Ansible Configuring Vault Encryption

Source: Internet
Author: User
Tags ansible vault rekey

There are two more secure ways to store this type of data:
1. The ansible-vault command-line tool can encrypt and decrypt any file that Ansible uses.
2. Use a third-party key management service to store the data.

ansible-vault can create, edit, encrypt, decrypt, and view files. Ansible Vault can encrypt any file Ansible uses: inventory variable files, variable files called from a playbook, variable files passed to a playbook as parameters, and variable files defined in Ansible roles.

Ansible Vault uses encryption implemented by an external Python tool. Files are encrypted with AES256, and you must supply a password that serves as the encryption key.

# Interactive mode
[root@ansible ansible]# ansible-vault create test.yml    # create an encrypted file
New Vault password:
Confirm New Vault password:
[root@ansible ansible]# cat test.yml
$ANSIBLE_VAULT;1.1;AES256
<hex ciphertext lines omitted>
[root@ansible ansible]# ansible-vault view test.yml    # view an encrypted file
Vault password:
---
[root@ansible ansible]# ansible-vault edit test.yml    # edit an encrypted file
Vault password:

# Non-interactive mode
[root@ansible ansible]# echo redhat >> vault.pass
[root@ansible ansible]# ansible-vault create test2.yml --vault-password-file=vault.pass
[root@ansible ansible]# ansible-vault rekey test2.yml --vault-password-file=vault.pass
New Vault password:
Confirm New Vault password:
Rekey successful

# Encrypt an existing YAML file
[root@ansible ansible]# ansible-vault encrypt del-local.yml
New Vault password:
Confirm New Vault password:
Encryption successful
[root@ansible ansible]# cat del-local.yml
$ANSIBLE_VAULT;1.1;AES256
<hex ciphertext lines omitted>

# Decrypt an already encrypted file
[root@ansible ansible]# ansible-vault decrypt del-local.yml --output=del-local-1.yml
Vault password:
Decryption successful
[root@ansible ansible]# cat del-local-1.yml
- name: delete local
  hosts: 172.16.216.181
  tasks:
    - command: ps
      register: a_ps
      changed_when: false
    - debug:
        msg: "{{ a_ps.stdout }}"
    - local_action: command ps
      #command: ps
      #delegate_to: localhost
      register: local_ps
      changed_when: false
    - debug:
        msg: "{{ local_ps.stdout }}"
[root@ansible ansible]# cat j2.yml
- name: test J2
  hosts: all
  tasks:
    - name: first use template module
      template:
        src: motd.j2
        dest: /etc/motd
        owner: root
        group: root
        mode: 0644
[root@ansible ansible]# ansible-vault encrypt j2.yml
New Vault password:
Confirm New Vault password:
Encryption successful
[root@ansible ansible]# ansible-playbook j2.yml --ask-vault-pass
Vault password:

PLAY [test J2] *****************************************************************

TASK [Gathering Facts] *********************************************************
ok: [172.16.216.181]
ok: [172.16.216.182]

TASK [first use template module] ***********************************************
changed: [172.16.216.182]
changed: [172.16.216.181]

PLAY RECAP *********************************************************************
172.16.216.181             : ok=2    changed=1    unreachable=0    failed=0
172.16.216.182             : ok=2    changed=1    unreachable=0    failed=0

[root@ansible ansible]# ansible-playbook j2.yml --vault-password-file=vault.pass

PLAY [test J2] *****************************************************************

TASK [Gathering Facts] *********************************************************
ok: [172.16.216.182]
ok: [172.16.216.181]

TASK [first use template module] ***********************************************
ok: [172.16.216.182]
ok: [172.16.216.181]

PLAY RECAP *********************************************************************
172.16.216.181             : ok=2    changed=0    unreachable=0    failed=0
172.16.216.182             : ok=2    changed=0    unreachable=0    failed=0

# Point the environment variable at the password file
[root@ansible ansible]# vim /etc/profile
export ANSIBLE_VAULT_PASSWORD_FILE=/etc/ansible/vault.pass
[root@ansible ansible]# . /etc/profile
[root@ansible ansible]# ansible-playbook j2.yml

PLAY [test J2] *****************************************************************

TASK [Gathering Facts] *********************************************************
ok: [172.16.216.182]
ok: [172.16.216.181]

TASK [first use template module] ***********************************************
ok: [172.16.216.182]
ok: [172.16.216.181]

PLAY RECAP *********************************************************************
172.16.216.181             : ok=2    changed=0    unreachable=0    failed=0
172.16.216.182             : ok=2    changed=0    unreachable=0    failed=0

[root@ansible ~]# yum install python2-cryptography    # speeds up encryption and decryption
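The sessions above show what an encrypted file looks like on disk: a `$ANSIBLE_VAULT;1.1;AES256` header followed by hex text. The following checker, added here as an example and not code from the page or from the Ansible project, parses that envelope without any password so a commit hook or CI job can refuse a vars file that was never encrypted or was damaged in transit. The envelope layout it relies on (hex of salt, HMAC and ciphertext, each itself hex, joined by newlines and wrapped at 80 columns) is the one Ansible's VaultAES256 cipher writes; the sample bytes and function names are constructed for this example.

```python
import binascii
import textwrap

HEADER = "$ANSIBLE_VAULT"


def build_envelope(salt, mac, ciphertext, vault_id=None):
    """Wrap raw salt/HMAC/ciphertext in the vault text envelope: each part hex,
    joined by newlines, the whole hex-encoded again and wrapped at 80 columns.
    Only used here to construct a sample; ansible-vault writes the real thing."""
    inner = b"\n".join(binascii.hexlify(x) for x in (salt, mac, ciphertext))
    header = HEADER + (";1.2;AES256;" + vault_id if vault_id else ";1.1;AES256")
    return "\n".join([header] + textwrap.wrap(binascii.hexlify(inner).decode(), 80)) + "\n"


def parse_vault_envelope(text):
    """Parse an envelope without any password; raise ValueError if it is malformed."""
    lines = text.splitlines()
    if not lines or not lines[0].startswith(HEADER):
        raise ValueError("missing $ANSIBLE_VAULT header")
    fields = lines[0].strip().split(";")
    if len(fields) < 3 or fields[1] not in ("1.1", "1.2") or fields[2] != "AES256":
        raise ValueError("unsupported header: " + lines[0])
    try:
        inner = binascii.unhexlify("".join(l.strip() for l in lines[1:]))
        salt, mac, ct = (binascii.unhexlify(p) for p in inner.split(b"\n"))
    except ValueError:  # binascii.Error is a ValueError; so is a failed 3-way unpack
        raise ValueError("payload is not well-formed vault hex")
    # VaultAES256: 32-byte random salt, HMAC-SHA256 tag, PKCS7-padded AES-CTR ciphertext
    if len(salt) != 32 or len(mac) != 32 or not ct or len(ct) % 16:
        raise ValueError("salt/HMAC/ciphertext sizes are inconsistent")
    return {"vault_id": fields[3] if len(fields) > 3 else None,
            "salt": salt, "hmac": mac, "ciphertext": ct}


def is_vault_encrypted(text):
    try:
        parse_vault_envelope(text)
        return True
    except ValueError:
        return False


def unencrypted_files(files):
    """Gate a commit or CI run: names of vars files that are NOT vault-encrypted."""
    return sorted(name for name, text in files.items() if not is_vault_encrypted(text))


# Constructed samples (fixed bytes stand in for what ansible-vault would emit).
SAMPLE_VAULT = build_envelope(b"\x01" * 32, b"\x02" * 32, b"\x03" * 48)
SAMPLE_PLAIN = "newusers:\n  - name: ansibleuser1\n    pw: redhat\n"
```

A passing structural check only proves the file is encrypted and intact; whether the password is right is only known when ansible-vault verifies the HMAC during decryption.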

Example
[root@ansible ~]# ansible-vault create secret.yml
newusers:
  - name: ansibleuser1
    pw: redhat
  - name: ansibleuser2
    pw: <password not recoverable from the source>
[root@ansible ansible]# cat create_users.yml
- name: create user accounts for all our servers
  hosts: client
  vars_files:
    - secret.yml
  tasks:
    - name: create users
      user:
        name: "{{ item.name }}"
        password: "{{ item.pw | password_hash('sha512') }}"
      with_items: "{{ newusers }}"
[root@ansible ansible]# ansible-playbook --syntax-check --ask-vault-pass create_users.yml
Vault password:
playbook: create_users.yml
[root@ansible ansible]# echo redhat > vault.pass
[root@ansible ansible]# chmod 0600 vault.pass
[root@ansible ansible]# ansible-playbook --syntax-check --vault-password-file=vault.pass create_users.yml
playbook: create_users.yml
[root@ansible ansible]# ansible-playbook --vault-password-file=vault.pass create_users.yml

PLAY [create user accounts for all our servers] ********************************

TASK [Gathering Facts] *********************************************************
ok: [172.16.216.182]
ok: [172.16.216.181]

TASK [create users] ************************************************************
changed: [172.16.216.182] => (item={u'name': u'ansibleuser1', u'pw': u'redhat'})
changed: [172.16.216.181] => (item={u'name': u'ansibleuser1', u'pw': u'redhat'})
changed: [172.16.216.182] => (item={u'name': u'ansibleuser2', u'pw': u'<not recoverable>'})
changed: [172.16.216.181] => (item={u'name': u'ansibleuser2', u'pw': u'<not recoverable>'})

PLAY RECAP *********************************************************************
172.16.216.181             : ok=2    changed=1    unreachable=0    failed=0
172.16.216.182             : ok=2    changed=1    unreachable=0    failed=0

[root@ansible ansible]# ssh <user>@172.16.216.181
<user>@172.16.216.181's password:
The hostname is Ansible-client1.liuxplus.com
Today's date is 2018-10-11
[<user>@Ansible-client1 ~]$ exit
logout
Connection to 172.16.216.181 closed.
[root@ansible ansible]# ssh <user>@172.16.216.182
<user>@172.16.216.182's password:
The hostname is Ansible-client2.linuxplust.com
Today's date is 2018-10-11
[<user>@Ansible-client2 ~]$ exit
logout
Connection to 172.16.216.182 closed.
[root@ansible ansible]# ssh <user>@172.16.216.181
<user>@172.16.216.181's password:
The hostname is Ansible-client1.liuxplus.com
Today's date is 2018-10-11
[<user>@Ansible-client1 ~]$ exit
logout
Connection to 172.16.216.181 closed.
[root@ansible ansible]# ssh <user>@172.16.216.182
<user>@172.16.216.182's password:
The hostname is Ansible-client2.linuxplust.com
Today's date is 2018-10-11
[<user>@Ansible-client2 ~]$ exit
logout
Connection to 172.16.216.182 closed.
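The example relies on a plaintext password file: `echo redhat > vault.pass`, `chmod 0600 vault.pass`, and `ANSIBLE_VAULT_PASSWORD_FILE` pointing at it. The check below is added here as an illustration (not code from the page or from Ansible) of what to verify about that file before every playbook run: that it exists, that no group/other permission bit is set, and that it holds exactly one line, since the earlier session's `echo redhat >> vault.pass` appends and a repeated run would leave a two-line file that Ansible reads, stripped, as one wrong password. The `demo` function and its temp files are constructed for this example; the default path is the one the page exports.

```python
import os
import stat
import tempfile


def check_vault_password_file(path):
    """Return a list of problems; an empty list means the file is safe to use."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["%s does not exist" % path]
    if not stat.S_ISREG(st.st_mode):
        return ["%s is not a regular file" % path]
    problems = []
    # Any group/other bit means every local user on the controller can read the password.
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("%s has mode %o; use chmod 0600" % (path, stat.S_IMODE(st.st_mode)))
    with open(path, "rb") as fh:
        lines = fh.read().strip().splitlines()
    if not lines:
        problems.append("%s is empty" % path)
    elif len(lines) > 1:
        # 'echo redhat >> vault.pass' run twice leaves two lines; Ansible uses the
        # whole stripped file content as the password, so every decrypt then fails.
        problems.append("%s holds %d lines, expected exactly one" % (path, len(lines)))
    return problems


def password_file_from_env(default="/etc/ansible/vault.pass"):
    """Same lookup as the page's setup: ANSIBLE_VAULT_PASSWORD_FILE, else the default path."""
    return os.environ.get("ANSIBLE_VAULT_PASSWORD_FILE", default)


def demo():
    """Constructed files in a temp dir; returns {name: problems} for each case."""
    d = tempfile.mkdtemp()
    cases = {"good.pass": (b"redhat\n", 0o600),
             "open.pass": (b"redhat\n", 0o644),            # forgot chmod 0600
             "double.pass": (b"redhat\nredhat\n", 0o600),  # '>>' run twice
             "empty.pass": (b"", 0o600)}
    out = {}
    for name, (data, mode) in cases.items():
        p = os.path.join(d, name)
        with open(p, "wb") as fh:
            fh.write(data)
        os.chmod(p, mode)
        out[name] = check_vault_password_file(p)
    out["missing.pass"] = check_vault_password_file(os.path.join(d, "missing.pass"))
    return out
```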
