Getting Started with Ansible Vault: How to Secure Secrets in Your Playbooks
Published On: 17 June 2025
Objective
When working with Ansible to automate infrastructure, one thing becomes very clear: secrets matter. From passwords and API tokens to private keys and connection details, your automation often touches confidential data — and it needs to stay protected.
That’s where Ansible Vault comes in. In this hands-on guide, you’ll learn how to use Ansible Vault to secure sensitive data inside playbooks, variable files, and individual strings. Whether you're a student preparing for RHCE or a professional improving automation security, you'll see how to encrypt, decrypt, and safely manage secrets within your Ansible workflow, without needing external tools or a complex setup.
What Is Ansible Vault?
Ansible Vault is a built-in feature of Ansible that lets you encrypt and decrypt sensitive data used by your playbooks: passwords, API keys, private keys, and other confidential values.
Vault works directly with your YAML files. Content is encrypted with AES-256 (CTR mode, authenticated with an HMAC-SHA256 tag) under a key derived from your Vault password with PBKDF2, and the result is ordinary text that you can commit alongside the rest of your automation. You can encrypt:
- Entire playbooks
- Specific variable files
- Individual strings inside variable values (with ansible-vault encrypt_string)
The file stays encrypted at rest; Ansible decrypts it in memory when a playbook runs, and only someone with the Vault password can read or change it.
So instead of this (yikes!):
db_password: "SuperSecret123"
You get this (much better):
$ANSIBLE_VAULT;1.1;AES256
62393039613634336539363734653866383961336138353066383334366165356166363130643833
...
Why Should You Use Ansible Vault?
Whether you're working alone or as part of a team, using Vault helps you:
- Prevent exposure of secrets in shared or public environments, including version control
- Secure critical credentials used in your tasks and roles
- Comply with security policies and audit requirements
- Protect automation workflows in training and real-world deployments
You don't need to upload anything or use external tools. Vault runs locally and gives you full control over what’s visible — and what stays hidden.
Hands-On: How to Use Ansible Vault
You don’t need to be an expert to use Ansible Vault — just a few simple commands.
Step 1: Create a Vault File
- To start, use this command:
ansible-vault create secrets.yml
- You’ll be prompted to set a Vault password (and to confirm it), and the new file opens in your editor ($EDITOR, or vi if that is unset). Add your secure variables as ordinary YAML:
db_user: admin
db_password: S3cur3P@ssw0rd!
- When you save and exit, Ansible writes the file to disk already encrypted. It cannot be read without the Vault password.
Step 2: Encrypt an Existing File
- If you already have a file with secrets, encrypt it in place with:
ansible-vault encrypt vars.yml
- The file is now protected and readable only with the correct password. Check its first line: an encrypted file always begins with the $ANSIBLE_VAULT header shown above, which is also the quickest way to spot a secrets file that was accidentally left in plaintext.
Step 3: View or Edit Encrypted Files
- To safely edit an encrypted file (it is decrypted to a temporary file for your editor and re-encrypted when you save):
ansible-vault edit secrets.yml
- To view its contents without editing:
ansible-vault view secrets.yml
- And if you really need the plaintext back on disk:
ansible-vault decrypt secrets.yml
Use decrypt carefully, especially on shared systems or in labs: it overwrites the encrypted file with its plaintext. Prefer view or edit for day-to-day work, and if you do decrypt, re-encrypt or delete the plaintext as soon as you are done.
Step 4: Run Encrypted Playbooks
- Load the encrypted file like any other variable file; Ansible decrypts it in memory at run time:
- name: Configure database
  hosts: db
  vars_files:
    - secrets.yml
  tasks:
    - name: Print DB user
      debug:
        msg: "The DB user is {{ db_user }}"
- To run the playbook and enter the Vault password interactively:
ansible-playbook db-setup.yml --ask-vault-pass
- Or use a password file (acceptable on a trusted workstation or a locked-down CI runner):
ansible-playbook db-setup.yml --vault-password-file ~/.vault_pass.txt
Tip: Always make sure your password file is protected with strict permissions:
chmod 600 ~/.vault_pass.txt
Two caveats. Vault protects secrets at rest only: a task that prints a vaulted value (a debug task, or a module whose output echoes its arguments) puts it in the console output and any log file, so set no_log: true on tasks that handle secrets. And the file given to --vault-password-file may be an executable script whose output is the password, which lets you fetch it from a secrets manager instead of keeping a long-lived plaintext password on disk.
Step 5 : Modify and Manage Secrets (Optional)
- Need to change the Vault password? You can rekey an encrypted file:
ansible-vault rekey secrets.yml
- You are prompted for the current password and then for a new one; the file is decrypted and re-encrypted under the new password in one step. Do this periodically, and always when someone who knew the password should no longer have access (after a shared lab session, or when a team member leaves). Note what rekey does not do: the secret values inside the file are unchanged. Rotating a compromised database password means changing it on the database and updating the value with ansible-vault edit; rekey alone does not help there.
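The five steps above as one non-interactive script, added here as an example and not taken from the original article. It assumes ansible-vault and ansible-playbook are installed and runs in a throw-away directory you pass in; the password files, variable names and values are constructed for the demo. It also shows two things the steps only describe: encrypting a single value with encrypt_string, and proving after a rekey that the old password no longer opens the file.

```shell
#!/usr/bin/env bash
# Added example (not from the original article). Assumes ansible-vault and
# ansible-playbook are on PATH. The directory, password files, variable
# names and values are all constructed for the demo.
set -eu

# Usage: vault_demo WORKDIR   (e.g. vault_demo "$(mktemp -d)")
# The body is a subshell so the cd does not leak into the caller.
vault_demo() (
    local work=$1
    local old_pass="$work/.vault_pass" new_pass="$work/.vault_pass.new"
    cd "$work"

    # Password files are created with mode 0600 from the start (umask), so
    # there is never a window where they are readable by other users.
    (umask 077
     printf '%s\n' 'demo-old-password' > "$old_pass"
     printf '%s\n' 'demo-new-password' > "$new_pass")

    # Steps 1-2: write the variables as plaintext, then encrypt the file in
    # place. (ansible-vault create opens $EDITOR; encrypt does the same job
    # without a terminal.)
    printf '%s\n' 'db_user: admin' 'db_password: S3cur3P@ssw0rd!' > secrets.yml
    ansible-vault encrypt --vault-password-file "$old_pass" secrets.yml

    # Step 3: read it back; the copy on disk stays encrypted.
    ansible-vault view --vault-password-file "$old_pass" secrets.yml

    # Encrypt a single value instead of a whole file. Piping the secret in
    # keeps it out of shell history and out of argv, which other users can
    # see with ps.
    printf '%s' 'tok-abc123' |
        ansible-vault encrypt_string --vault-password-file "$old_pass" \
            --stdin-name api_token > api_token.yml

    # Step 4: a playbook that loads the encrypted file. no_log keeps the
    # vaulted values out of the task output and any log file.
    cat > db-setup.yml <<'EOF'
- name: Configure database
  hosts: localhost
  connection: local
  gather_facts: false
  vars_files:
    - secrets.yml
  tasks:
    - name: Use the DB credentials
      ansible.builtin.debug:
        msg: "Connecting as {{ db_user }} with password {{ db_password }}"
      no_log: true
EOF
    ansible-playbook --vault-password-file "$old_pass" db-setup.yml

    # Step 5: rekey, then prove the old password no longer decrypts the file
    # and the new one does.
    ansible-vault rekey --vault-password-file "$old_pass" \
        --new-vault-password-file "$new_pass" secrets.yml
    if ansible-vault view --vault-password-file "$old_pass" secrets.yml >/dev/null 2>&1; then
        echo "ERROR: old password still decrypts secrets.yml" >&2
        return 1
    fi
    ansible-vault view --vault-password-file "$new_pass" secrets.yml >/dev/null
    echo "workflow ok: $work"
)
```

After the run, secrets.yml on disk begins with the $ANSIBLE_VAULT;1.1;AES256 header and api_token.yml contains an api_token: !vault | entry you can paste into any variable file; both password files live only in the throw-away directory.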
Real-World Use Cases
Wondering where Vault fits in your stack? Here are a few everyday examples:
Use Case                  | Vault Helps You...
--------------------------|---------------------------------------------------------------
Database Configs          | Encrypt db_user and db_password
Cloud API Keys            | Secure AWS, Azure, GCP credentials
SSL/TLS Certificates      | Store private keys safely (the public certificate itself is not secret)
CI/CD Pipelines           | Hide deployment tokens or secrets
Role-Based Secrets Access | Control who can view/edit sensitive variables, e.g. separate Vault passwords for dev and prod
Practice Makes Perfect: RHCSAGuru’s RHCE Labs
Learning how to use Ansible Vault is best done through hands-on experience.
RHCSAGuru offers RHCE training labs that include Ansible Vault, simulating real-world use cases like:
- Creating encrypted files
- Running playbooks with secured variables
- Managing Vault passwords during playbook execution
- Modifying and rotating secrets securely
These labs are designed for real-world simulation — not just theory. You’ll build confidence in securing playbooks while working through tasks that match RHCE certification topics.
Vault Best Practices for Lab and Production
Here are some tips to keep in mind, whether you're training or working in production:
- Encrypt only what's necessary. Prefer encrypting single values with ansible-vault encrypt_string, or a small vault file that holds nothing but secrets, over encrypting whole playbooks: non-secret configuration stays readable in diffs and code review.
- Store Vault passwords securely: never commit a password file, keep it at mode 0600, and keep the password out of shell history and CI logs.
- Clean up plaintext files after decryption or temporary access, and check that every vault file still starts with the $ANSIBLE_VAULT header before you commit.
- Change the Vault password with rekey whenever access changes; rotate the secret values themselves by updating the real credential and editing the file.
- Limit access to encrypted files and their passwords based on task requirements. Separate Vault passwords per environment (vault IDs) keep a leaked dev password from unlocking production.
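The "check before you commit" step from the list above, as an added example that is not part of the original article: a small pre-commit style check for whole-file vaults (group_vars/*/vault.yml and similar). It inspects only each file's first line, so it needs neither ansible nor the Vault password, and it deliberately leaves alone files that carry inline !vault values, which are plaintext YAML by design. The directory layout, file names and contents are constructed for the demo (the hex bodies are filler, not real ciphertext), and the git hook command at the end is an assumption about how you would wire it in.

```shell
#!/usr/bin/env bash
# Added example (not from the original article). Pure shell: no ansible
# needed. Sample files below are constructed; their hex bodies are filler.

# Print the vault-id label of a 1.2-format file; print nothing for a 1.1
# file or a plaintext file.
vault_id_label() {
    local header
    header=$(head -n 1 "$1")
    case "$header" in
        '$ANSIBLE_VAULT;1.2;AES256;'*) printf '%s\n' "${header##*;}" ;;
    esac
}

# Usage: check_vault_encrypted FILE...
# Exit status 0 if every file is vault-encrypted, 1 if any is missing or
# plaintext. Only the first line is read, so the Vault password is not needed.
check_vault_encrypted() {
    local f header status=0
    for f in "$@"; do
        if [ ! -f "$f" ]; then
            echo "MISSING    $f" >&2
            status=1
            continue
        fi
        header=$(head -n 1 "$f")
        case "$header" in
            '$ANSIBLE_VAULT;1.1;AES256')
                echo "ENCRYPTED  $f" ;;
            '$ANSIBLE_VAULT;1.2;AES256;'*)
                echo "ENCRYPTED  $f (vault-id: ${header##*;})" ;;
            *)
                echo "PLAINTEXT  $f  <- refusing to commit" >&2
                status=1 ;;
        esac
    done
    return "$status"
}

# Constructed sample tree: two encrypted vault files (one per-password, one
# labelled with a vault-id) and one that was decrypted and never re-encrypted.
make_demo_tree() {
    local d
    d=$(mktemp -d)
    mkdir -p "$d/group_vars/db" "$d/group_vars/web" "$d/host_vars/db1"
    printf '%s\n' '$ANSIBLE_VAULT;1.1;AES256' \
        '6239303961363433653936373465386638396133613835306638333436616535616636313064' \
        > "$d/group_vars/db/vault.yml"
    printf '%s\n' '$ANSIBLE_VAULT;1.2;AES256;prod' \
        '3335383461636234643933316631313866623666623239633434646333333334623631653330' \
        > "$d/group_vars/web/vault.yml"
    printf '%s\n' 'db_user: admin' 'db_password: S3cur3P@ssw0rd!' \
        > "$d/host_vars/db1/vault.yml"
    printf '%s\n' "$d"
}

# As a git hook (.git/hooks/pre-commit), run it over the staged vault files
# (hypothetical wiring; adjust the pathspec to your repository's naming):
#   check_vault_encrypted $(git diff --cached --name-only --diff-filter=AM -- '*vault*.yml')
```

The hook aborts the commit only when a file that should be a whole-file vault has lost its header; it reports the vault-id label for 1.2-format files so a prod-labelled file staged under group_vars/dev stands out in the output.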
Conclusion
Ansible Vault gives you a simple but powerful way to protect sensitive data. Whether you're automating servers, preparing for RHCE, or working through training labs, securing your secrets is non-negotiable. It’s built into Ansible. It’s fast. And it’s easy to learn. Once you understand how to encrypt, manage, and run secure playbooks, you'll be one step closer to becoming a confident, security-minded automation engineer.