ansible - encryption

Encrypting and decrypting with Ansible Vault

[devops@master test]$ ansible-vault --help
usage: ansible-vault [-h] [--version] [-v]
                     {create,decrypt,edit,view,encrypt,encrypt_string,rekey} ...

encryption/decryption utility for Ansible data files

positional arguments:
  {create,decrypt,edit,view,encrypt,encrypt_string,rekey}
    create              Create new vault encrypted file  # create a new encrypted file
    decrypt             Decrypt vault encrypted file  # decrypt an encrypted file
    edit                Edit vault encrypted file  # edit an encrypted file
    view                View vault encrypted file  # view an encrypted file
    encrypt             Encrypt YAML file   # encrypt an existing file
    encrypt_string      Encrypt a string
    rekey               Re-key a vault encrypted file  # change the vault password

optional arguments:
  --version             show program's version number, config file location, configured
                        module search path, module location, executable location and exit
  -h, --help            show this help message and exit
  -v, --verbose         Causes Ansible to print more debug messages. Adding multiple -v will
                        increase the verbosity, the builtin plugins currently evaluate up to
                        -vvvvvv. A reasonable level to start is -vvv, connection debugging
                        might require -vvvv.

See 'ansible-vault <command> --help' for more information on a specific command.

1. Basic encryption operations

  • Encrypt a yml file directly, typing the password interactively

  • Encrypt a yml file with a password file; this is the most common and most convenient way

1. Encrypt directly

# enter a password, then edit the file contents in the editor that opens
[devops@master test]$ ansible-vault create 1.yml
New Vault password: 
Confirm New Vault password: 
[devops@master test]$ cat 1.yml 
$ANSIBLE_VAULT;1.1;AES256
39313962396332633237333634613565303635626533356666666630653835343334326164333431
3130373266623862313661646136666235363161616636370a393238323632663538613432666231
66343634633134376334636161623031363635333931666633616632393431336230643864303465
3865343930396466610a656337316532643334343638643461386231346337636437323466313430
6430

2. Encrypt an existing yml file

[devops@master test]$ echo 2 > 2.yml
[devops@master test]$ ansible-vault encrypt 2.yml 
New Vault password: 
Confirm New Vault password: 
Encryption successful
[devops@master test]$ cat 2.yml 
$ANSIBLE_VAULT;1.1;AES256
35313331323639653162383135306238656461343065333137396334653564346564363939396636
6332323166333930636134643939666536396333653535660a376436363765393263356135323261
30646133626537313562376664333839323163653162316433383830376265393830363630313764
6365323865613865320a366339313638343335393661363431326464383364646633333763306161
6435

# encrypt the playbook using a password file
[devops@master test]$ echo 123 > p1.txt

[devops@master ansible]$ ansible-vault encrypt test/1.yml  --vault-password-file=./test/p1.txt
Encryption successful
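The `cat` output above shows what an encrypted file looks like: a `$ANSIBLE_VAULT;1.1;AES256` header line followed by a hex body. A defender's typical use of that knowledge is a repository check that every file which is supposed to be vaulted really is, rather than a plaintext file with a pasted-in header. The following is an added example and not code from the post or from the Ansible project; the `scan()` helper, the header regex and the negative test inputs are my own constructions, and the positive sample is the `1.yml` ciphertext printed above.

```python
# Added example (not from the post): recognise the $ANSIBLE_VAULT envelope the
# commands above produce, and reject files that merely look encrypted.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Header grammar: $ANSIBLE_VAULT;<format version>;<cipher>[;<vault id>]
# Version 1.1 is what the post's output shows; 1.2 adds the optional vault id.
HEADER_RE = re.compile(
    r"^\$ANSIBLE_VAULT;(?P<version>1\.[12]);(?P<cipher>[A-Z0-9]+)(?:;(?P<vault_id>[^;\s]+))?$"
)
HEX_DIGITS = set("0123456789abcdef")


@dataclass
class VaultHeader:
    version: str
    cipher: str
    vault_id: Optional[str]


def parse_vault_header(text: str) -> Optional[VaultHeader]:
    """Return the parsed first line, or None if it is not a vault header."""
    first_line = text.lstrip().split("\n", 1)[0].rstrip()
    m = HEADER_RE.match(first_line)
    if m is None:
        return None
    return VaultHeader(m["version"], m["cipher"], m["vault_id"])


def vault_payload_parts(text: str) -> Optional[List[str]]:
    """Decode the hex body that follows the header.

    A 1.1/1.2 body is the hex encoding of 'salt\\nhmac\\nciphertext', where each
    of those three fields is itself hex-encoded. Returns the three fields, or
    None if the body does not have that shape.
    """
    lines = text.strip().split("\n")[1:]
    body = "".join(line.strip() for line in lines)
    if not body or len(body) % 2 or not set(body) <= HEX_DIGITS:
        return None
    try:
        inner = bytes.fromhex(body).decode("ascii")
    except ValueError:
        return None
    parts = inner.split("\n")
    if len(parts) != 3 or not all(parts):
        return None
    if not all(set(p) <= HEX_DIGITS and len(p) % 2 == 0 for p in parts):
        return None
    return parts


def is_vault_encrypted(text: str) -> bool:
    """True only for a well-formed AES256 vault envelope with a decodable body."""
    hdr = parse_vault_header(text)
    if hdr is None or hdr.cipher != "AES256":
        return False
    return vault_payload_parts(text) is not None


def scan(files: Dict[str, str]) -> List[str]:
    """Return the names of files that are NOT properly vault-encrypted."""
    return [name for name, text in files.items() if not is_vault_encrypted(text)]


# Positive sample: the `cat 1.yml` output shown in the post.
SAMPLE_FROM_POST = """$ANSIBLE_VAULT;1.1;AES256
39313962396332633237333634613565303635626533356666666630653835343334326164333431
3130373266623862313661646136666235363161616636370a393238323632663538613432666231
66343634633134376334636161623031363635333931666633616632393431336230643864303465
3865343930396466610a656337316532643334343638643461386231346337636437323466313430
6430
"""

# Constructed negative cases: plaintext, and a vault header pasted over plaintext.
PLAINTEXT = "db_password: hunter2\n"
FAKE_HEADER = "$ANSIBLE_VAULT;1.1;AES256\ndb_password: hunter2\n"

if __name__ == "__main__":
    print(scan({"1.yml": SAMPLE_FROM_POST, "plain.yml": PLAINTEXT, "fake.yml": FAKE_HEADER}))
```

Running the block reports `plain.yml` and `fake.yml` as unencrypted while accepting the post's `1.yml`. The body check matters because a file that starts with the header but carries plaintext underneath would pass a naive "first line" test and still leak the secret.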

3. View the contents of an encrypted file

[devops@master test]$ ansible-vault view 2.yml 
Vault password: 
2
[devops@master test]$ ansible-vault view 1.yml 
Vault password: 
rere

4. Edit an encrypted file

  • enter the password, then modify the file contents

[devops@master test]$ ansible-vault edit 1.yml 
Vault password: 

[devops@master test]$ ansible-vault view 1.yml 
Vault password: 
qweqe
rere

5. Decrypt a file

[devops@master test]$ ansible-vault decrypt 1.yml 
Vault password: 
Decryption successful
[devops@master test]$ cat 1.yml 
qweqe
rere

6. Change the vault password

[devops@master test]$ ansible-vault rekey 2.yml 
Vault password:   # enter the current password
New Vault password:   # enter the new password
Confirm New Vault password:   # confirm the new password
Rekey successful

2. Running a playbook after it has been encrypted

1. Run the playbook with an interactively entered password

  • once a playbook has been encrypted, just enter the vault password when running it

# create an encrypted yml file
[devops@master test]$ ansible-vault create 3.yml
New Vault password: 
Confirm New Vault password: 

# when running the playbook, enter the password at the prompt
[devops@master ansible]$ ansible-playbook test/3.yml --ask-vault-pass
Vault password: 

PLAY [node1] **********************************************************************************

TASK [Gathering Facts] ************************************************************************
ok: [node1]

TASK [debug] **********************************************************************************
ok: [node1] => {
    "msg": "this is mim"
}

PLAY RECAP ************************************************************************************
node1                      : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   

2. Run the playbook using a password file

  • first encrypt the playbook with a password file

  • then pass the same password file when running the playbook; that is what lets it be decrypted

[devops@master ansible]$ ansible-playbook test/1.yml  --vault-password-file=./test/p1.txt

PLAY [node1] **********************************************************************************

TASK [Gathering Facts] ************************************************************************
ok: [node1]

TASK [debug] **********************************************************************************
ok: [node1] => {
    "msg": "this is msg"
}
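Once a playbook runs from a password file like `p1.txt`, that file is the secret: anyone who can read it can decrypt every vault it protects. The following added example (not from the post or the Ansible project) is a small pre-flight check for such a file. It flags permissions that let group or other read it, an empty file, and an executable file, since Ansible treats an executable password file as a script and takes the password from its stdout; the `demo()` function, the temporary `p1.txt` it creates and the 0644 starting mode are constructed for illustration.

```python
# Added example (not from the post): check a vault password file such as the
# post's p1.txt before it is handed to --vault-password-file.
import os
import stat
import tempfile
from typing import List, Tuple


def password_file_issues(path: str) -> List[str]:
    """Return human-readable problems with a vault password file; [] means OK."""
    issues: List[str] = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["file does not exist"]
    if not stat.S_ISREG(st.st_mode):
        issues.append("not a regular file")
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        issues.append(f"mode {mode:04o} grants group/other access; expected 0600")
    if st.st_size == 0:
        issues.append("file is empty, so the vault password would be empty")
    if mode & 0o111:
        # Ansible runs an executable password file and reads the password from
        # its stdout, so an accidental +x silently changes what gets used.
        issues.append("file is executable; ansible will run it as a password script")
    return issues


def harden_password_file(path: str) -> None:
    """Apply the owner-only permissions a static vault password file should carry."""
    os.chmod(path, 0o600)


def demo() -> Tuple[List[str], List[str]]:
    """Create a constructed password file the way the post does (echo 123 > p1.txt),
    show what a permissive mode looks like to the check, then fix it.
    Returns (issues before hardening, issues after hardening)."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "p1.txt")
    with open(path, "w") as fh:
        fh.write("123\n")  # constructed password, same as the post's example
    os.chmod(path, 0o644)  # what a 022 umask typically leaves behind
    before = password_file_issues(path)
    harden_password_file(path)
    after = password_file_issues(path)
    os.remove(path)
    os.rmdir(workdir)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```

The same check applies to a path configured through `vault_password_file` in ansible.cfg or the `ANSIBLE_VAULT_PASSWORD_FILE` environment variable, which Ansible reads in place of the command-line option.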

posted @ 2025-09-28 14:48 乔的港口