Ansible - 6 - 加密解密
Ansible 加密解密
ansible-vault 用途
- encryption/decryption utility for Ansible data files
- 主要应用于包含敏感信息的场景,可以加密和解密敏感信息
- See 'ansible-vault <command> --help' for more information on a specific command.
# ansible-vault -h
usage: ansible-vault [-h] [--version] [-v]
{create,decrypt,edit,view,encrypt,encrypt_string,rekey}
...
encryption/decryption utility for Ansible data files
positional arguments:
{create,decrypt,edit,view,encrypt,encrypt_string,rekey}
create Create new vault encrypted file
decrypt Decrypt vault encrypted file
edit Edit vault encrypted file
view View vault encrypted file
encrypt Encrypt YAML file
encrypt_string Encrypt a string
rekey Re-key a vault encrypted file
optional arguments:
--version show program's version number, config file location, configured module search path, module location, executable location and exit
-h, --help show this help message and exit
-v, --verbose verbose mode (-vvv for more, -vvvv to enable connection debugging)
See 'ansible-vault <command> --help' for more information on a specific command.
ansible-vault 常用命令
# Encrypt a file in place. With no password source given, ansible-vault prompts
# for the vault password (and a confirmation) interactively.
ansible-vault encrypt test-vault.yml
# NOTE(review): pwdfile holds the vault password in clear text (see 示例-2 below);
# restrict its permissions and keep it out of version control.
ansible-vault encrypt test-vault.yml --vault-password-file pwdfile
# Decrypt a file: the file on disk is rewritten in clear text.
ansible-vault decrypt test-vault.yml
ansible-vault decrypt test-vault.yml --vault-password-file pwdfile
# View a file: the clear text goes to stdout only; the file on disk stays encrypted.
ansible-vault view test-vault.yml
ansible-vault view test-vault.yml --vault-password-file pwdfile
# Re-key a file (change the vault password it is encrypted with).
ansible-vault rekey test-vault.yml
ansible-vault rekey test-vault.yml --vault-password-file pwdfile --new-vault-password-file pwdfilenew
# Create a new encrypted file (opens an editor, encrypts on save).
ansible-vault create test-vault.yml
ansible-vault create test-vault.yml --vault-password-file pwdfile
# Edit an existing encrypted file.
ansible-vault edit test-vault.yml
ansible-vault edit test-vault.yml --vault-password-file pwdfile
# Encrypt a single string (for inline !vault values in YAML).
# NOTE(review): the secret is passed as a command-line argument here, so it is
# recorded in shell history and visible to other users via `ps`; prefer reading
# it from stdin with `--stdin-name NAME` in real use.
ansible-vault encrypt_string 'test123456'
ansible-vault encrypt_string 'test123456' --name 'ansible_ssh_pass'
ansible-vault encrypt_string 'test123456' --name 'ansible_ssh_pass' --vault-id anliven@pwdfile
ansible-vault "--vault-id"选项
# Since Ansible 2.4 the documentation recommends "--vault-id" over "--vault-password-file"
# for naming the password source.
# "--vault-id prompt" is functionally equivalent to "--ask-vault-pass".
# Several password sources may be given at once, which covers the case where one
# vault-encrypted file references others.
# A label (the part before "@") can be embedded in the encrypted file as a marker.
# NOTE(review): that label is stored in clear text in the vault header
# ($ANSIBLE_VAULT;1.2;AES256;anliven, see 示例-4), so it must not itself be sensitive.
ansible-vault encrypt_string 'test123456' --name 'ansible_ssh_pass' --vault-id pwdfile # encrypt a string (secret is on argv; see note on --stdin-name above)
ansible-vault encrypt test-vault.yml --vault-id pwdfile # encrypt a file
ansible-vault encrypt test-vault.yml --vault-id anliven@pwdfile # the resulting file header carries the "anliven" label
ansible-vault decrypt test-vault.yml --vault-id pwdfile # decrypt a file
ansible-vault view test-vault.yml --vault-id pwdfile # view a file
ansible-vault edit test-vault.yml --vault-id pwdfile # edit a file
ansible-vault rekey test-vault.yml --vault-id pwdfile # re-key, prompting interactively for the new password
ansible-vault rekey test-vault.yml --vault-id pwdfile --new-vault-id pwdfilenew # re-key using a new password file
ansible-playbook test-vault.yml --vault-id pwdfile # run a playbook
ansible-playbook test-vault.yml --vault-id pwdfile1 --vault-id pwdfile2 # several password sources: test-vault.yml references other vault-encrypted files
ansible-playbook test-vault1.yml test-vault2.yml --vault-id pwdfile1 --vault-id pwdfile2 # several password sources to decrypt several files
ansible-vault 示例
示例-1 交互式密码
[root@test01 ansible-test]# cat test-vault.yml
- hosts: ta
gather_facts: no
tasks:
- debug:
msg: "test ansible-vault"
[root@test01 ansible-test]#
[root@test01 ansible-test]# ansible-playbook test-vault.yml
PLAY [ta] *********************************************************************************************************************************************************************************************
TASK [debug] ******************************************************************************************************************************************************************************************
ok: [172.20.8.247] => {
"msg": "test ansible-vault"
}
PLAY RECAP ********************************************************************************************************************************************************************************************
172.20.8.247 : ok=1 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
[root@test01 ansible-test]#
[root@test01 ansible-test]# ansible-vault encrypt test-vault.yml
New Vault password:
Confirm New Vault password:
Encryption successful
[root@test01 ansible-test]#
[root@test01 ansible-test]# cat test-vault.yml
$ANSIBLE_VAULT;1.1;AES256
32656239643632646139633938613430326139636636333235346361643161393131396661366534
6636386331316239616632316137316266316266646432360a366366643232313033343835346638
38616331636639643731633766333335613763623636333363336238353931616263313637313834
3135656632343034340a316238656238336432386638373236653738306530383232626231333438
38666338346130333561316535353637616230633634346162303730393166396230616533396435
38346536306433653566373438303565373036663138366330313836356666656639393438396134
35333465623365636531653562363366323065316238333333353863376236373362373832633636
62613732666263306531653231353931326635303533623934633235396239613838613230323862
3134
[root@test01 ansible-test]#
[root@test01 ansible-test]# ansible-vault view test-vault.yml
Vault password:
- hosts: ta
gather_facts: no
tasks:
- debug:
msg: "test ansible-vault"
[root@test01 ansible-test]#
[root@test01 ansible-test]# ansible-playbook --ask-vault-pass test-vault.yml
Vault password:
PLAY [ta] *********************************************************************************************************************************************************************************************
TASK [debug] ******************************************************************************************************************************************************************************************
ok: [172.20.8.247] => {
"msg": "test ansible-vault"
}
PLAY RECAP ********************************************************************************************************************************************************************************************
172.20.8.247 : ok=1 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
[root@test01 ansible-test]#
[root@test01 ansible-test]# ansible-vault decrypt test-vault.yml
Vault password:
Decryption successful
[root@test01 ansible-test]#
[root@test01 ansible-test]# cat test-vault.yml
- hosts: ta
gather_facts: no
tasks:
- debug:
msg: "test ansible-vault"
[root@test01 ansible-test]#
示例-2 密码文件
[root@test01 ansible-test]# echo "This-is_a#Test!2o22" > pwdfile
echo "This-is_a#Testhistoryo22" > pwdfile
(注意:交互式 bash 对双引号内的 `!2` 做了历史展开并回显了展开后的命令,因此实际写入 pwdfile 的口令是 "This-is_a#Testhistoryo22",而不是键入的内容;口令中含有 `!` 时应使用单引号,或先执行 `set +H` 关闭历史展开。)
[root@test01 ansible-test]#
[root@test01 ansible-test]# cat pwdfile
This-is_a#Testhistoryo22
[root@test01 ansible-test]#
[root@test01 ansible-test]# ansible-vault encrypt test-vault.yml --vault-password-file pwdfile
Encryption successful
[root@test01 ansible-test]#
[root@test01 ansible-test]# cat test-vault.yml
$ANSIBLE_VAULT;1.1;AES256
63343030376661643237653266366133313735363630353564363631376563613236383863346264
6163303562643831636237633038373265616334343234630a613466663138396334303463623665
30353632396236306435633062383864646466616261393064313633373635353633656161393266
3234326635323438610a376631323634316663313130356466306238306638613261663138333663
30363461616433643530656562313139303831346365346531303530666236373038306435636338
39666432326465313834613164356436653366656138613634303339346130353033313330303733
30643934383363333261646366396330343164393236633138383137316166643966393838396464
64323863306539333534663938393962326231373137613630623635313534356163363261626262
3765
[root@test01 ansible-test]#
[root@test01 ansible-test]# ansible-vault view test-vault.yml --vault-password-file pwdfile
- hosts: ta
gather_facts: no
tasks:
- debug:
msg: "test ansible-vault"
[root@test01 ansible-test]#
[root@test01 ansible-test]# ansible-playbook test-vault.yml --vault-password-file pwdfile
PLAY [ta] *********************************************************************************************************************************************************************************************
TASK [debug] ******************************************************************************************************************************************************************************************
ok: [172.20.8.247] => {
"msg": "test ansible-vault"
}
PLAY RECAP ********************************************************************************************************************************************************************************************
172.20.8.247 : ok=1 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
[root@test01 ansible-test]#
[root@test01 ansible-test]# ansible-vault decrypt test-vault.yml --vault-password-file pwdfile
Decryption successful
[root@test01 ansible-test]#
[root@test01 ansible-test]# cat test-vault.yml
- hosts: ta
gather_facts: no
tasks:
- debug:
msg: "test ansible-vault"
[root@test01 ansible-test]#
示例-3 加密字符串
[root@test01 ansible-test]# ansible-vault encrypt_string "test123456"
New Vault password:
Confirm New Vault password:
!vault |
$ANSIBLE_VAULT;1.1;AES256
33383336353737346430653165326665393430346539376334396335336530613330643764313962
3438366538366262316666353962663564666532393333300a333934633664393262653065343864
63653361666133363862353061323238376335666165313130393664623761393033343136343265
6166663630353038380a666164643565343336373062323135643038363436343938383363303632
6230
Encryption successful
[root@test01 ansible-test]#
[root@test01 ansible-test]# vim test-encrypt_string.yaml
[root@test01 ansible-test]#
[root@test01 ansible-test]# cat test-encrypt_string.yaml
- hosts: ta
gather_facts: no
vars:
test_user: "testuser"
test_passwd: !vault |
$ANSIBLE_VAULT;1.1;AES256
33383336353737346430653165326665393430346539376334396335336530613330643764313962
3438366538366262316666353962663564666532393333300a333934633664393262653065343864
63653361666133363862353061323238376335666165313130393664623761393033343136343265
6166663630353038380a666164643565343336373062323135643038363436343938383363303632
6230
tasks:
- debug:
msg: "{{test_user}}"
- debug:
msg: "{{test_passwd}}"
[root@test01 ansible-test]#
[root@test01 ansible-test]# ansible-playbook test-encrypt_string.yaml --ask-vault-pass
Vault password:
PLAY [ta] *********************************************************************************************************************************************************************************************
TASK [debug] ******************************************************************************************************************************************************************************************
ok: [172.20.8.247] => {
"msg": "testuser"
}
TASK [debug] ******************************************************************************************************************************************************************************************
ok: [172.20.8.247] => {
"msg": "test123456"
}
PLAY RECAP ********************************************************************************************************************************************************************************************
172.20.8.247 : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
[root@test01 ansible-test]#
示例-4 通过密码文件加密字符串
[root@test01 ansible-test]# ansible-vault encrypt_string "test123456" --name "test_passwd" --vault-id anliven@pwdfile
test_passwd: !vault |
$ANSIBLE_VAULT;1.2;AES256;anliven
61646130623833333634646632393432326431383864663134356530323536663165303061313661
3365343837623564343037663236316635666565613730350a393731646238376638363365363561
35383465336137313134306363363139386537633839393363653465333161303634313832383136
3038326464613935350a383565343261363833333631663862336464303538323561363237326637
3431
Encryption successful
[root@test01 ansible-test]#
[root@test01 ansible-test]# vim test-encrypt_string.yaml
[root@test01 ansible-test]# cat test-encrypt_string.yaml
- hosts: ta
gather_facts: no
vars:
test_user: "testuser"
test_passwd: !vault |
$ANSIBLE_VAULT;1.2;AES256;anliven
61646130623833333634646632393432326431383864663134356530323536663165303061313661
3365343837623564343037663236316635666565613730350a393731646238376638363365363561
35383465336137313134306363363139386537633839393363653465333161303634313832383136
3038326464613935350a383565343261363833333631663862336464303538323561363237326637
3431
tasks:
- debug:
msg: "{{test_user}}"
- debug:
msg: "{{test_passwd}}"
[root@test01 ansible-test]#
[root@test01 ansible-test]# ansible-playbook test-encrypt_string.yaml --vault-id pwdfile
PLAY [ta] *********************************************************************************************************************************************************************************************
TASK [debug] ******************************************************************************************************************************************************************************************
ok: [172.20.8.247] => {
"msg": "testuser"
}
TASK [debug] ******************************************************************************************************************************************************************************************
ok: [172.20.8.247] => {
"msg": "test123456"
}
PLAY RECAP ********************************************************************************************************************************************************************************************
172.20.8.247 : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
[root@test01 ansible-test]#
全文跳转链接
Ansible系列全文地址 :https://www.cnblogs.com/anliven/p/16859401.html