fB\-\-output FILENAME\fR option to determine where encrypted output is stored\&. With this option, input is read from the (at most one) filename given on the command line; if no input file is given, input is read from stdin\&. Either the input or the output file may be given as \fI\-\fR for stdin and stdout respectively\&. If neither input nor output file is given, the command acts as a filter, reading plaintext from stdin and writing it to stdout\&.
|
|
.sp
|
|
Thus any of the following invocations can be used:
|
|
.sp
|
|
\fB$ ansible\-vault encrypt\fR
|
|
.sp
|
|
\fB$ ansible\-vault encrypt \-\-output OUTFILE\fR
|
|
.sp
|
|
\fB$ ansible\-vault encrypt INFILE \-\-output OUTFILE\fR
|
|
.sp
|
|
\fB$ echo secret|ansible\-vault encrypt \-\-output OUTFILE\fR
|
|
.sp
|
|
Reading from stdin and writing only encrypted output is a good way to prevent sensitive data from ever hitting disk (either interactively or from a script)\&.
|
|
.SH "DECRYPT"
|
|
.sp
|
|
\fB$ ansible\-vault decrypt [options] FILE_1 [FILE_2, \&..., FILE_N]\fR
|
|
.sp
|
|
The \fBdecrypt\fR sub\-command is used to remove all encryption from data files\&. The files will be stored as plain\-text YAML once again, so be sure that you do not run this command on data files with active passwords or other sensitive data\&. In most cases, users will want to use the \fBedit\fR sub\-command to modify the files securely\&.
|
|
.sp
|
|
As with \fBencrypt\fR, the \fBdecrypt\fR subcommand also accepts the \fB\-\-output FILENAME\fR option to specify where plaintext output is stored, and stdin/stdout is handled as described above\&.
|
|
.SH "AUTHOR"
|
|
.sp
|
|
Ansible was originally written by Michael DeHaan\&. See the AUTHORS file for a complete list of contributors\&.
|
|
.SH "COPYRIGHT"
|
|
.sp
|
|
Copyright \(co 2014, Michael DeHaan
|
|
.sp
|
|
Ansible is released under the terms of the GPLv3 License\&.
|
|
.SH "SEE ALSO"
|
|
.sp
|
|
\fBansible\fR(1), \fBansible\-pull\fR(1), \fBansible\-doc\fR(1)
|
|
.sp
|
|
Extensive documentation is available in the documentation site: http://docs\&.ansible\&.com\&. IRC and mailing list info can be found in file CONTRIBUTING\&.md, available in: https://github\&.com/ansible/ansible
|