ANSIBLE-VAULT(1)        System administration commands        ANSIBLE-VAULT(1)

ansible-vault - encryption/decryption utility for Ansible data files

usage: ansible-vault [-h] [--version] [-v]
                     {create,decrypt,edit,view,encrypt,encrypt_string,rekey} ...

ansible-vault can encrypt any structured data file used by Ansible. This
can include group_vars/ or host_vars/ inventory variables, variables
loaded by include_vars or vars_files, or variable files passed on the
ansible-playbook command line with -e @file.yml or -e @file.json. Role
variables and defaults are also included!

Because Ansible tasks, handlers, and other objects are data, these can
also be encrypted with vault. If you'd like to not expose what variables
you are using, you can keep an individual task file entirely encrypted.

--version
    show program's version number, config file location, configured
    module search path, module location, executable location and exit

-h, --help
    show this help message and exit

-v, --verbose
    Causes Ansible to print more debug messages. Adding multiple -v will
    increase the verbosity, the builtin plugins currently evaluate up to
    -vvvvvv. A reasonable level to start is -vvv, connection debugging
    might require -vvvv.

create
    create and open a file in an editor that will be encrypted with
    the provided vault secret when closed

    --ask-vault-password, --ask-vault-pass
        ask for vault password

    --encrypt-vault-id 'ENCRYPT_VAULT_ID'
        the vault id used to encrypt (required if more than one
        vault-id is provided)

    --vault-id
        the vault identity to use

    --vault-password-file, --vault-pass-file
        vault password file

decrypt
    decrypt the supplied file using the provided vault secret

    --ask-vault-password, --ask-vault-pass
        ask for vault password

    --output 'OUTPUT_FILE'
        output file name for encrypt or decrypt; use - for stdout

    --vault-id
        the vault identity to use

    --vault-password-file, --vault-pass-file
        vault password file

edit
    open and decrypt an existing vaulted file in an editor, that
    will be encrypted again when closed

    --ask-vault-password, --ask-vault-pass
        ask for vault password

    --encrypt-vault-id 'ENCRYPT_VAULT_ID'
        the vault id used to encrypt (required if more than one
        vault-id is provided)

    --vault-id
        the vault identity to use

    --vault-password-file, --vault-pass-file
        vault password file

view
    open, decrypt and view an existing vaulted file using a pager
    using the supplied vault secret

    --ask-vault-password, --ask-vault-pass
        ask for vault password

    --vault-id
        the vault identity to use

    --vault-password-file, --vault-pass-file
        vault password file

encrypt
    encrypt the supplied file using the provided vault secret

    --ask-vault-password, --ask-vault-pass
        ask for vault password

    --encrypt-vault-id 'ENCRYPT_VAULT_ID'
        the vault id used to encrypt (required if more than one
        vault-id is provided)

    --output 'OUTPUT_FILE'
        output file name for encrypt or decrypt; use - for stdout

    --vault-id
        the vault identity to use

    --vault-password-file, --vault-pass-file
        vault password file

encrypt_string
    encrypt the supplied string using the provided vault secret

    --ask-vault-password, --ask-vault-pass
        ask for vault password

    --encrypt-vault-id 'ENCRYPT_VAULT_ID'
        the vault id used to encrypt (required if more than one
        vault-id is provided)

    --output 'OUTPUT_FILE'
        output file name for encrypt or decrypt; use - for stdout

    --show-input
        Do not hide input when prompted for the string to encrypt

    --stdin-name 'ENCRYPT_STRING_STDIN_NAME'
        Specify the variable name for stdin

    --vault-id
        the vault identity to use

    --vault-password-file, --vault-pass-file
        vault password file

    -n, --name
        Specify the variable name

    -p, --prompt
        Prompt for the string to encrypt

rekey
    re-encrypt a vaulted file with a new secret, the previous secret
    is required

    --ask-vault-password, --ask-vault-pass
        ask for vault password

    --encrypt-vault-id 'ENCRYPT_VAULT_ID'
        the vault id used to encrypt (required if more than one
        vault-id is provided)

    --new-vault-id 'NEW_VAULT_ID'
        the new vault identity to use for rekey

    --new-vault-password-file 'NEW_VAULT_PASSWORD_FILE'
        new vault password file for rekey

    --vault-id
        the vault identity to use

    --vault-password-file, --vault-pass-file
        vault password file

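An added example (not part of this man page or of the Ansible project): a Python audit that reads the header line ansible-vault writes at the top of encrypted content, to report which variable files are still plaintext or carry a different vault-id label than expected, for instance after a rekey with --new-vault-id. The paths, labels and hex bodies are constructed; the label in the header is a plaintext hint, so the check shows labelling, not which secret was actually used.

```python
import re

# First line of every vaulted payload (the hex body follows it):
#   $ANSIBLE_VAULT;1.1;AES256            no vault-id label
#   $ANSIBLE_VAULT;1.2;AES256;<label>    label set via --vault-id / --encrypt-vault-id
HEADER = re.compile(r"^\s*\$ANSIBLE_VAULT;(\d+\.\d+);\w+(?:;(\S+))?\s*$")

def vault_headers(text):
    """Return (line_no, version, label, inline) for each vault header in text."""
    found, prev = [], ""
    for n, line in enumerate(text.splitlines(), 1):
        m = HEADER.match(line)
        if m:
            # encrypt_string output sits under a `name: !vault |` line
            found.append((n, m.group(1), m.group(2), "!vault" in prev))
        if line.strip():
            prev = line
    return found

def audit(files, expected_label):
    """Map each path to 'plaintext', 'ok', 'unlabelled' or 'wrong-id:<labels>'."""
    report = {}
    for path, text in files.items():
        labels = {h[2] for h in vault_headers(text)}
        if not labels:
            report[path] = "plaintext"
        elif labels == {expected_label}:
            report[path] = "ok"
        elif None in labels:
            report[path] = "unlabelled"
        else:
            report[path] = "wrong-id:" + ",".join(sorted(labels - {expected_label}))
    return report

# Constructed sample tree; the hex bodies are placeholders, not real ciphertext.
SAMPLE = {
    "group_vars/prod/vault.yml": "$ANSIBLE_VAULT;1.2;AES256;prod\n36336638\n",
    "group_vars/dev/vault.yml": "$ANSIBLE_VAULT;1.1;AES256\n62316433\n",
    "host_vars/db1.yml": "db_password: !vault |\n"
                         "          $ANSIBLE_VAULT;1.2;AES256;dev\n"
                         "          39613338\n",
    "group_vars/prod/secrets.yml": "db_password: constructed-plaintext\n",
}

if __name__ == "__main__":
    for path, status in audit(SAMPLE, "prod").items():
        print(f"{status:14} {path}")
```
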
The following environment variables may be specified.

ANSIBLE_CONFIG -- Specify override location for the ansible config file

Many more are available for most options in ansible.cfg

For a full list check https://docs.ansible.com/ or use the
ansible-config command.

/etc/ansible/ansible.cfg -- Config file, used if present

~/.ansible.cfg -- User config file, overrides the default config if
present

./ansible.cfg -- Local config file (in current working directory)
assumed to be 'project specific' and overrides the rest if present.

As mentioned above, the ANSIBLE_CONFIG environment variable will
override all others.

Ansible was originally written by Michael DeHaan.

Copyright © 2018 Red Hat, Inc | Ansible. Ansible is released under the
terms of the GPLv3 license.

ansible(1), ansible-config(1), ansible-console(1), ansible-doc(1),
ansible-galaxy(1), ansible-inventory(1), ansible-playbook(1),
ansible-pull(1)

Extensive documentation is available in the documentation site:
<https://docs.ansible.com>. IRC and mailing list info can be found in
file CONTRIBUTING.md, available in: <https://github.com/ansible/ansible>

Ansible 2.14.1                                                ANSIBLE-VAULT(1)