First, the background
Ansible is a popular automated deployment tool. The Ansible control node stores the current configuration of every service in the environment, which naturally includes sensitive information such as plaintext passwords and IP addresses.
From a security point of view, these files should not contain sensitive data in clear text. This is where Ansible's encryption feature comes in.
The "ansible-vault" command-line tool encrypts a target file or string. When a playbook is executed, the decryption parameter is passed so that the corresponding target files are decrypted; this is how the Ansible Vault feature is used.
Ansible can encrypt any data file related to a deployment, such as:
Host/group variables and all variable files
Tasks, handlers and all playbook files
Files imported on the command line (e.g. -e @file.yaml, -e @file.json)
Files used as the src parameter of the copy and template modules, even binary files
A string parameter in a playbook can also be encrypted (Ansible >= 2.3)
Second, view the command help and the man page
# yum -y install epel-release
# yum -y install ansible
# ansible-vault --help
# man ansible-vault > ansible-vault.md
Third, general usage
Prepare a file containing the plaintext password
# echo "123456" > /path/to/passwd.txt
Read the password file and encrypt the hosts or yml file
# ansible-vault encrypt --vault-password-file /path/to/passwd.txt /path/to/hosts
# ansible-vault encrypt --vault-password-file /path/to/passwd.txt /path/to/install_X.yml
Read the plaintext password file and decrypt the files
# ansible-vault decrypt --vault-password-file /path/to/passwd.txt /path/to/hosts
# ansible-vault decrypt --vault-password-file /path/to/passwd.txt /path/to/install_X.yml
If you do not want to decrypt the files before execution, the installation command can read the password file and decrypt the installation files itself when it runs
# ansible-playbook --vault-password-file /path/to/passwd.txt -i /path/to/hosts install_X.yml
Note: a playbook run with one plaintext password file can only correctly process files that were encrypted with that same plaintext password
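A pre-flight check for the workflow above, as an added example that is not part of the original post: it confirms that files meant to be encrypted carry the Ansible Vault header and that the plaintext password file is not readable by group or others. The function names and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Pre-flight checks for the ansible-vault workflow (added example).
# Needs only POSIX tools, not Ansible itself.

# Succeeds if FILE starts with an Ansible Vault header such as
# "$ANSIBLE_VAULT;1.1;AES256" (format 1.2 appends ";<vault-id label>").
is_vault_encrypted() {
    [ -f "$1" ] || return 1
    head -n 1 "$1" | grep -Eq '^\$ANSIBLE_VAULT;1\.[12];AES256(;[^;]+)?$'
}

# Prints every FILE that is still plaintext; fails if any was found.
list_plaintext() {
    rc=0
    for f in "$@"; do
        is_vault_encrypted "$f" || { printf '%s\n' "$f"; rc=1; }
    done
    return "$rc"
}

# Succeeds only if group and others have no access to the password file
# (characters 5-10 of the "ls -l" mode string are all "-", e.g. mode 600).
password_file_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Demo on constructed sample files (hypothetical names and contents).
demo=$(mktemp -d)
printf '%s\n' '$ANSIBLE_VAULT;1.1;AES256' '36316566303132' > "$demo/hosts"  # constructed ciphertext stub
printf 'db_password: 123456\n' > "$demo/install_X.yml"                      # left in clear text
printf '123456\n' > "$demo/passwd.txt"
chmod 644 "$demo/passwd.txt"                                                # what a default umask often yields

echo "Plaintext files:"
list_plaintext "$demo/hosts" "$demo/install_X.yml" || echo "-> encrypt these before committing"
if password_file_is_private "$demo/passwd.txt"; then
    echo "password file permissions OK"
else
    echo "password file is readable by group/others; run: chmod 600 $demo/passwd.txt"
fi
rm -rf "$demo"
```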