Ansible – Protecting Sensitive Data


Ansible automation routinely requires the use of sensitive values. Ansible Vault provides a way to encrypt, decrypt, and manage sensitive data such as passwords, certificates, keys, and API tokens.

Encrypt the File

Step 1: Create the YAML file named prod.yaml

    ansible-vault create prod.yaml

Step 2: After running the command, the terminal will prompt you to enter the password that will be used to encrypt the file.

    New Vault Password:
    Confirm New Vault Password:

Step 3: Ansible will open the system editor to allow you to define the values that should be encrypted.

    Username: Secret-Information-1
    Password: Secret-Information-2

Step 4: Upon saving the file, Ansible will encrypt its content and place the output on disk.

    $ANSIBLE_VAULT;1.1;AES256
    xxxxxxxxxxxxxxxxxxxxxx
    yyyyyyyyyyyyyyyyyyyyyy

The file is now encrypted!

Decrypt the File

Run the following command in the terminal to validate that the variable definition file is decrypted and its values are injected into the playbook.

    ansible-playbook -i inventory --extra-vars "@prod.yaml" --ask-vault-pass playbook-enc.yaml

The output of the playbook will show the decrypted content on the managed host.
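A practical guard that follows from step 4 is to verify, before committing variable files, that every file meant to hold vault secrets actually carries the `$ANSIBLE_VAULT;<version>;AES256` header and is not sitting in plaintext. The following POSIX shell check is an added example, not part of the original post; the file names and header lines it constructs are sample data.

```shell
#!/bin/sh
# Pre-commit style check: each file passed in must start with an Ansible
# Vault header, otherwise a plaintext secret is about to be committed.

# Return 0 if the first line of $1 is a valid Ansible Vault header:
#   $ANSIBLE_VAULT;1.1;AES256            (single password, as in the post)
#   $ANSIBLE_VAULT;1.2;AES256;<vault-id> (labelled vault id)
# Return 1 for plaintext or an unreadable file.
is_vault_encrypted() {
    header=$(head -n 1 "$1" 2>/dev/null) || return 1
    case "$header" in
        '$ANSIBLE_VAULT;1.1;AES256'|'$ANSIBLE_VAULT;1.2;AES256;'?*) return 0 ;;
        *) return 1 ;;
    esac
}

# Check every path given; report offenders on stderr and return 1 if any
# file is not vault-encrypted, so the hook can block the commit.
check_vault_files() {
    rc=0
    for f in "$@"; do
        if ! is_vault_encrypted "$f"; then
            echo "NOT ENCRYPTED: $f" >&2
            rc=1
        fi
    done
    return $rc
}

# Demo on constructed sample files: one encrypted (header only, body
# shortened), one accidentally left in plaintext.
demo_dir=$(mktemp -d)
printf '$ANSIBLE_VAULT;1.1;AES256\n3061...\n' > "$demo_dir/prod.yaml"
printf 'Password: Secret-Information-2\n' > "$demo_dir/leaked.yaml"
check_vault_files "$demo_dir/prod.yaml" "$demo_dir/leaked.yaml" \
    || echo "commit blocked: plaintext secrets found"   # reports leaked.yaml
rm -rf "$demo_dir"
```

Wire `check_vault_files` into a pre-commit hook over the vars files you expect to be encrypted; a header check catches the common mistake of editing with `ansible-vault decrypt` and forgetting to re-encrypt.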

References:

• Red Hat Certified Engineer (RHCE) Ansible Automation Study Guide (Alex Soto Bueno)
