1ANSIBLE-VAULT(1) System administration commands ANSIBLE-VAULT(1)
2
3
4
6 ansible-vault - encryption/decryption utility for Ansible data files
7
9 usage: ansible-vault [-h] [--version] [-v]
10 {create,decrypt,edit,view,encrypt,encrypt_string,rekey}
11
13 can encrypt any structured data file used by Ansible. This can include
14 group_vars/ or host_vars/ inventory variables, variables loaded by
15 include_vars or vars_files, or variable files passed on the ansi‐
16 ble-playbook command line with -e @file.yml or -e @file.json. Role
17 variables and defaults are also included!
18
19 Because Ansible tasks, handlers, and other objects are data, these can
20 also be encrypted with vault. If you'd like to not expose what vari‐
21 ables you are using, you can keep an individual task file entirely
22 encrypted.
23
25 --version
26 show program's version number, config file location, configured mod‐
27 ule search path, module location, executable location and exit
28
29 -h, --help
30 show this help message and exit
31
32 -v, --verbose
33 verbose mode (-vvv for more, -vvvv to enable connection debugging)
34
36 create create and open a file in an editor that will be encrypted with
37 the provided vault secret when closed
38
39 --ask-vault-pass
40 ask for vault password
41
42 --encrypt-vault-id 'ENCRYPT_VAULT_ID'
43 the vault id used to encrypt (required if more than vault-id
44 is provided)
45
46 --vault-id
47 the vault identity to use
48
49 --vault-password-file
50 vault password file
51
52 decrypt
53 decrypt the supplied file using the provided vault secret
54
55 --ask-vault-pass
56 ask for vault password
57
58 --output 'OUTPUT_FILE'
59 output file name for encrypt or decrypt; use - for stdout
60
61 --vault-id
62 the vault identity to use
63
64 --vault-password-file
65 vault password file
66
67 edit open and decrypt an existing vaulted file in an editor, that
68 will be encrypted again when closed
69
70 --ask-vault-pass
71 ask for vault password
72
73 --encrypt-vault-id 'ENCRYPT_VAULT_ID'
74 the vault id used to encrypt (required if more than vault-id
75 is provided)
76
77 --vault-id
78 the vault identity to use
79
80 --vault-password-file
81 vault password file
82
83 view open, decrypt and view an existing vaulted file using a pager
84 using the supplied vault secret
85
86 --ask-vault-pass
87 ask for vault password
88
89 --vault-id
90 the vault identity to use
91
92 --vault-password-file
93 vault password file
94
95 encrypt
96 encrypt the supplied file using the provided vault secret
97
98 --ask-vault-pass
99 ask for vault password
100
101 --encrypt-vault-id 'ENCRYPT_VAULT_ID'
102 the vault id used to encrypt (required if more than vault-id
103 is provided)
104
105 --output 'OUTPUT_FILE'
106 output file name for encrypt or decrypt; use - for stdout
107
108 --vault-id
109 the vault identity to use
110
111 --vault-password-file
112 vault password file
113
114 encrypt_string
115 encrypt the supplied string using the provided vault secret
116
117 --ask-vault-pass
118 ask for vault password
119
120 --encrypt-vault-id 'ENCRYPT_VAULT_ID'
121 the vault id used to encrypt (required if more than vault-id
122 is provided)
123
124 --output 'OUTPUT_FILE'
125 output file name for encrypt or decrypt; use - for stdout
126
127 --stdin-name 'ENCRYPT_STRING_STDIN_NAME'
128 Specify the variable name for stdin
129
130 --vault-id
131 the vault identity to use
132
133 --vault-password-file
134 vault password file
135
136 -n, --name
137 Specify the variable name
138
139 -p, --prompt
140 Prompt for the string to encrypt
141
142 rekey re-encrypt a vaulted file with a new secret, the previous secret
143 is required
144
145 --ask-vault-pass
146 ask for vault password
147
148 --encrypt-vault-id 'ENCRYPT_VAULT_ID'
149 the vault id used to encrypt (required if more than vault-id
150 is provided)
151
152 --new-vault-id 'NEW_VAULT_ID'
153 the new vault identity to use for rekey
154
155 --new-vault-password-file 'NEW_VAULT_PASSWORD_FILE'
156 new vault password file for rekey
157
158 --vault-id
159 the vault identity to use
160
161 --vault-password-file
162 vault password file
163
165 The following environment variables may be specified.
166
167 ANSIBLE_CONFIG -- Specify override location for the ansible config file
168
169 Many more are available for most options in ansible.cfg
170
171 For a full list check https://docs.ansible.com/. or use the ansi‐
172 ble-config command.
173
175 /etc/ansible/ansible.cfg -- Config file, used if present
176
177 ~/.ansible.cfg -- User config file, overrides the default config if
178 present
179
180 ./ansible.cfg -- Local config file (in current working directory)
181 assumed to be 'project specific' and overrides the rest if present.
182
183 As mentioned above, the ANSIBLE_CONFIG environment variable will over‐
184 ride all others.
185
187 Ansible was originally written by Michael DeHaan.
188
190 Copyright © 2018 Red Hat, Inc | Ansible. Ansible is released under the
191 terms of the GPLv3 license.
192
194 ansible [22m(1), ansible-config (1), ansible-console (1), ansible-doc (1),
195 ansible-galaxy (1), ansible-inventory (1), ansible-playbook (1), ansi‐
196 ble-pull (1),
197
198 Extensive documentation is available in the documentation site: <‐
199 https://docs.ansible.com>. IRC and mailing list info can be found in
200 file CONTRIBUTING.md, available in: <‐
201 https://github.com/ansible/ansible>
202
203
204
205
206Ansible 2.9.18 ANSIBLE-VAULT(1)