{{tag>ansible encryption}}

====== Encrypt content with Ansible Vault ======

This setup stores the vault password in the system keyring. Ansible's keyring client script then reads that password for encryption and decryption.

This assumes Ansible was installed with pip:

  pip3 install --user ansible

Link the ''python3'' executable to ''python'':

  sudo ln -s /usr/bin/python3 /usr/bin/python

or install the ''python-is-python3'' package:

  sudo apt install python-is-python3

Otherwise the script won't work.

===== Create and store password =====

  /home/user/.local/lib/python3.8/site-packages/ansible_collections/community/general/scripts/vault/vault-keyring-client.py --set

Then set your password. Afterwards you should see it in GNOME's Password and Keys program.

===== Encrypt a string =====

  ansible-vault encrypt_string --vault-id ansible@/home/user/.local/lib/python3.8/site-packages/ansible_collections/community/general/scripts/vault/vault-keyring-client.py "woo" --name "my_var"

Output:

  my_var: !vault |
            $ANSIBLE_VAULT;1.2;AES256;ansible
            38376665323730326432343039383138303136616536363034643261643139633037363533366430
            3366303933316634653233353333643831313737376236380a643632313233613136623434656463
            32353764616639353434313936663832396364663562306562396262643935316533333630643866
            3531643764386562350a666464393362623438626462363262353662366263343265386464326165
            3865
  Encryption successful

You can then copy the output above as a variable into a playbook.

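
The encrypted value can be sanity-checked before it is committed. The following is an added example, not code from the original page or from Ansible: it parses the output shown above without the password, relying on the vault 1.1/1.2 AES256 payload layout (outer hex wrapping three newline-separated hex fields: salt, HMAC, ciphertext). ''parse_vault'' and ''VaultEnvelope'' are hypothetical names.

```python
import binascii
from typing import NamedTuple

# Sample input: the encrypt_string output shown on this page.
SAMPLE = """\
$ANSIBLE_VAULT;1.2;AES256;ansible
38376665323730326432343039383138303136616536363034643261643139633037363533366430
3366303933316634653233353333643831313737376236380a643632313233613136623434656463
32353764616639353434313936663832396364663562306562396262643935316533333630643866
3531643764386562350a666464393362623438626462363262353662366263343265386464326165
3865
"""


class VaultEnvelope(NamedTuple):
    version: str
    cipher: str
    vault_id: str      # label after the cipher; empty for 1.1 headers
    salt: bytes
    hmac: bytes
    ciphertext: bytes


def parse_vault(text: str) -> VaultEnvelope:
    """Split a vault blob into header fields and payload parts.

    Nothing is decrypted and no password is needed.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    header = lines[0].split(";") if lines else []
    if len(header) not in (3, 4) or header[0] != "$ANSIBLE_VAULT":
        raise ValueError("missing $ANSIBLE_VAULT header")
    version, cipher = header[1], header[2]
    vault_id = header[3] if len(header) == 4 else ""
    try:
        # The outer hex wraps three newline-separated hex fields.
        inner = binascii.unhexlify("".join(lines[1:]))
        salt, mac, ct = (binascii.unhexlify(p) for p in inner.split(b"\n"))
    except ValueError as exc:  # bad hex or wrong number of fields
        raise ValueError("payload is not three hex fields") from exc
    if cipher != "AES256" or len(salt) != 32 or len(mac) != 32 or not ct:
        raise ValueError("unexpected cipher or field length")
    return VaultEnvelope(version, cipher, vault_id, salt, mac, ct)


if __name__ == "__main__":
    env = parse_vault(SAMPLE)
    print(env.version, env.cipher, env.vault_id, len(env.ciphertext))
```

A value that was pasted in plaintext, or encrypted under a different vault ID label than ''ansible'', fails this check or shows the wrong ''vault_id''.
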
===== Example playbook =====

''site.yml''

Example that encrypts the name of the host group "woo":

  ---
  - name: My playbook
    vars:
      my_var: !vault |
                $ANSIBLE_VAULT;1.2;AES256;ansible
                38376665323730326432343039383138303136616536363034643261643139633037363533366430
                3366303933316634653233353333643831313737376236380a643632313233613136623434656463
                32353764616639353434313936663832396364663562306562396262643935316533333630643866
                3531643764386562350a666464393362623438626462363262353662366263343265386464326165
                3865
    hosts: "{{ my_var }}"
    tasks:
      - name: Installing python-minimal
        raw: test -e /usr/bin/python || (apt-get -y update && apt-get install -y python-minimal)
        register: result
        changed_when: "result.rc != 0"
      - name: Updating package cache and installing column and aptitude
        apt:
          update_cache: yes
          name: ['bsdmainutils', 'aptitude']
          state: latest
  ...

The playbook above runs on the hosts in the "woo" group.

===== Run playbook with encrypted variable =====

  ansible-playbook --vault-id ansible@/home/user/.local/lib/python3.8/site-packages/ansible_collections/community/general/scripts/vault/vault-keyring-client.py site.yml

====== Tested on ======

  * Ubuntu 20.04.2 LTS
  * ansible [core 2.11.3]
  * python version = 3.8.10

====== References ======

  * https://stackoverflow.com/questions/3655306/ubuntu-usr-bin-env-python-no-such-file-or-directory/61608129
  * https://docs.ansible.com/ansible/latest/user_guide/vault.html#vault