Please enable JavaScript.
Coggle requires JavaScript to display documents.
Phase 13 — ANSIBLE VAULT (Enterprise Linux) - Coggle Diagram
Phase 13 — ANSIBLE VAULT (Enterprise Linux)
Ansible Vault
Purpose
Protect sensitive information in Ansible
Encrypt files using AES encryption
Prevent passwords, API keys, SSH keys, and certificates from being stored in plain text
Secure infrastructure as code
Meet enterprise security and compliance requirements
Safe for Git repositories because encrypted files can be committed
Why Enterprise Uses Ansible Vault
Protect production credentials
Protect database passwords
Protect cloud API keys
Protect SSL private keys
Protect service account passwords
Protect LDAP credentials
Protect Active Directory credentials
Protect SNMP community strings
Protect SMTP passwords
Protect Kubernetes secrets
Protect application secrets
Support compliance requirements
ISO 27001
PCI DSS
HIPAA
SOC 2
NIST
How Ansible Vault Works
Plain Text File
YAML file containing secrets
Encryption
ansible-vault encrypt
Encrypted File
Readable only with Vault Password
Decryption
Temporary during playbook execution
Playbook Uses Secret
Secret is loaded into memory
File Remains Encrypted
Disk copy never becomes plain text unless intentionally decrypted
Encryption Algorithm
AES 256 encryption
Password Based Encryption
Secure Hash Verification
Salted Encryption
Integrity Protection
Default File Header
$ANSIBLE_VAULT
Vault Version
Encryption Method
Encrypted Data
Enterprise Directory Structure
ansible-project
ansible.cfg
inventory
production
hosts.ini
group_vars
host_vars
playbooks
roles
files
templates
vault
secret.yml
database.yml
aws.yml
azure.yml
gcp.yml
ldap.yml
smtp.yml
certificates.yml
logs
Vault Commands
Create Encrypted File
ansible-vault create secret.yml
Creates a new encrypted YAML file
Edit Encrypted File
ansible-vault edit secret.yml
Opens encrypted file
Decrypts temporarily
Saves encrypted again automatically
Encrypt Existing File
ansible-vault encrypt secret.yml
Decrypt File
ansible-vault decrypt secret.yml
File becomes plain text
Usually avoided in enterprise
View File Without Decrypting
ansible-vault view secret.yml
Change Vault Password
ansible-vault rekey secret.yml
Encrypt String
ansible-vault encrypt_string 'MyPassword123'
Generate encrypted variable
Useful for one secret inside normal YAML
Encrypt Multiple Files
ansible-vault encrypt database.yml ldap.yml smtp.yml
Decrypt Multiple Files
ansible-vault decrypt database.yml ldap.yml smtp.yml
Rekey Multiple Files
ansible-vault rekey vault
Vault Password Options
Interactive Password Prompt
ansible-playbook site.yml --ask-vault-pass
Password File
ansible-playbook site.yml --vault-password-file vault.pass
Environment Variable Script
Password obtained securely
No manual typing
External Password Manager
HashiCorp Vault
CyberArk
Azure Key Vault
AWS Secrets Manager
Vault Password File
Purpose
Store Vault password in file
Avoid typing password repeatedly
Example Location
vault.pass
Secure Permissions
chmod 600 vault.pass
Ownership
chown ansible:ansible vault.pass
Never Store Inside Public Git Repository
File Permissions
Secret Files
chmod 600 secret.yml
Vault Password File
chmod 600 vault.pass
Owner
ansible automation account
Group
automation team if required
Typical Secret YAML
database_username
database_password
mysql_root_password
postgres_password
ldap_password
smtp_password
aws_access_key
aws_secret_key
azure_client_secret
gcp_service_account
api_token
ssl_private_key
Using Vault in Playbooks
vars_files
Include encrypted YAML file
Variable Access
Use variables normally
Ansible decrypts automatically
Example Flow
Playbook
Load vars_files
Vault
Decrypt in memory
Task
Uses password
Finish
Memory cleared
File remains encrypted
Using Vault with Roles
roles
mysql
defaults
vars
tasks
handlers
apache
defaults
vars
tasks
Store Secrets
group_vars
host_vars
vault
role vars
Group Variables
group_vars
production
vault.yml
Stores
Shared passwords
Shared API keys
Shared certificates
Host Variables
host_vars
db01.yml
web01.yml
Stores
Host specific passwords
Host specific certificates
Encrypt Individual Variables
ansible-vault encrypt_string
Benefits
Encrypt one variable
Rest of file remains readable
Easier code review
Enterprise Secret Categories
Linux Passwords
Windows Passwords
Database Credentials
LDAP Credentials
Active Directory Passwords
SSH Keys
SSL Certificates
VPN Credentials
Kubernetes Secrets
Docker Registry Credentials
Cloud Credentials
Email Credentials
Monitoring Credentials
Backup Credentials
SIEM Credentials
Firewall Passwords
Network Device Passwords
Integration with Inventory
Inventory
hosts.ini
group_vars
all.yml
production.yml
vault.yml
host_vars
db01.yml
web01.yml
Secrets loaded automatically
Integration with CI CD
Jenkins
GitLab CI
GitHub Actions
Azure DevOps
Pipeline
Retrieve Vault Password
Run Playbook
Decrypt in Memory
Complete Deployment
Git Best Practices
Commit encrypted files
Never commit decrypted secrets
Never commit vault password file
Add vault.pass to .gitignore
Rotate secrets regularly
Audit secret changes
Secret Rotation
Regular password changes
Rekey Vault password
Rotate API keys
Rotate SSH keys
Rotate SSL certificates
Rotate database passwords
Security Best Practices
Principle of Least Privilege
Encrypt every sensitive file
Separate secrets from playbooks
Use dedicated Vault directory
Restrict file permissions
Use separate Vault passwords for environments
Rotate Vault passwords
Backup encrypted files
Audit Vault usage
Never share Vault password over email or chat
Never hardcode passwords
Never expose secrets in logs
Use no_log true for sensitive tasks
Store Vault password securely
Use enterprise secret managers where available
Common Enterprise Vault Layout
ansible
ansible.cfg
inventory
production
hosts.ini
group_vars
all.yml
vault.yml
host_vars
db01.yml
web01.yml
playbooks
site.yml
patch.yml
backup.yml
roles
templates
files
vault
database.yml
linux.yml
network.yml
aws.yml
azure.yml
smtp.yml
ldap.yml
certificates.yml
logs
vault.pass
Common Enterprise Commands
ansible-vault create secret.yml
ansible-vault edit secret.yml
ansible-vault view secret.yml
ansible-vault encrypt secret.yml
ansible-vault decrypt secret.yml
ansible-vault rekey secret.yml
ansible-vault encrypt database.yml ldap.yml smtp.yml
ansible-vault decrypt database.yml ldap.yml smtp.yml
ansible-vault encrypt_string 'Password123'
ansible-playbook site.yml --ask-vault-pass
ansible-playbook site.yml --vault-password-file vault.pass
chmod 600 vault.pass
chmod 600 secret.yml
chown ansible:ansible vault.pass
Enterprise Interview Questions
What is Ansible Vault
Why use Ansible Vault
Difference between encrypt and encrypt_string
Difference between create and edit
Difference between view and decrypt
What is rekey
Where should Vault files be stored
Why should vault.pass never be committed to Git
How are secrets loaded during playbook execution
How do you protect Vault password files
What are enterprise best practices for secret management
How does Ansible Vault integrate with CI CD pipelines