Encrypted Variables in Ansible

Ansible lets you keep sensitive information such as passwords and API keys in your repository in encrypted form, using Ansible Vault. A vault-encrypted variable is stored as ciphertext and can only be read by someone who holds the vault password. In this tutorial, we look at how to create, edit and use encrypted variables, and at the mistakes that most often undo their protection.

Introduction to Encrypted Variables

Ansible Vault encrypts sensitive data with a key derived from a vault password. A vault can be a whole file (for example a group_vars file) or a single inline value inside an otherwise plain YAML file. When a playbook runs, Ansible decrypts the values in memory using the password you supply with --ask-vault-pass, --vault-password-file or --vault-id; it does not prompt unless you ask it to. Because only ciphertext is written to disk, the encrypted file can be shared or committed to version control without exposing its contents, as long as the password itself stays out of the repository.

Let's take a look at an example command for encrypting a single variable value:

ansible-vault encrypt_string 'password123' --name 'my_password'

In this example, ansible-vault asks for the vault password, encrypts the string 'password123' and prints a !vault-tagged YAML block for a variable named my_password, ready to paste into a vars file. Note that a secret passed as a command-line argument is recorded in your shell history and is visible to other users in the process list while the command runs; prefer --stdin-name 'my_password' and type the value at the prompt instead.

Using Encrypted Variables in Ansible

Here are the steps to use encrypted variables in Ansible:

1. Create a Vault File

Create a file to hold your encrypted variables. Either run ansible-vault create on a new path, which asks for a vault password, opens your editor and writes the file already encrypted, or write an ordinary plaintext YAML file and convert it later with ansible-vault encrypt (step 3). A common layout is a group_vars or host_vars file dedicated to secrets, kept separate from the non-sensitive variables.

2. Edit the Vault File

Add the variables you want to protect, one per line in the format variable_name: variable_value, and save the file. If the file is already encrypted, open it with ansible-vault edit rather than a plain editor: it decrypts to a temporary file, launches your editor and re-encrypts on save. ansible-vault view shows the contents without editing them.

3. Encrypt the Vault File

This step is only needed if you started from a plaintext file in step 1. Run ansible-vault encrypt on it; you are prompted for the vault password (twice, to confirm) and the file is overwritten with ciphertext. Check that the file now starts with the $ANSIBLE_VAULT header before you commit it. An encrypted file never needs encrypting again, and ansible-vault refuses to encrypt a file that is already a vault.

4. Use the Encrypted Variables

In your playbooks or roles, reference the variables exactly as you would unencrypted ones, for example {{ my_password }}; nothing in the playbook marks them as encrypted. A value that was encrypted individually with encrypt_string appears in the vars file as a !vault-tagged block, like this (the ciphertext lines here are a shortened placeholder; real output is much longer):

my_password: !vault | 
    $ANSIBLE_VAULT;1.1;AES256
    1234567890abcdef1234567890abcdef
    1234567890abcdef1234567890abcdef

Ansible decrypts the value in memory at run time, provided the vault password is supplied with --ask-vault-pass, --vault-password-file or --vault-id. After decryption it is an ordinary variable: it will show up in task output, debug messages, diffs and logs unless the tasks that handle it set no_log: true.

Common Mistakes with Encrypted Variables

  • Losing the vault password. There is no recovery path; the encrypted variables become unreadable.
  • Committing the vault password, a password file, or a not-yet-encrypted vault file to a version control system. Once pushed, treat the secrets as compromised and rotate them; rewriting history does not undo the leak.
  • Not controlling who holds the vault password. Anyone with it can decrypt the variables and also re-encrypt modified values, so the password should be distributed and rotated like any other production credential.
  • Using a weak or guessable vault password. The encryption key is derived from the password, so an attacker who obtains the file can brute-force a weak password offline.
  • Letting decrypted values leak at run time through task output or verbose (-v) runs because no_log is not set on the tasks that use them.
  • Passing a secret to encrypt_string as a command-line argument, which records it in shell history.
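The two checks a practitioner usually wants before a commit are that a file which is supposed to be a vault really is one, and that no secret-looking key in a plain vars file is sitting there unencrypted. The following Python script is an added example written for this tutorial, not Ansible's own code: it validates the vault envelope structurally (the $ANSIBLE_VAULT header, the hex body, and the salt/HMAC/ciphertext fields ansible-vault writes) without decrypting anything, and scans a group_vars-style file for plaintext secrets. The key-name heuristic, the sample file contents and the dummy bytes in the constructed envelope are assumptions made for the example; pack_envelope only packages bytes into the file layout and performs no encryption.

```python
"""Pre-commit style checks for Ansible Vault material (Python stdlib only).

Added example, not Ansible's own code. It parses the vault envelope
($ANSIBLE_VAULT;1.1;AES256 header, hex body wrapping "salt\\nhmac\\nciphertext")
without decrypting, and flags secret-looking keys in a vars file that are not
!vault-tagged. The SECRET_KEY heuristic and the sample inputs are assumptions.
"""
import binascii
import re
import textwrap

# Header forms: "$ANSIBLE_VAULT;1.1;AES256" or "$ANSIBLE_VAULT;1.2;AES256;<vault-id label>"
VAULT_HEADER = re.compile(
    r"^\$ANSIBLE_VAULT;(?P<version>1\.[12]);(?P<cipher>[A-Z0-9]+)(?:;(?P<label>[^;\s]+))?$"
)
# Heuristic (assumption): variable names that usually hold secrets.
SECRET_KEY = re.compile(r"pass(word|wd)?|secret|token|api_?key|private_?key", re.IGNORECASE)


def parse_vault_envelope(text):
    """Validate a vault envelope structurally and return its parts (no decryption).

    Checks the header, that the body is hex, that the decoded body is three
    newline-separated hex fields, and the sizes ansible-vault produces: a
    32-byte salt, 64 hex chars of HMAC-SHA256, and PKCS7-padded AES-256-CTR
    ciphertext (a non-zero multiple of 16 bytes). Raises ValueError otherwise.
    """
    lines = text.strip().splitlines()
    if not lines:
        raise ValueError("empty input")
    m = VAULT_HEADER.match(lines[0].strip())
    if m is None:
        raise ValueError("missing or malformed $ANSIBLE_VAULT header")
    if m.group("cipher") != "AES256":
        raise ValueError("unsupported cipher %s" % m.group("cipher"))
    if m.group("version") == "1.2" and m.group("label") is None:
        raise ValueError("1.2 header requires a vault-id label")
    try:
        payload = binascii.unhexlify("".join(l.strip() for l in lines[1:]))
        fields = payload.split(b"\n")
        if len(fields) != 3:
            raise ValueError("expected salt, hmac, ciphertext")
        salt = binascii.unhexlify(fields[0])
        mac_hex = fields[1].decode("ascii")
        ciphertext = binascii.unhexlify(fields[2])
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("body is not valid hex: %s" % exc)
    if len(salt) != 32:
        raise ValueError("salt must be 32 bytes")
    if not re.fullmatch(r"[0-9a-fA-F]{64}", mac_hex):
        raise ValueError("hmac must be 64 hex characters")
    if not ciphertext or len(ciphertext) % 16:
        raise ValueError("ciphertext length must be a non-zero multiple of 16")
    return {"version": m.group("version"), "cipher": m.group("cipher"),
            "vault_id": m.group("label"), "salt": salt, "hmac": mac_hex,
            "ciphertext": ciphertext}


def is_vault_encrypted(text):
    """True only for a structurally valid vault envelope."""
    try:
        parse_vault_envelope(text)
        return True
    except ValueError:
        return False


def find_plaintext_secrets(vars_text):
    """Return top-level keys that look like secrets but whose value is not a !vault block.

    Deliberately simple: it handles 'key: value' lines at column 0, which is how
    group_vars/host_vars files are normally written; it is not a YAML parser.
    """
    hits = []
    for line in vars_text.splitlines():
        m = re.match(r"^([A-Za-z_]\w*)\s*:\s*(.*)$", line)
        if m is None:
            continue
        key, value = m.group(1), m.group(2).strip()
        if SECRET_KEY.search(key) and not value.startswith("!vault"):
            hits.append(key)
    return hits


def audit_vars_file(text):
    """Problems for one vars file: [] if it is a valid vault or holds no plaintext secrets."""
    if text.lstrip().startswith("$ANSIBLE_VAULT"):
        try:
            parse_vault_envelope(text)
            return []
        except ValueError as exc:
            return ["malformed vault envelope: %s" % exc]
    return ["plaintext secret: %s" % k for k in find_plaintext_secrets(text)]


def pack_envelope(salt, mac_hex, ciphertext, label=None):
    """Package parts into the file layout ansible-vault writes (header + 80-column hex body).

    NOT encryption: used only to construct a sample envelope offline. Real files
    come from ansible-vault, which derives keys with PBKDF2 and applies
    AES-256-CTR plus HMAC-SHA256 before packaging.
    """
    inner = b"\n".join([binascii.hexlify(salt), mac_hex.encode("ascii"), binascii.hexlify(ciphertext)])
    header = "$ANSIBLE_VAULT;1.2;AES256;%s" % label if label else "$ANSIBLE_VAULT;1.1;AES256"
    return header + "\n" + "\n".join(textwrap.wrap(binascii.hexlify(inner).decode("ascii"), 80)) + "\n"


# Constructed sample inputs (dummy bytes and values, not from a real project).
SAMPLE_VAULT = pack_envelope(bytes(range(32)), "ab" * 32, b"\x00" * 32)
SAMPLE_VARS = """\
# constructed group_vars/all/vars.yml
db_host: db.internal
db_password: hunter2
api_token: !vault |
  $ANSIBLE_VAULT;1.1;AES256
  1234567890abcdef
"""

if __name__ == "__main__":
    print("vault file:", audit_vars_file(SAMPLE_VAULT))
    print("vars file:", audit_vars_file(SAMPLE_VARS))
```

Run over every file under group_vars and host_vars before committing; a file that begins with $ANSIBLE_VAULT but fails the structural checks is usually the result of a partial paste or a merge conflict, and a plain file that trips the key heuristic is the "committed the unencrypted vault file" mistake caught in time. The check says nothing about whether the password is strong or who holds it; it only confirms what is on disk is ciphertext in the expected shape.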

FAQs about Encrypted Variables

  1. Q: Can I use encrypted variables with dynamic inventories?

    A: Yes. Vault applies to variable files and inline values, not to how the inventory is produced, so vault-encrypted group_vars and host_vars apply to hosts from a dynamic inventory just as they do to a static one. Supply the vault password when you run the playbook.

  2. Q: How can I change the vault password?

    A: Run ansible-vault rekey on the file. It prompts for the current password and then for the new one and rewrites the file; with --new-vault-password-file or --new-vault-id it can run non-interactively. Rekey every file that was encrypted with the old password, since rekeying one file does not change the others, and rotate the secrets themselves if the old password may have leaked.

  3. Q: Can I use encrypted variables in group_vars or host_vars?

    A: Yes, and this is the most common place for them. Each file must be decryptable with one of the passwords supplied at run time; with vault IDs (--vault-id label@prompt or label@/path/to/password-file) you can use different passwords for different files or environments. A useful convention is to keep the encrypted values in a separate vault.yml with variables named vault_*, and reference them from a plaintext vars.yml (db_password: "{{ vault_db_password }}"), so that grep and code review still show which variables exist without exposing their values.

Summary

Encrypted variables let you keep sensitive information in your Ansible repository without storing it in the clear. By following the steps in this tutorial, you can encrypt a vars file or individual values with Ansible Vault and ensure that only holders of the vault password can read them. The protection is only as good as the handling of that password and of the decrypted values at run time, so keep the password out of version control, choose it well, and use no_log on the tasks that consume the secrets.