mirror of https://github.com/ansible-collections/community.general.git, synced 2025-10-25 21:44:00 -07:00
ansible-vault(1)
================
:doctype:      manpage
:man source:   Ansible
:man version:  %VERSION%
:man manual:   System administration commands

NAME
----
ansible-vault - manage encrypted ansible vars files (YAML).


SYNOPSIS
--------
ansible-vault [create|decrypt|edit|encrypt|rekey] [--help] [options] file_name


DESCRIPTION
-----------

*ansible-vault* can encrypt any structured data file used by Ansible.
This can include *group_vars/* or *host_vars/* inventory variables,
variables loaded by *include_vars* or *vars_files*, or variable files
passed on the ansible-playbook command line with *-e @file.yml* or *-e @file.json*.
Role variables and defaults are also included!

Because Ansible tasks, handlers, and so on are also data, these can also be encrypted with vault.
If you would rather not reveal even which variables you are using, you can go as far as to keep an individual task file entirely encrypted.

The password used with vault currently must be the same for all files you wish to use together at the same time.

COMMON OPTIONS
--------------

The following options are available to all sub-commands:

*--vault-password-file=*'FILE'::

A file containing the vault password to be used during the encryption/decryption
steps. Be sure to keep this file secured if it is used. If the file is executable,
it will be run and its standard output will be used as the password.

*--new-vault-password-file=*'FILE'::

A file containing the new vault password to be used when rekeying a
file. Be sure to keep this file secured if it is used. If the file
is executable, it will be run and its standard output will be used as
the password.

*-h*, *--help*::

Show a help message related to the given sub-command.


If '--vault-password-file' is not supplied, ansible-vault will automatically prompt for passwords as required.

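As an added example (not part of this man page and not Ansible's own code), the following POSIX shell script reproduces the two documented behaviours of a '--vault-password-file': a plain file is read for the password, an executable file is run and its standard output becomes the password. It adds the check a practitioner wants before handing such a file to ansible-vault: a password file readable by group or others is refused, which is what "keep this file secured" amounts to in practice. The function names (`vault_file_is_private`, `read_vault_password`, `make_vault_fixtures`) are hypothetical and the fixture files are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the ansible-vault man page or Ansible's own code.
# Reproduces the documented --vault-password-file semantics in shell and adds a
# permission check: a password file readable by group/others is refused.
# All function names are hypothetical; fixture contents are constructed.
set -eu

# Return 0 when FILE is accessible only by its owner, i.e. the group and
# "other" mode bits are all clear (0600 or 0700 style). Parsed from the
# 10-character mode string of `ls -ld`, which is portable across sh flavours.
vault_file_is_private() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ????------) return 0 ;;
    esac
    return 1
}

# Print the vault password that ansible-vault would derive from FILE:
# an executable file is run and its stdout used; a plain file is read.
# Refuses files that are not private, mirroring "keep this file secured".
read_vault_password() {
    f=$1
    if [ ! -e "$f" ]; then
        echo "vault password file not found: $f" >&2
        return 1
    fi
    if ! vault_file_is_private "$f"; then
        echo "refusing $f: readable by group/others, run chmod 600 on it" >&2
        return 1
    fi
    if [ -x "$f" ]; then
        "$f"                # executable: its standard output is the password
    else
        head -n 1 "$f"      # plain file: first line is the password
    fi
}

# Create three constructed password files under DIR for demonstration:
#   pass.txt   0600, plain password file
#   pass.sh    0700, executable that prints the password
#   leaky.txt  0644, plain password file that is world-readable
make_vault_fixtures() {
    d=$1
    printf 'correct horse battery staple\n' > "$d/pass.txt"
    chmod 600 "$d/pass.txt"
    printf '#!/bin/sh\necho from-script\n' > "$d/pass.sh"
    chmod 700 "$d/pass.sh"
    printf 'should-not-be-used\n' > "$d/leaky.txt"
    chmod 644 "$d/leaky.txt"
}

# Stand-alone demo: exercise all three fixtures, then clean up.
demo=$(mktemp -d)
make_vault_fixtures "$demo"
echo "plain file  -> $(read_vault_password "$demo/pass.txt")"
echo "executable  -> $(read_vault_password "$demo/pass.sh")"
if read_vault_password "$demo/leaky.txt" >/dev/null 2>&1; then
    echo "world-readable file was accepted (unexpected)"
else
    echo "world-readable file refused, as intended"
fi
rm -rf "$demo"
```

The executable form is the one to prefer when the password lives in a secret manager: the script fetches it at run time and nothing but the script's mode bits needs protecting on disk. The same permission check applies to the file given to '--new-vault-password-file'.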

CREATE
------

*$ ansible-vault create [options] FILE*

The *create* sub-command is used to initialize a new encrypted file.

After providing a password, the tool will launch whatever editor you have defined
with $EDITOR, and defaults to vi. Once you are done with the editor session, the
file will be saved as encrypted data.

The default cipher is AES (which is shared-secret based).

EDIT
----

*$ ansible-vault edit [options] FILE*

The *edit* sub-command is used to modify a file which was previously encrypted using ansible-vault.

This command will decrypt the file to a temporary file and allow you to edit the file,
saving it back when done and removing the temporary file.


REKEY
-----

*$ ansible-vault rekey [options] FILE_1 [FILE_2, ..., FILE_N]*

The *rekey* command is used to change the password on vault-encrypted files.
This command can update multiple files at once.


ENCRYPT
-------

*$ ansible-vault encrypt [options] FILE_1 [FILE_2, ..., FILE_N]*

The *encrypt* sub-command is used to encrypt pre-existing data files.
As with the *rekey* command, you can specify multiple files in one command.

The *encrypt* command accepts an *--output FILENAME* option to determine where
encrypted output is stored. With this option, input is read from the (at most one)
filename given on the command line; if no input file is given, input is read from stdin.
Either the input or the output file may be given as '-' for stdin and stdout respectively.
If neither input nor output file is given, the command acts as a filter,
reading plaintext from stdin and writing it to stdout.

Thus any of the following invocations can be used:

*$ ansible-vault encrypt*

*$ ansible-vault encrypt --output OUTFILE*

*$ ansible-vault encrypt INFILE --output OUTFILE*

*$ echo secret | ansible-vault encrypt --output OUTFILE*

Reading from stdin and writing only encrypted output is a good way to prevent
sensitive data from ever hitting disk (either interactively or from a script).

DECRYPT
-------

*$ ansible-vault decrypt [options] FILE_1 [FILE_2, ..., FILE_N]*

The *decrypt* sub-command is used to remove all encryption from data files.
The files will be stored as plain-text YAML once again, so be sure that you do not run this
command on data files with active passwords or other sensitive data.
In most cases, users will want to use the *edit* sub-command to modify the files securely.

As with *encrypt*, the *decrypt* sub-command also accepts the *--output FILENAME*
option to specify where plaintext output is stored, and stdin/stdout is handled
as described above.

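The risk spelled out under DECRYPT is a vars file left as plain-text YAML and then committed or deployed. As an added example (not part of this man page and not Ansible's own code), the following POSIX shell script checks a directory such as *group_vars/* or *host_vars/* and reports every file that is not vault-encrypted, which makes it usable as a pre-commit hook. It relies on one property of the vault file format that the man page itself does not state: ansible-vault writes a `$ANSIBLE_VAULT;` header as the first line of every file it encrypts. The function names (`is_vault_encrypted`, `list_plaintext_files`, `check_vault_dir`, `make_vault_fixture`) are hypothetical, and the fixture files, including the made-up ciphertext body, are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the ansible-vault man page or Ansible's own code.
# Guards against the failure mode described under DECRYPT: a vars file left in
# plaintext and committed. ansible-vault writes a "$ANSIBLE_VAULT;" header as
# the first line of every file it encrypts (a known property of the format, not
# stated in the man page); any file in a vault-protected directory lacking it
# is reported. Function names are hypothetical; fixture contents are constructed.
set -eu

VAULT_MAGIC='$ANSIBLE_VAULT;'

# 0 if FILE begins with the vault header, 1 otherwise (or if unreadable).
is_vault_encrypted() {
    first=$(head -n 1 "$1" 2>/dev/null || true)
    case "$first" in
        "$VAULT_MAGIC"*) return 0 ;;
    esac
    return 1
}

# Print every regular file below DIR that is not vault-encrypted.
list_plaintext_files() {
    find "$1" -type f | while IFS= read -r f; do
        is_vault_encrypted "$f" || printf '%s\n' "$f"
    done
}

# 0 if everything below DIR is vault-encrypted; otherwise print the offending
# paths and return 1. Suitable as a pre-commit hook over group_vars/ host_vars/.
check_vault_dir() {
    bad=$(list_plaintext_files "$1")
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}

# Constructed fixture: one file with a vault-style header (the ciphertext body
# below is made-up hex, not real ansible-vault output) and one plaintext file.
make_vault_fixture() {
    d=$1
    printf '%s1.1;AES256\n3636313233343536\n' "$VAULT_MAGIC" > "$d/prod.yml"
    printf 'db_password: hunter2\n' > "$d/dev.yml"
}

# Stand-alone demo.
demo=$(mktemp -d)
make_vault_fixture "$demo"
if check_vault_dir "$demo"; then
    echo "all files under $demo are vault-encrypted"
else
    echo "plaintext vars found above; encrypt with: ansible-vault encrypt FILE"
fi
rm -rf "$demo"
```

The check only looks at the header, so it tells you a file was *not* encrypted; it does not validate the ciphertext. That is enough for its purpose, which is catching a file that *decrypt* turned back into plaintext before it leaves the working tree. For files that should never be written in the clear at all, the filter form shown under ENCRYPT (*$ echo secret | ansible-vault encrypt --output OUTFILE*) avoids the problem in the first place.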

AUTHOR
------

Ansible was originally written by Michael DeHaan. See the AUTHORS file
for a complete list of contributors.


COPYRIGHT
---------

Copyright © 2014, Michael DeHaan

Ansible is released under the terms of the GPLv3 License.


SEE ALSO
--------

*ansible*(1), *ansible-pull*(1), *ansible-doc*(1), *ansible-playbook*(1), *ansible-galaxy*(1)

Extensive documentation is available on the documentation site:
<http://docs.ansible.com>. IRC and mailing list info can be found
in the file CONTRIBUTING.md, available in: <https://github.com/ansible/ansible>