e0573d3099
fixes #15577
155 lines
4.9 KiB
Text
155 lines
4.9 KiB
Text
ansible-vault(1)
|
||
================
|
||
:doctype: manpage
|
||
:man source: Ansible
|
||
:man version: %VERSION%
|
||
:man manual: System administration commands
|
||
|
||
NAME
|
||
----
|
||
ansible-vault - manage encrypted ansible vars files (YAML).
|
||
|
||
|
||
SYNOPSIS
|
||
--------
|
||
ansible-vault [create|decrypt|edit|encrypt|rekey] [--help] [options] file_name
|
||
|
||
|
||
DESCRIPTION
|
||
-----------
|
||
|
||
*ansible-vault* can encrypt any structured data file used by Ansible.
|
||
This can include *group_vars/* or *host_vars/* inventory variables,
|
||
variables loaded by *include_vars* or *vars_files*, or variable files
|
||
passed on the ansible-playbook command line with *-e @file.yml* or *-e @file.json*.
|
||
Role variables and defaults are also included!
|
||
|
||
Because Ansible tasks, handlers, and so on are also data, these can also be encrypted with vault.
|
||
If you’d like to not betray what variables you are even using, you can go as far to keep an individual task file entirely encrypted.
|
||
|
||
The password used with vault currently must be the same for all files you wish to use together at the same time.
|
||
|
||
COMMON OPTIONS
|
||
--------------
|
||
|
||
The following options are available to all sub-commands:
|
||
|
||
*--vault-password-file=*'FILE'::
|
||
|
||
A file containing the vault password to be used during the encryption/decryption
|
||
steps. Be sure to keep this file secured if it is used. If the file is executable,
|
||
it will be run and its standard output will be used as the password.
|
||
|
||
*--new-vault-password-file=*'FILE'::
|
||
|
||
A file containing the new vault password to be used when rekeying a
|
||
file. Be sure to keep this file secured if it is used. If the file
|
||
is executable, it will be run and its standard output will be used as
|
||
the password.
|
||
|
||
*-h*, *--help*::
|
||
|
||
Show a help message related to the given sub-command.
|
||
|
||
|
||
If '--valut-password-file' is not supplied ansib-vault will automatically prompt for passwords as required.
|
||
|
||
|
||
CREATE
|
||
------
|
||
|
||
*$ ansible-vault create [options] FILE*
|
||
|
||
The *create* sub-command is used to initialize a new encrypted file.
|
||
|
||
After providing a password, the tool will launch whatever editor you have defined
|
||
with $EDITOR, and defaults to vi. Once you are done with the editor session, the
|
||
file will be saved as encrypted data.
|
||
|
||
The default cipher is AES (which is shared-secret based).
|
||
|
||
EDIT
|
||
----
|
||
|
||
*$ ansible-vault edit [options] FILE*
|
||
|
||
The *edit* sub-command is used to modify a file which was previously encrypted using ansible-vault.
|
||
|
||
This command will decrypt the file to a temporary file and allow you to edit the file,
|
||
saving it back when done and removing the temporary file.
|
||
|
||
|
||
REKEY
|
||
-----
|
||
|
||
*$ ansible-vault rekey [options] FILE_1 [FILE_2, ..., FILE_N]*
|
||
|
||
The *rekey* command is used to change the password on a vault-encrypted files.
|
||
This command can update multiple files at once.
|
||
|
||
|
||
ENCRYPT
|
||
-------
|
||
|
||
*$ ansible-vault encrypt [options] FILE_1 [FILE_2, ..., FILE_N]*
|
||
|
||
The *encrypt* sub-command is used to encrypt pre-existing data files.
|
||
As with the *rekey* command, you can specify multiple files in one command.
|
||
|
||
The *encrypt* command accepts an *--output FILENAME* option to determine where
|
||
encrypted output is stored. With this option, input is read from the (at most one)
|
||
filename given on the command line; if no input file is given, input is read from stdin.
|
||
Either the input or the output file may be given as '-' for stdin and stdout respectively.
|
||
If neither input nor output file is given, the command acts as a filter,
|
||
reading plaintext from stdin and writing it to stdout.
|
||
|
||
Thus any of the following invocations can be used:
|
||
|
||
*$ ansible-vault encrypt*
|
||
|
||
*$ ansible-vault encrypt --output OUTFILE*
|
||
|
||
*$ ansible-vault encrypt INFILE --output OUTFILE*
|
||
|
||
*$ echo secret|ansible-vault encrypt --output OUTFILE*
|
||
|
||
Reading from stdin and writing only encrypted output is a good way to prevent
|
||
sensitive data from ever hitting disk (either interactively or from a script).
|
||
|
||
DECRYPT
|
||
-------
|
||
|
||
*$ ansible-vault decrypt [options] FILE_1 [FILE_2, ..., FILE_N]*
|
||
|
||
The *decrypt* sub-command is used to remove all encryption from data files.
|
||
The files will be stored as plain-text YAML once again, so be sure that you do not run this
|
||
command on data files with active passwords or other sensitive data.
|
||
In most cases, users will want to use the *edit* sub-command to modify the files securely.
|
||
|
||
As with *encrypt*, the *decrypt* subcommand also accepts the *--output FILENAME*
|
||
option to specify where plaintext output is stored, and stdin/stdout is handled
|
||
as described above.
|
||
|
||
AUTHOR
|
||
------
|
||
|
||
Ansible was originally written by Michael DeHaan. See the AUTHORS file
|
||
for a complete list of contributors.
|
||
|
||
|
||
COPYRIGHT
|
||
---------
|
||
|
||
Copyright © 2014, Michael DeHaan
|
||
|
||
Ansible is released under the terms of the GPLv3 License.
|
||
|
||
|
||
SEE ALSO
|
||
--------
|
||
|
||
*ansible*(1), *ansible-pull*(1), *ansible-doc*(1), *ansible-playbook*(1), *ansible-galaxy*(1)
|
||
|
||
Extensive documentation is available in the documentation site:
|
||
<http://docs.ansible.com>. IRC and mailing list info can be found
|
||
in file CONTRIBUTING.md, available in: <https://github.com/ansible/ansible>
|