Ansible - 加密解密


ansible-vault

用途

  • encryption/decryption utility for Ansible data files
  • 主要應用於包含敏感信息的場景,可以加密和解密敏感信息
  • See 'ansible-vault --help' for more information on a specific command.
# ansible-vault -h
usage: ansible-vault [-h] [--version] [-v]
                     {create,decrypt,edit,view,encrypt,encrypt_string,rekey}
                     ...

encryption/decryption utility for Ansible data files

positional arguments:
  {create,decrypt,edit,view,encrypt,encrypt_string,rekey}
    create              Create new vault encrypted file
    decrypt             Decrypt vault encrypted file
    edit                Edit vault encrypted file
    view                View vault encrypted file
    encrypt             Encrypt YAML file
    encrypt_string      Encrypt a string
    rekey               Re-key a vault encrypted file

optional arguments:
  --version             show program's version number, config file location, configured module search path, module location, executable location and exit
  -h, --help            show this help message and exit
  -v, --verbose         verbose mode (-vvv for more, -vvvv to enable connection debugging)

See 'ansible-vault <command> --help' for more information on a specific command.

常用命令

# Encrypt a file (with no password source given, ansible-vault prompts for the vault password)
ansible-vault encrypt test-vault.yml
ansible-vault encrypt test-vault.yml --vault-password-file pwdfile
# NOTE(review): pwdfile holds the vault password in clear text — keep it readable only by the
# user running ansible and out of version control.

# Decrypt a file (the file on disk is rewritten in clear text)
ansible-vault decrypt test-vault.yml 
ansible-vault decrypt test-vault.yml --vault-password-file pwdfile

# View a file (decrypted content goes to the terminal; the file on disk stays encrypted)
ansible-vault view test-vault.yml
ansible-vault view test-vault.yml --vault-password-file pwdfile

# Re-key a file (change the vault password it is encrypted with)
ansible-vault rekey test-vault.yml
ansible-vault rekey test-vault.yml --vault-password-file pwdfile --new-vault-password-file pwdfilenew

# Create a new encrypted file
ansible-vault create test-vault.yml
ansible-vault create test-vault.yml --vault-password-file pwdfile

# Edit an encrypted file
ansible-vault edit test-vault.yml
ansible-vault edit test-vault.yml --vault-password-file pwdfile

# Encrypt a string (--name emits it as a ready-to-paste YAML key; label@file tags the output with the label)
ansible-vault encrypt_string 'test123456'
ansible-vault encrypt_string 'test123456' --name 'ansible_ssh_pass'
ansible-vault encrypt_string 'test123456' --name 'ansible_ssh_pass' --vault-id anliven@pwdfile
# NOTE(review): the plaintext secret is passed as a command-line argument here, so it ends up in
# shell history and is visible in process listings; reading it from stdin avoids that, e.g.
#   ansible-vault encrypt_string --stdin-name 'ansible_ssh_pass'

"--vault-id"選項

# Since Ansible 2.4 the "--vault-id" option is the recommended replacement for
# "--vault-password-file" when pointing at a password file
# "--vault-id @prompt" is functionally equivalent to the "--ask-vault-pass" option
# Several password sources can be given at once, for playbooks that reference other vault-encrypted files
# An optional label (label@file) is recorded in the encrypted file as a marker for which id encrypted it

ansible-vault encrypt_string 'test123456' --name 'ansible_ssh_pass' --vault-id pwdfile  # encrypt a string (secret on argv: see note on --stdin-name above)

ansible-vault encrypt test-vault.yml --vault-id pwdfile  # encrypt a file
ansible-vault encrypt test-vault.yml --vault-id anliven@pwdfile  # the encrypted file header then carries the label "anliven"

ansible-vault decrypt test-vault.yml --vault-id pwdfile  # decrypt a file
ansible-vault view test-vault.yml --vault-id pwdfile  # view a file
ansible-vault edit test-vault.yml --vault-id pwdfile  # edit a file

ansible-vault rekey test-vault.yml --vault-id pwdfile  # re-key; the new password is asked for interactively
ansible-vault rekey test-vault.yml --vault-id pwdfile  --new-vault-id pwdfilenew  # re-key with the new password taken from a file

ansible-playbook test-vault.yml --vault-id pwdfile  # run a playbook
ansible-playbook test-vault.yml --vault-id pwdfile1 --vault-id pwdfile2   # several password files: test-vault.yml references other vault-encrypted files
ansible-playbook test-vault1.yml test-vault2.yml --vault-id pwdfile1 --vault-id pwdfile2  # several password files to decrypt several playbooks

示例

示例-1 交互式密碼

[root@test01 ansible-test]# cat test-vault.yml 
- hosts: ta
  gather_facts: no
  tasks:
  - debug:
      msg: "test ansible-vault"
[root@test01 ansible-test]# 
[root@test01 ansible-test]# ansible-playbook test-vault.yml

PLAY [ta] *********************************************************************************************************************************************************************************************

TASK [debug] ******************************************************************************************************************************************************************************************
ok: [172.20.8.247] => {
    "msg": "test ansible-vault"
}

PLAY RECAP ********************************************************************************************************************************************************************************************
172.20.8.247               : ok=1    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   

[root@test01 ansible-test]# 
[root@test01 ansible-test]# ansible-vault encrypt test-vault.yml 
New Vault password: 
Confirm New Vault password: 
Encryption successful
[root@test01 ansible-test]# 
[root@test01 ansible-test]# cat test-vault.yml 
$ANSIBLE_VAULT;1.1;AES256
32656239643632646139633938613430326139636636333235346361643161393131396661366534
6636386331316239616632316137316266316266646432360a366366643232313033343835346638
38616331636639643731633766333335613763623636333363336238353931616263313637313834
3135656632343034340a316238656238336432386638373236653738306530383232626231333438
38666338346130333561316535353637616230633634346162303730393166396230616533396435
38346536306433653566373438303565373036663138366330313836356666656639393438396134
35333465623365636531653562363366323065316238333333353863376236373362373832633636
62613732666263306531653231353931326635303533623934633235396239613838613230323862
3134
[root@test01 ansible-test]# 
[root@test01 ansible-test]# ansible-vault view test-vault.yml 
Vault password: 
- hosts: ta
  gather_facts: no
  tasks:
  - debug:
      msg: "test ansible-vault"
[root@test01 ansible-test]# 
[root@test01 ansible-test]# ansible-playbook --ask-vault-pass test-vault.yml 
Vault password: 

PLAY [ta] *********************************************************************************************************************************************************************************************

TASK [debug] ******************************************************************************************************************************************************************************************
ok: [172.20.8.247] => {
    "msg": "test ansible-vault"
}

PLAY RECAP ********************************************************************************************************************************************************************************************
172.20.8.247               : ok=1    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   

[root@test01 ansible-test]# 
[root@test01 ansible-test]# ansible-vault decrypt test-vault.yml 
Vault password: 
Decryption successful
[root@test01 ansible-test]# 
[root@test01 ansible-test]# cat test-vault.yml 
- hosts: ta
  gather_facts: no
  tasks:
  - debug:
      msg: "test ansible-vault"
[root@test01 ansible-test]# 

示例-2 密碼文件

[root@test01 ansible-test]# echo "This-is_a#Test!2o22" > pwdfile
echo "This-is_a#Testhistoryo22" > pwdfile
[root@test01 ansible-test]# 
[root@test01 ansible-test]# cat pwdfile 
This-is_a#Testhistoryo22
[root@test01 ansible-test]# 
[root@test01 ansible-test]# ansible-vault encrypt test-vault.yml --vault-password-file pwdfile
Encryption successful
[root@test01 ansible-test]# 
[root@test01 ansible-test]# cat test-vault.yml 
$ANSIBLE_VAULT;1.1;AES256
63343030376661643237653266366133313735363630353564363631376563613236383863346264
6163303562643831636237633038373265616334343234630a613466663138396334303463623665
30353632396236306435633062383864646466616261393064313633373635353633656161393266
3234326635323438610a376631323634316663313130356466306238306638613261663138333663
30363461616433643530656562313139303831346365346531303530666236373038306435636338
39666432326465313834613164356436653366656138613634303339346130353033313330303733
30643934383363333261646366396330343164393236633138383137316166643966393838396464
64323863306539333534663938393962326231373137613630623635313534356163363261626262
3765
[root@test01 ansible-test]# 
[root@test01 ansible-test]# ansible-vault view  test-vault.yml --vault-password-file pwdfile
- hosts: ta
  gather_facts: no
  tasks:
  - debug:
      msg: "test ansible-vault"
[root@test01 ansible-test]# 
[root@test01 ansible-test]# ansible-playbook test-vault.yml --vault-password-file pwdfile

PLAY [ta] *********************************************************************************************************************************************************************************************

TASK [debug] ******************************************************************************************************************************************************************************************
ok: [172.20.8.247] => {
    "msg": "test ansible-vault"
}

PLAY RECAP ********************************************************************************************************************************************************************************************
172.20.8.247               : ok=1    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   

[root@test01 ansible-test]# 
[root@test01 ansible-test]# ansible-vault decrypt test-vault.yml --vault-password-file pwdfile
Decryption successful
[root@test01 ansible-test]# 
[root@test01 ansible-test]# cat test-vault.yml 
- hosts: ta
  gather_facts: no
  tasks:
  - debug:
      msg: "test ansible-vault"
[root@test01 ansible-test]# 

示例-3 加密字符串

[root@test01 ansible-test]# ansible-vault encrypt_string "test123456"
New Vault password: 
Confirm New Vault password: 
!vault |
          $ANSIBLE_VAULT;1.1;AES256
          33383336353737346430653165326665393430346539376334396335336530613330643764313962
          3438366538366262316666353962663564666532393333300a333934633664393262653065343864
          63653361666133363862353061323238376335666165313130393664623761393033343136343265
          6166663630353038380a666164643565343336373062323135643038363436343938383363303632
          6230
Encryption successful
[root@test01 ansible-test]# 
[root@test01 ansible-test]# vim test-encrypt_string.yaml 
[root@test01 ansible-test]# 
[root@test01 ansible-test]# cat test-encrypt_string.yaml 
- hosts: ta
  gather_facts: no
  vars:
    test_user: "testuser"
    test_passwd: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          33383336353737346430653165326665393430346539376334396335336530613330643764313962
          3438366538366262316666353962663564666532393333300a333934633664393262653065343864
          63653361666133363862353061323238376335666165313130393664623761393033343136343265
          6166663630353038380a666164643565343336373062323135643038363436343938383363303632
          6230
  tasks:
  - debug:
      msg: "{{test_user}}"
  - debug:
      msg: "{{test_passwd}}"
[root@test01 ansible-test]# 
[root@test01 ansible-test]# ansible-playbook test-encrypt_string.yaml --ask-vault-pass
Vault password: 

PLAY [ta] *********************************************************************************************************************************************************************************************

TASK [debug] ******************************************************************************************************************************************************************************************
ok: [172.20.8.247] => {
    "msg": "testuser"
}

TASK [debug] ******************************************************************************************************************************************************************************************
ok: [172.20.8.247] => {
    "msg": "test123456"
}

PLAY RECAP ********************************************************************************************************************************************************************************************
172.20.8.247               : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   

[root@test01 ansible-test]# 

示例-4 通過密碼文件加密字符串

[root@test01 ansible-test]# ansible-vault encrypt_string "test123456" --name "test_passwd" --vault-id anliven@pwdfile
test_passwd: !vault |
          $ANSIBLE_VAULT;1.2;AES256;anliven
          61646130623833333634646632393432326431383864663134356530323536663165303061313661
          3365343837623564343037663236316635666565613730350a393731646238376638363365363561
          35383465336137313134306363363139386537633839393363653465333161303634313832383136
          3038326464613935350a383565343261363833333631663862336464303538323561363237326637
          3431
Encryption successful
[root@test01 ansible-test]# 
[root@test01 ansible-test]# vim test-encrypt_string.yaml
[root@test01 ansible-test]# cat test-encrypt_string.yaml
- hosts: ta
  gather_facts: no
  vars:
    test_user: "testuser"
    test_passwd: !vault |
          $ANSIBLE_VAULT;1.2;AES256;anliven
          61646130623833333634646632393432326431383864663134356530323536663165303061313661
          3365343837623564343037663236316635666565613730350a393731646238376638363365363561
          35383465336137313134306363363139386537633839393363653465333161303634313832383136
          3038326464613935350a383565343261363833333631663862336464303538323561363237326637
          3431
  tasks:
  - debug:
      msg: "{{test_user}}"
  - debug:
      msg: "{{test_passwd}}"
[root@test01 ansible-test]# 
[root@test01 ansible-test]# ansible-playbook test-encrypt_string.yaml --vault-id pwdfile

PLAY [ta] *********************************************************************************************************************************************************************************************

TASK [debug] ******************************************************************************************************************************************************************************************
ok: [172.20.8.247] => {
    "msg": "testuser"
}

TASK [debug] ******************************************************************************************************************************************************************************************
ok: [172.20.8.247] => {
    "msg": "test123456"
}

PLAY RECAP ********************************************************************************************************************************************************************************************
172.20.8.247               : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   

[root@test01 ansible-test]# 
