Keep passwords, keys, and tokens encrypted at rest with Ansible Vault — encrypt whole files or single values, edit them safely, and decrypt only at run time.
Why: playbooks and variable files live in git, so secrets cannot sit in them as plaintext. Ansible Vault encrypts sensitive content with a password; the encrypted file is safe to commit, and Ansible decrypts it in memory only while running. It is the built-in answer to "where do the secrets go?"
secrets.yml (plaintext) ──ansible-vault encrypt──▶ secrets.yml (AES-encrypted)
                                                    safe to commit to git
ansible-playbook --ask-vault-pass ──decrypts in memory at run time──▶ used

Why: you can encrypt an existing vars file or create one. encrypt converts a file in place; create makes a new encrypted one; edit opens it in your editor, decrypting and re-encrypting transparently; view prints it. All prompt for the vault password (or read it from a password file).
Encrypt an existing variables file
    ansible-vault encrypt group_vars/prod/secrets.yml

Create or edit an encrypted file (opens your editor)
    ansible-vault create secrets.yml
    ansible-vault edit secrets.yml

View without editing
    ansible-vault view secrets.yml

Why: encrypting a whole file hides which variables exist. encrypt_string encrypts just one value, which you paste straight into a normal (readable) vars file. You see the variable names in plaintext but the sensitive values stay encrypted — the best of both approaches.
Produce an encrypted value to paste into a vars file
    ansible-vault encrypt_string 's3cr3t-password' --name 'db_password'

Why: at run time Ansible needs the vault password to decrypt. --ask-vault-pass prompts for it; --vault-password-file reads it from a file (kept out of git) — the usual choice in CI. The encrypted variables are then available to tasks like any other.
Prompt for the vault password
    ansible-playbook site.yml -i inventory.ini --ask-vault-pass

Read it from a file (good for CI; never commit this file)
    ansible-playbook site.yml -i inventory.ini --vault-password-file ~/.vault_pass
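Two guard rails that go with the workflow above, as an added example (not from the original page): a pre-commit style check that a secrets file really carries the Ansible Vault header before it is committed, and a helper that writes the CI vault password file with owner-only permissions. The file names and the VAULT_PASS environment variable are assumptions for the example.

```shell
#!/bin/sh
# Added example, not part of the original page. Ansible Vault writes a first
# line of the form "$ANSIBLE_VAULT;1.1;AES256" (or ";1.2;AES256;<vault-id>"),
# so a file without that header is plaintext and must not reach git.

# Return 0 if FILE starts with the Ansible Vault header, 1 otherwise.
is_vault_encrypted() {
    head -n 1 "$1" 2>/dev/null | grep -q '^\$ANSIBLE_VAULT;1\.[0-9];AES256'
}

# Check every path given as an argument (in a real hook: the staged files
# from "git diff --cached --name-only"). Returns 1 if any file is plaintext.
check_vault_files() {
    bad=0
    for f in "$@"; do
        if ! is_vault_encrypted "$f"; then
            echo "REFUSING: $f is not vault-encrypted (run: ansible-vault encrypt $f)" >&2
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# Write the vault password from the VAULT_PASS environment variable (assumed
# to be injected by CI) to PATH, mode 0600, for --vault-password-file.
write_vault_password_file() {
    [ -n "$VAULT_PASS" ] || { echo "VAULT_PASS is not set" >&2; return 1; }
    old_umask=$(umask)
    umask 077                       # file is created owner-read/write only
    printf '%s\n' "$VAULT_PASS" > "$1"
    umask "$old_umask"
    chmod 600 "$1"                  # also tighten an already-existing file
}
```

In a CI job, call write_vault_password_file first and pass the same path to ansible-playbook --vault-password-file; the check function belongs in a pre-commit hook so a plaintext secrets.yml never lands in history.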