Ansible vault
- Ansible docs: User Guide: Vault
- Ansible vault guide: Protecting sensitive data with Ansible vault
- Use sops:
Community.Sops
Include encrypted variables into plaintext variable files
Encrypt
Encrypting files
- Encrypting files with Ansible Vault. Encrypt an existing file:
ansible-vault encrypt foo.yml
Encrypting individual variables
ansible-vault encrypt_string --vault-id a_password_file 'foobar' --name 'the_secret'
Don't use quotes (' ") or backticks (`) in passwords; this is asking for trouble in badly written scripts/software!
ansible-vault encrypt_string "$(pwgen -ys 24 -r "\`\"'" -1)" --name 'borgbackup_passphrase' >> host_vars/illapa.digital
To be on the safe side, don't use special chars at all:
ansible-vault encrypt_string "$(pwgen 24)" --name 'borgbackup_passphrase' >> host_vars/illapa.digital
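The two encrypt_string invocations above rely on pwgen and on the password not containing shell-hostile characters. The following is an added example, not part of the original notes: a small POSIX sh helper that generates an alphanumeric passphrase without pwgen (the same character set as `pwgen 24`), refuses any secret that contains quotes, backticks or non-printable characters, and only then hands it to `ansible-vault encrypt_string`. The variable name, the host_vars path and the `vault_var` function name are placeholders; ansible-vault is only called if it is installed.

```shell
#!/bin/sh
# Added example, not from the original notes.
# Assumes: POSIX sh, /dev/urandom, tr, head, wc; ansible-vault is optional.

# Return 0 if $1 is non-empty and contains none of ' " ` and no character
# outside the printable, non-space ASCII range.
is_shell_safe() {
  case "$1" in
    *"'"*|*'"'*|*'`'*) return 1 ;;
  esac
  [ -n "$1" ] || return 1
  # Delete every printable non-space char; anything left over is unwanted.
  [ "$(printf '%s' "$1" | LC_ALL=C tr -d '[:graph:]' | wc -c)" -eq 0 ]
}

# Generate $1 (default 24) characters from [A-Za-z0-9] only, like `pwgen 24`.
gen_passphrase() {
  len="${1:-24}"
  LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$len"
}

# Encrypt a variable with ansible-vault and append it to a host_vars file.
# Usage: vault_var <var_name> <secret> <host_vars_file>
# The vault password is prompted for (or taken from ANSIBLE_VAULT_PASSWORD_FILE).
vault_var() {
  name="$1"; secret="$2"; dest="$3"
  if ! is_shell_safe "$secret"; then
    echo "refusing: secret contains quotes, backticks or non-printable chars" >&2
    return 1
  fi
  if ! command -v ansible-vault >/dev/null 2>&1; then
    echo "ansible-vault not installed; nothing written" >&2
    return 2
  fi
  ansible-vault encrypt_string "$secret" --name "$name" >> "$dest"
}

# Example run (placeholder variable name and path):
# vault_var borgbackup_passphrase "$(gen_passphrase 24)" host_vars/example.host
```

`vault_var` exits non-zero before touching the host_vars file if the check fails, so a bad passphrase never ends up half-appended to the inventory.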
Decrypt
To view encrypted variables:
ansible host.name.tld -m debug -a 'var=mariadb_nextcloud_db_pw'