ANSIBLE-VAULT(1)          System administration commands          ANSIBLE-VAULT(1)

NAME
       ansible-vault - encryption/decryption utility for Ansible data files

SYNOPSIS
       usage: ansible-vault [-h] [--version] [-v]
                 {create,decrypt,edit,view,encrypt,encrypt_string,rekey} ...

DESCRIPTION
       ansible-vault can encrypt any structured data file used by Ansible.
       This can include group_vars/ or host_vars/ inventory variables,
       variables loaded by include_vars or vars_files, or variable files
       passed on the ansible-playbook command line with -e @file.yml or
       -e @file.json. Role variables and defaults are also included!

       Because Ansible tasks, handlers, and other objects are data, these can
       also be encrypted with vault. If you'd like to not expose what
       variables you are using, you can keep an individual task file entirely
       encrypted.
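
A pre-commit style check for the file types listed above, added here as an example (it is not part of the man page or of the Ansible project): it reads each file's first line and validates the vault envelope header. The `vault.yml` / `*.vault.yml` naming policy, the function names and the sample tree are assumptions; the `$ANSIBLE_VAULT;<version>;<cipher>[;<vault-id>]` header is the on-disk format ansible-vault writes, which this page does not describe.

```sh
# Added example, not from the man page. Assumed policy: files named vault.yml
# or *.vault.yml below group_vars/ or host_vars/ must be whole-file vaults.
# Header layout: $ANSIBLE_VAULT;<version>;<cipher>[;<vault-id>]

# vault_status FILE -> "encrypted:<vault-id|default>", "inline" (plaintext
# YAML holding !vault values), "plaintext" or "malformed".
vault_status() {
    first=
    IFS= read -r first < "$1" || :       # tolerate a missing final newline
    cr=$(printf '\r'); first=${first%"$cr"}   # tolerate CRLF line endings
    case $first in
        ('$ANSIBLE_VAULT;'*) ;;
        (*) if grep -q '!vault[[:space:]]*|' "$1"; then echo inline
            else echo plaintext; fi
            return 0 ;;
    esac
    rest=${first#'$ANSIBLE_VAULT;'}
    version=${rest%%;*}; rest=${rest#*;}
    cipher=${rest%%;*}; label=${rest#"$cipher"}; label=${label#';'}
    [ "$cipher" = AES256 ] || { echo malformed; return 0; }
    case "$version:$label" in
        (1.1:)   echo encrypted:default ;;     # 1.1 header carries no vault-id
        (1.2:?*) echo "encrypted:$label" ;;    # 1.2 header must name one
        (*)      echo malformed ;;
    esac
}

# audit_vault_files ROOT -> prints "<file>: <status>" per offender, returns 1 if any.
audit_vault_files() {
    report=$(find "$1" \( -path '*/group_vars/*' -o -path '*/host_vars/*' \) \
                  -type f \( -name vault.yml -o -name '*.vault.yml' \) | sort |
        while IFS= read -r f; do
            case $(vault_status "$f") in
                (encrypted:*) ;;
                (*) echo "$f: $(vault_status "$f")" ;;
            esac
        done)
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"; return 1
}

# build_sample_tree DIR: constructed inventory (payload bytes are dummies).
build_sample_tree() {
    mkdir -p "$1/group_vars/prod" "$1/group_vars/dev" "$1/host_vars/web1"
    printf '%s\n' '$ANSIBLE_VAULT;1.2;AES256;prod' 6162 > "$1/group_vars/prod/vault.yml"
    printf '%s\n' '$ANSIBLE_VAULT;1.1;AES256' 6162 > "$1/group_vars/dev/vault.yml"
    printf '%s\n' 'db_password: example' > "$1/host_vars/web1/vault.yml"
    printf '%s\n' 'api_key: !vault |' '  $ANSIBLE_VAULT;1.1;AES256' > "$1/host_vars/web1/api.vault.yml"
}
```

Calling `audit_vault_files .` from the repository root in a pre-commit hook or CI job fails the run when a file that should be vaulted is still plaintext. The label reported for a 1.2 header is the vault id the file was encrypted with.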

COMMON OPTIONS
       --version
          show program's version number, config file location, configured
          module search path, module location, executable location and exit

       -h, --help
          show this help message and exit

       -v, --verbose
          verbose mode (-vvv for more, -vvvv to enable connection debugging)

ACTIONS
       create create and open a file in an editor that will be encrypted with
              the provided vault secret when closed

              --ask-vault-password, --ask-vault-pass
                 ask for vault password

              --encrypt-vault-id 'ENCRYPT_VAULT_ID'
                 the vault id used to encrypt (required if more than one
                 vault-id is provided)

              --vault-id
                 the vault identity to use

              --vault-password-file, --vault-pass-file
                 vault password file

       decrypt
              decrypt the supplied file using the provided vault secret

              --ask-vault-password, --ask-vault-pass
                 ask for vault password

              --output 'OUTPUT_FILE'
                 output file name for encrypt or decrypt; use - for stdout

              --vault-id
                 the vault identity to use

              --vault-password-file, --vault-pass-file
                 vault password file

       edit   open and decrypt an existing vaulted file in an editor, that
              will be encrypted again when closed

              --ask-vault-password, --ask-vault-pass
                 ask for vault password

              --encrypt-vault-id 'ENCRYPT_VAULT_ID'
                 the vault id used to encrypt (required if more than one
                 vault-id is provided)

              --vault-id
                 the vault identity to use

              --vault-password-file, --vault-pass-file
                 vault password file

       view   open, decrypt and view an existing vaulted file using a pager
              using the supplied vault secret

              --ask-vault-password, --ask-vault-pass
                 ask for vault password

              --vault-id
                 the vault identity to use

              --vault-password-file, --vault-pass-file
                 vault password file

       encrypt
              encrypt the supplied file using the provided vault secret

              --ask-vault-password, --ask-vault-pass
                 ask for vault password

              --encrypt-vault-id 'ENCRYPT_VAULT_ID'
                 the vault id used to encrypt (required if more than one
                 vault-id is provided)

              --output 'OUTPUT_FILE'
                 output file name for encrypt or decrypt; use - for stdout

              --vault-id
                 the vault identity to use

              --vault-password-file, --vault-pass-file
                 vault password file

       encrypt_string
              encrypt the supplied string using the provided vault secret

              --ask-vault-password, --ask-vault-pass
                 ask for vault password

              --encrypt-vault-id 'ENCRYPT_VAULT_ID'
                 the vault id used to encrypt (required if more than one
                 vault-id is provided)

              --output 'OUTPUT_FILE'
                 output file name for encrypt or decrypt; use - for stdout

              --show-input
                 Do not hide input when prompted for the string to encrypt

              --stdin-name 'ENCRYPT_STRING_STDIN_NAME'
                 Specify the variable name for stdin

              --vault-id
                 the vault identity to use

              --vault-password-file, --vault-pass-file
                 vault password file

              -n, --name
                 Specify the variable name

              -p, --prompt
                 Prompt for the string to encrypt

       rekey  re-encrypt a vaulted file with a new secret, the previous secret
              is required

              --ask-vault-password, --ask-vault-pass
                 ask for vault password

              --encrypt-vault-id 'ENCRYPT_VAULT_ID'
                 the vault id used to encrypt (required if more than one
                 vault-id is provided)

              --new-vault-id 'NEW_VAULT_ID'
                 the new vault identity to use for rekey

              --new-vault-password-file 'NEW_VAULT_PASSWORD_FILE'
                 new vault password file for rekey

              --vault-id
                 the vault identity to use

              --vault-password-file, --vault-pass-file
                 vault password file

ENVIRONMENT
       The following environment variables may be specified.

       ANSIBLE_CONFIG -- Specify override location for the ansible config file

       Many more are available for most options in ansible.cfg

       For a full list check https://docs.ansible.com/ or use the
       ansible-config command.

FILES
       /etc/ansible/ansible.cfg -- Config file, used if present

       ~/.ansible.cfg -- User config file, overrides the default config if
       present

       ./ansible.cfg -- Local config file (in current working directory)
       assumed to be 'project specific' and overrides the rest if present.

       As mentioned above, the ANSIBLE_CONFIG environment variable will
       override all others.

AUTHOR
       Ansible was originally written by Michael DeHaan.

COPYRIGHT
       Copyright © 2018 Red Hat, Inc | Ansible. Ansible is released under the
       terms of the GPLv3 license.

SEE ALSO
       ansible (1), ansible-config (1), ansible-console (1), ansible-doc (1),
       ansible-galaxy (1), ansible-inventory (1), ansible-playbook (1),
       ansible-pull (1)

       Extensive documentation is available in the documentation site:
       <https://docs.ansible.com>. IRC and mailing list info can be found in
       file CONTRIBUTING.md, available in: <https://github.com/ansible/ansible>

Ansible 2.12.7                                                  ANSIBLE-VAULT(1)