mirror of
https://github.com/ansible-collections/community.general.git
synced 2024-09-14 20:13:21 +02:00
3090a45891
The --new-vault-password-file option works the same as --vault-password-file but applies only to rekeying (when --vault-password-file sets the old password). Also update the manpage to document these options more fully.
134 lines
3.9 KiB
Text
134 lines
3.9 KiB
Text
ansible-vault(1)
|
||
================
|
||
:doctype: manpage
|
||
:man source: Ansible
|
||
:man version: %VERSION%
|
||
:man manual: System administration commands
|
||
|
||
NAME
|
||
----
|
||
ansible-vault - manage encrypted YAML data.
|
||
|
||
|
||
SYNOPSIS
|
||
--------
|
||
ansible-vault [create|decrypt|edit|encrypt|rekey] [--help] [options] file_name
|
||
|
||
|
||
DESCRIPTION
|
||
-----------
|
||
|
||
*ansible-vault* can encrypt any structured data file used by Ansible. This can include
|
||
*group_vars/* or *host_vars/* inventory variables, variables loaded by *include_vars* or
|
||
*vars_files*, or variable files passed on the ansible-playbook command line with
|
||
*-e @file.yml* or *-e @file.json*. Role variables and defaults are also included!
|
||
|
||
Because Ansible tasks, handlers, and so on are also data, these can also be encrypted with
|
||
vault. If you’d like to not betray what variables you are even using, you can go as far to
|
||
keep an individual task file entirely encrypted.
|
||
|
||
|
||
COMMON OPTIONS
|
||
--------------
|
||
|
||
The following options are available to all sub-commands:
|
||
|
||
*--vault-password-file=*'FILE'::
|
||
|
||
A file containing the vault password to be used during the encryption/decryption
|
||
steps. Be sure to keep this file secured if it is used. If the file is executable,
|
||
it will be run and its standard output will be used as the password.
|
||
|
||
*--new-vault-password-file=*'FILE'::
|
||
|
||
A file containing the new vault password to be used when rekeying a
|
||
file. Be sure to keep this file secured if it is used. If the file
|
||
is executable, it will be run and its standard output will be used as
|
||
the password.
|
||
|
||
*-h*, *--help*::
|
||
|
||
Show a help message related to the given sub-command.
|
||
|
||
*--debug*::
|
||
|
||
Enable debugging output for troubleshooting.
|
||
|
||
CREATE
|
||
------
|
||
|
||
*$ ansible-vault create [options] FILE*
|
||
|
||
The *create* sub-command is used to initialize a new encrypted file.
|
||
|
||
First you will be prompted for a password. The password used with vault currently
|
||
must be the same for all files you wish to use together at the same time.
|
||
|
||
After providing a password, the tool will launch whatever editor you have defined
|
||
with $EDITOR, and defaults to vim. Once you are done with the editor session, the
|
||
file will be saved as encrypted data.
|
||
|
||
The default cipher is AES (which is shared-secret based).
|
||
|
||
EDIT
|
||
----
|
||
|
||
*$ ansible-vault edit [options] FILE*
|
||
|
||
The *edit* sub-command is used to modify a file which was previously encrypted
|
||
using ansible-vault.
|
||
|
||
This command will decrypt the file to a temporary file and allow you to edit the
|
||
file, saving it back when done and removing the temporary file.
|
||
|
||
REKEY
|
||
-----
|
||
|
||
*$ ansible-vault rekey [options] FILE_1 [FILE_2, ..., FILE_N]
|
||
|
||
The *rekey* command is used to change the password on a vault-encrypted files.
|
||
This command can update multiple files at once, and will prompt for both the
|
||
old and new passwords before modifying any data.
|
||
|
||
ENCRYPT
|
||
-------
|
||
|
||
*$ ansible-vault encrypt [options] FILE_1 [FILE_2, ..., FILE_N]
|
||
|
||
The *encrypt* sub-command is used to encrypt pre-existing data files. As with the
|
||
*rekey* command, you can specify multiple files in one command.
|
||
|
||
DECRYPT
|
||
-------
|
||
|
||
*$ ansible-vault decrypt [options] FILE_1 [FILE_2, ..., FILE_N]
|
||
|
||
The *decrypt* sub-command is used to remove all encryption from data files. The files
|
||
will be stored as plain-text YAML once again, so be sure that you do not run this
|
||
command on data files with active passwords or other sensitive data. In most cases,
|
||
users will want to use the *edit* sub-command to modify the files securely.
|
||
|
||
|
||
AUTHOR
|
||
------
|
||
|
||
Ansible was originally written by Michael DeHaan. See the AUTHORS file
|
||
for a complete list of contributors.
|
||
|
||
|
||
COPYRIGHT
|
||
---------
|
||
|
||
Copyright © 2014, Michael DeHaan
|
||
|
||
Ansible is released under the terms of the GPLv3 License.
|
||
|
||
|
||
SEE ALSO
|
||
--------
|
||
|
||
*ansible*(1), *ansible-pull*(1), *ansible-doc*(1)
|
||
|
||
Extensive documentation is available in the documentation site:
|
||
<http://docs.ansible.com>. IRC and mailing list info can be found
|
||
in file CONTRIBUTING.md, available in: <https://github.com/ansible/ansible>
|