ANSIBLE-VAULT(1)        System administration commands        ANSIBLE-VAULT(1)

NAME
       ansible-vault - encryption/decryption utility for Ansible data files

SYNOPSIS
       usage: ansible-vault [-h] [--version] [-v]
              {create,decrypt,edit,view,encrypt,encrypt_string,rekey} ...

DESCRIPTION
       ansible-vault can encrypt any structured data file used by Ansible.
       This can include group_vars/ or host_vars/ inventory variables,
       variables loaded by include_vars or vars_files, or variable files
       passed on the ansible-playbook command line with -e @file.yml or
       -e @file.json. Role variables and defaults are also included!

       Because Ansible tasks, handlers, and other objects are data, these can
       also be encrypted with vault. If you'd like to not expose what
       variables you are using, you can keep an individual task file entirely
       encrypted.

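The following check is an added example, not part of the ansible-vault distribution: it reads the one-line header that every vaulted file starts with and lists secret-bearing variable files under group_vars/ or host_vars/ that were committed unencrypted. The function names (vault_status, audit_vars, make_demo_tree) and the convention that secret files are named vault* are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of the ansible-vault distribution.
# A vaulted file starts with one header line:
#   $ANSIBLE_VAULT;<format version>;<cipher>[;<vault-id label>]
# The label field is present only in format 1.2.

# Print "plaintext", or "vaulted <version> <label>" ("-" when no label).
vault_status() {
    header=$(head -n 1 "$1")
    case $header in
        '$ANSIBLE_VAULT;'*) ;;
        *) echo plaintext; return 0 ;;
    esac
    version=$(printf '%s\n' "$header" | cut -d';' -f2)
    label=$(printf '%s\n' "$header" | cut -d';' -f4)
    echo "vaulted $version ${label:--}"
}

# List files named like PATTERN (assumed convention: vault*) under any
# group_vars/ or host_vars/ below ROOT that are NOT vaulted.
# Returns 1 when at least one is found, so it can gate a commit or CI job.
audit_vars() {
    unvaulted=$(
        find "$1" -type f -name "${2:-vault*}" \
            \( -path '*/group_vars/*' -o -path '*/host_vars/*' \) | sort |
        while IFS= read -r f; do
            if [ "$(vault_status "$f")" = plaintext ]; then printf '%s\n' "$f"; fi
        done
    )
    if [ -n "$unvaulted" ]; then printf '%s\n' "$unvaulted"; return 1; fi
    return 0
}

# Constructed sample tree; the payload lines are placeholders, not ciphertext.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/group_vars/all" "$d/host_vars/web1"
    printf '%s\n' '$ANSIBLE_VAULT;1.2;AES256;prod' '0000placeholder' \
        > "$d/group_vars/all/vault.yml"
    printf '%s\n' '$ANSIBLE_VAULT;1.1;AES256' '0000placeholder' \
        > "$d/group_vars/all/vault_legacy.yml"
    printf '%s\n' 'db_password: constructed-example' \
        > "$d/host_vars/web1/vault.yml"
    printf '%s\n' 'http_port: 8080' > "$d/host_vars/web1/vars.yml"
    echo "$d"
}

demo=$(make_demo_tree)
audit_vars "$demo" || echo "the files listed above need ansible-vault encrypt"
rm -rf "$demo"
```

Values produced by encrypt_string are embedded as !vault blocks inside otherwise plaintext YAML, so this file-header check does not cover them.
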
COMMON OPTIONS
       --version
           show program's version number, config file location, configured
           module search path, module location, executable location and exit

       -h, --help
           show this help message and exit

       -v, --verbose
           Causes Ansible to print more debug messages. Adding multiple -v
           will increase the verbosity; the builtin plugins currently
           evaluate up to -vvvvvv. A reasonable level to start is -vvv;
           connection debugging might require -vvvv. This argument may be
           specified multiple times.

ACTIONS
       create
           create and open a file in an editor that will be encrypted with
           the provided vault secret when closed

           --encrypt-vault-id 'ENCRYPT_VAULT_ID'
               the vault id used to encrypt (required if more than one
               vault-id is provided)

           --skip-tty-check
               allows editor to be opened when no tty attached

           --vault-id
               the vault identity to use. This argument may be specified
               multiple times.

           --vault-password-file, --vault-pass-file
               vault password file

           -J, --ask-vault-password, --ask-vault-pass
               ask for vault password

       decrypt
           decrypt the supplied file using the provided vault secret

           --output 'OUTPUT_FILE'
               output file name for encrypt or decrypt; use - for stdout

           --vault-id
               the vault identity to use. This argument may be specified
               multiple times.

           --vault-password-file, --vault-pass-file
               vault password file

           -J, --ask-vault-password, --ask-vault-pass
               ask for vault password

       edit
           open and decrypt an existing vaulted file in an editor, that
           will be encrypted again when closed

           --encrypt-vault-id 'ENCRYPT_VAULT_ID'
               the vault id used to encrypt (required if more than one
               vault-id is provided)

           --vault-id
               the vault identity to use. This argument may be specified
               multiple times.

           --vault-password-file, --vault-pass-file
               vault password file

           -J, --ask-vault-password, --ask-vault-pass
               ask for vault password

       view
           open, decrypt and view an existing vaulted file using a pager
           using the supplied vault secret

           --vault-id
               the vault identity to use. This argument may be specified
               multiple times.

           --vault-password-file, --vault-pass-file
               vault password file

           -J, --ask-vault-password, --ask-vault-pass
               ask for vault password

       encrypt
           encrypt the supplied file using the provided vault secret

           --encrypt-vault-id 'ENCRYPT_VAULT_ID'
               the vault id used to encrypt (required if more than one
               vault-id is provided)

           --output 'OUTPUT_FILE'
               output file name for encrypt or decrypt; use - for stdout

           --vault-id
               the vault identity to use. This argument may be specified
               multiple times.

           --vault-password-file, --vault-pass-file
               vault password file

           -J, --ask-vault-password, --ask-vault-pass
               ask for vault password

       encrypt_string
           encrypt the supplied string using the provided vault secret

           --encrypt-vault-id 'ENCRYPT_VAULT_ID'
               the vault id used to encrypt (required if more than one
               vault-id is provided)

           --output 'OUTPUT_FILE'
               output file name for encrypt or decrypt; use - for stdout

           --show-input
               Do not hide input when prompted for the string to encrypt

           --stdin-name 'ENCRYPT_STRING_STDIN_NAME'
               Specify the variable name for stdin

           --vault-id
               the vault identity to use. This argument may be specified
               multiple times.

           --vault-password-file, --vault-pass-file
               vault password file

           -J, --ask-vault-password, --ask-vault-pass
               ask for vault password

           -n, --name
               Specify the variable name. This argument may be specified
               multiple times.

           -p, --prompt
               Prompt for the string to encrypt

       rekey
           re-encrypt a vaulted file with a new secret, the previous secret
           is required

           --encrypt-vault-id 'ENCRYPT_VAULT_ID'
               the vault id used to encrypt (required if more than one
               vault-id is provided)

           --new-vault-id 'NEW_VAULT_ID'
               the new vault identity to use for rekey

           --new-vault-password-file 'NEW_VAULT_PASSWORD_FILE'
               new vault password file for rekey

           --vault-id
               the vault identity to use. This argument may be specified
               multiple times.

           --vault-password-file, --vault-pass-file
               vault password file

           -J, --ask-vault-password, --ask-vault-pass
               ask for vault password

ENVIRONMENT
       The following environment variables may be specified.

       ANSIBLE_CONFIG -- Specify override location for the ansible config file

       Many more are available for most options in ansible.cfg.

       For a full list, check https://docs.ansible.com/ or use the
       ansible-config command.

FILES
       /etc/ansible/ansible.cfg -- Config file, used if present

       ~/.ansible.cfg -- User config file, overrides the default config if
       present

       ./ansible.cfg -- Local config file (in current working directory)
       assumed to be 'project specific' and overrides the rest if present.

       As mentioned above, the ANSIBLE_CONFIG environment variable will
       override all others.

AUTHOR
       Ansible was originally written by Michael DeHaan.

LICENSE
       Copyright © 2018 Red Hat, Inc | Ansible. Ansible is released under the
       terms of the GPLv3 license.

SEE ALSO
       ansible(1), ansible-config(1), ansible-console(1), ansible-doc(1),
       ansible-galaxy(1), ansible-inventory(1), ansible-playbook(1),
       ansible-pull(1)

       Extensive documentation is available in the documentation site:
       <https://docs.ansible.com>. IRC and mailing list info can be found in
       file CONTRIBUTING.md, available in:
       <https://github.com/ansible/ansible>

Ansible 2.16.0                                                ANSIBLE-VAULT(1)