Vault

“ansible-vault encrypt_string”

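  • prompts for the vault password, the same one that must be supplied later when invoking ansible
  • reads the string we want to encrypt from stdin (`toto` in the session below); it is decrypted at run time using that password
  • prints the encrypted value (a `!vault |` block of AES256 ciphertext, not a hash) that we can paste into playbooks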
root@ansible:~/ansible# ansible-vault encrypt_string
New Vault password: 
Confirm New Vault password: 
Reading plaintext input from stdin. (ctrl-d to end input)
toto!vault |
          $ANSIBLE_VAULT;1.1;AES256
          38643731663238336363393361336337313835623234656431643433613434333631316662396533
          3866626439376665646336626237623538386361373834330a373336333466366630666132666239
          38383538366366356164663161393034623835336264353333633433336230613063383336636564
          3733643939386563620a366263633834333566643438653462373166316438316332316366313534
          3534
Encryption successful
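
What the block printed above contains, as an added example (not part of the original note and not Ansible's own code): the hex text is an envelope holding a salt, an HMAC and the ciphertext, so anyone with the vault password can verify and decrypt it. The function names are this example's own; the key derivation (PBKDF2-HMAC-SHA256, 10000 iterations, 80 bytes split into AES key, HMAC key and IV) is the one used by the vault 1.1 AES256 format.

```python
import binascii, hashlib, hmac

# Value copied from the terminal session on this page.
PAGE_VALUE = """$ANSIBLE_VAULT;1.1;AES256
38643731663238336363393361336337313835623234656431643433613434333631316662396533
3866626439376665646336626237623538386361373834330a373336333466366630666132666239
38383538366366356164663161393034623835336264353333633433336230613063383336636564
3733643939386563620a366263633834333566643438653462373166316438316332316366313534
3534
"""

def parse_vault(text):
    """Split a vault 1.1 AES256 value into (salt, stored_hmac, ciphertext)."""
    lines = [l.strip() for l in text.strip().splitlines()]
    header = lines[0].split(";")
    if header[0] != "$ANSIBLE_VAULT" or header[1:3] != ["1.1", "AES256"]:
        raise ValueError("not a vault 1.1 AES256 envelope")
    # Outer layer: hex of "hex(salt)\nhex(hmac)\nhex(ciphertext)".
    inner = binascii.unhexlify("".join(lines[1:]))
    salt, mac, ct = (binascii.unhexlify(p) for p in inner.split(b"\n", 2))
    return salt, mac, ct

def hmac_key(password, salt):
    """Derive the 80-byte key block and return its HMAC-key slice."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10000, dklen=80)
    return dk[32:64]  # bytes 0-31: AES key, 32-63: HMAC key, 64-79: IV

def password_matches(text, password):
    """True if the password reproduces the stored HMAC over the ciphertext."""
    salt, mac, ct = parse_vault(text)
    expected = hmac.new(hmac_key(password, salt), ct, hashlib.sha256).digest()
    return hmac.compare_digest(expected, mac)

if __name__ == "__main__":
    salt, mac, ct = parse_vault(PAGE_VALUE)
    print(len(salt), len(mac), len(ct))
```

The 16-byte ciphertext is the 4-byte input `toto` padded to one AES block. The check in `password_matches` is a plain password-based derivation with no other secret involved, so the strength of the vault password decides how well a committed `!vault` value resists offline guessing.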

To use it, supply the vault password when running the playbook, either at a prompt or from a file:

ansible-playbook --ask-vault-pass -i production.yml myplay.yml --limit serverfqdn_or_group
ansible-playbook --vault-password-file /path/to/my/vault-password-file site.yml

Documentation: https://docs.ansible.com/ansible/latest/user_guide/vault.html