Using ansible-vault in “interactive mode” via bash script

主宰稳场 submitted on 2019-12-11 16:24:12

Question


I really love using ansible-vault on the command-line to encrypt/decrypt files easily. For example, if I have a plaintext file called ~/fizzbuzz.foo with the following contents:

bupo

I can use this tool like so:

ansible-vault encrypt ~/fizzbuzz.foo
New Vault password: 123
Confirm New Vault password: 123

Boom -- encrypted! When I vi ~/fizzbuzz.foo now:

$ANSIBLE_VAULT;1.1;AES256
36663138613666623730653164333138343133383233313562363733346461663334393932393461
6535316532366130316237633633663565663366323162660a666630613738363035343663353132
33383530653235393431633231313765656135626538353163323366363039633836613265383332
3762666261326466370a643164393166346634343636346634383039356665646531353062303765
3734

I'd like to use this in a bash script where I pass the encryption/decryption password in as a script argument:

#!/bin/bash

# do some stuff

ansible-vault -i "bar" encrypt ~/fizzbuzz.foo

# do some more stuff

However, I don't see anything like an interactive (e.g. -i) argument/mode for ansible-vault. The best I could find was a way of using an env file for storing passwords for the ansible-playbook utility, but I played around with ansible-vault and couldn't find a similar behavior for it.

Any ideas?


Answer 1:


You need to create the vault password file first. Here is how:

openssl rand -base64 512 |xargs > vaultkeyfile

I am creating the vault file in the local directory, but you probably want to place it in another one, like ~/.ansible_vault/ for example.

Then, to create/encrypt/decrypt the file, you use:

For a new file:

ansible-vault create testfile.txt --vault-password-file=vaultkeyfile

For encrypting an existing file:

ansible-vault encrypt testfile.txt --vault-password-file=vaultkeyfile

For decrypting:

ansible-vault decrypt testfile.txt --vault-password-file=vaultkeyfile

When executing the above, you will notice it doesn't ask for a password.



Source: https://stackoverflow.com/questions/49743856/using-ansible-vault-in-interactive-mode-via-bash-script
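
A wrapper around the `--vault-password-file` approach from the answer, as an added example that is not part of the original post: it writes the password to a short-lived, owner-only temporary file and removes it when the command finishes, so the script never needs the password in its argument list (where `ps` and shell history would expose it). The names `run_with_vault_pass` and `VAULT_PASS` and the `vaultkey.XXXXXX` template are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post.
# run_with_vault_pass and VAULT_PASS are assumed names.
#
# Usage inside a script, with VAULT_PASS already set by the caller
# (for instance read from a prompt or a secrets manager):
#   run_with_vault_pass ansible-vault encrypt ~/fizzbuzz.foo

# The function body is a subshell, so the traps and variables below
# do not leak into the calling script.
run_with_vault_pass() (
    if [ -z "${VAULT_PASS:-}" ]; then
        echo "run_with_vault_pass: VAULT_PASS is empty or unset" >&2
        exit 2
    fi
    if [ "$#" -eq 0 ]; then
        echo "usage: run_with_vault_pass <command> [args...]" >&2
        exit 2
    fi

    # mktemp creates the file with mode 0600 (owner read/write only).
    keyfile=$(mktemp "${TMPDIR:-/tmp}/vaultkey.XXXXXX") || exit 1

    # Remove the key file on any exit path, including interruption.
    trap 'rm -f -- "$keyfile"' EXIT
    trap 'exit 1' HUP INT TERM

    printf '%s\n' "$VAULT_PASS" > "$keyfile"

    # Append the option after the caller's arguments, the same position
    # the answer uses: ansible-vault encrypt FILE --vault-password-file=...
    rc=0
    "$@" --vault-password-file="$keyfile" || rc=$?
    exit "$rc"
)
```

The wrapped command's exit status is passed through, so a failed `ansible-vault` call can still stop the calling script.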
