Global Outreach Solutions company logo — ERP, VoIP, and custom software development in PakistanGlobal Outreach
DevOps Tutorials·25 min read

Secure Sensitive Data with Ansible Vault

Contributors: Justin Ellingwood and Manikandan Kurup Learn what it means for software, security, and business technology teams.

  • Security
  • Configuration-management
  • Ansible
  • Ubuntu
  • Devops Tutorials
  • Secure
  • Sensitive
  • Data

By Global Outreach

Illustrated cover image for the DevOps Tutorials article "Secure Sensitive Data with Ansible Vault" on Global Outreach Solutions blog
  • Blog
  • Docs
  • Careers
  • Get Support
  • Contact Sales
  • Products Featured AI Products Compute Build, deploy, and scale cloud compute resources Containers and Images Safely store and manage containers and backups Managed Databases Fully managed resources running popular database engines Management and Dev Tools Control infrastructure and gather insights Networking Secure and control traffic to apps Security Help protect your account and resources with these security features Storage Store and access any amount of data reliably in the cloud Browse all products
  • Solutions AI/ML CMS Data and IoT Developer Tools Gaming and Media Hosting Security and Networking Startups and SMBs Web and App Platforms See all solutions
  • Developers Community Documentation Developer Tools Get Involved Utilities and Help
  • Partners Become a Partner Marketplace
  • Pricing
  • Log in Log in to:
  • Community
  • DigitalOcean
  • Sign up for:
  • Community
  • DigitalOcean
  • Log in Log in to:
  • Community
  • DigitalOcean
  • Sign up for:
  • Community
  • DigitalOcean
  • Tutorials
  • Questions
  • Product Docs
  • Search Community

Contents Overview

Contributors: Justin Ellingwood and Manikandan Kurup

Ansible Vault is a tool for encrypting sensitive data in Ansible projects, safeguarding information like passwords and API keys. It automatically decrypts this data at runtime when the correct password is provided.

In this tutorial, you will discover the workings of Ansible Vault, methods to encrypt files and variables, ways to provide passwords, and management of multiple vault passwords. The guide is applicable on any Linux distribution with Ansible installed, with tests conducted on Ubuntu.

  • Ansible Vault encrypts secrets at rest so you can keep sensitive and nonsensitive configuration data together in one project without exposing the secrets.
  • You can encrypt an entire file with ansible-vault encrypt , or encrypt a single value inline with ansible-vault encrypt_string , which is friendlier for shared repositories.
  • The ansible and ansible-playbook commands decrypt vault content automatically when given the password through --ask-vault-pass , a --vault-password-file , or the ANSIBLE_VAULT_PASSWORD_FILE environment variable.
  • A vault password file must be kept out of version control (add it to .gitignore ) and locked down with chmod 600 .
  • Vault IDs (the --vault-id label@source syntax) let you manage multiple passwords, such as separate secrets for development, staging, and production.
  • In CI/CD pipelines, store the vault password as a protected pipeline secret, write it to a temporary file at runtime, and remove that file after the run.
  • Ansible Vault protects data on disk only; once decrypted at runtime, secrets live in memory and can appear in verbose output or logs, so handle them carefully.
  • If you lose a vault password, the encrypted data cannot be recovered, which is why storing vault passwords in a dedicated password or secrets manager matters.
  • For large teams scaling their automation, an external secrets manager such as HashiCorp Vault can complement or replace Ansible Vault.

Ensure you have an Ubuntu server with a non-root user having sudo access. Refer to our Initial Server Setup guide for user creation.

Install and set up Ansible on your server by following our tutorial on installing Ansible on Ubuntu. Proceed with this guide once your server meets the requirements.

Understanding Ansible Vault

Ansible Vault is a feature that allows for the seamless integration of encrypted data into Ansible workflows. The ansible-vault utility secures sensitive data by encrypting it on disk, and both ansible and ansible-playbook commands can decrypt this data during execution.

Vault operates at the file level, meaning files can be either fully encrypted or unencrypted. It also allows for inline encryption of individual values. Ansible automatically identifies and decrypts any vault-encrypted content it encounters during playbook execution, provided it has the correct password.

Encryption Method and Security Overview

Ansible Vault employs AES-256 encryption in CTR mode, deriving its encryption key from your password using PBKDF2 with HMAC-SHA256, repeated over 10,000 iterations. The strength of your vault's security largely depends on the complexity of your password and its secure storage.

It's crucial to note what Ansible Vault does not safeguard against. While it protects data at rest, once decrypted during execution, that data exists in memory and may appear in logs or verbose output. Vault does not offer per-user access control; anyone with the password can access all protected data.

With a clear understanding of Vault's capabilities, you can begin utilizing the tools Ansible provides.

Configuring the Ansible Vault Editor

Before utilizing the ansible-vault command, it's advisable to set your preferred text editor. Ansible defaults to vi if the EDITOR environment variable is not set.

To change the editor from vi, update the EDITOR variable in your environment.

If you accidentally enter a vi session, you can exit without saving by pressing Esc, typing :q!, and then hitting Enter.

To specify the editor for a single command, prepend the command with the environment variable assignment.

EDITOR = nano ansible-vault . . .

To make the editor choice persistent, open your ~/.bashrc file.

nano ~/.bashrc

Add an EDITOR assignment at the end of the file to set your preferred editor.

export EDITOR= nano

After saving and closing the file, source it to apply the changes in the current session.

. ~/.bashrc

Check that your editor setting is applied by displaying the EDITOR variable.

echo $EDITOR

The command will show the editor you have set.

nano

With your preferred editor configured, you can now explore the operations available with the ansible-vault command.

Managing Encrypted Files with ansible-vault

The ansible-vault command serves as the primary interface for handling encrypted content within Ansible, allowing you to encrypt files, view, edit, rekey, or decrypt data.

Creating Encrypted Files

To create a new encrypted file, use the ansible-vault create command followed by the desired file name.

ansible-vault create vault.yml

You will be prompted to enter and confirm a password.

New Vault password: Confirm New Vault password:

Once the password is confirmed, Ansible opens an editing window for you to input your desired content.

Secret information

Upon closing the file, Ansible encrypts the contents, replacing your input with an encrypted block.

cat vault.yml

The file will now contain a Vault header followed by the encrypted data.

$ANSIBLE_VAULT;1.1;AES256 65316332393532313030636134643235316439336133363531303838376235376635373430336333 3963353630373161356638376361646338353763363434360a363138376163666265336433633664 30336233323664306434626363643731626536643833336638356661396364313666366231616261 3764656365313263620a383666383233626665376364323062393462373266663066366536306163 31643731343666353761633563633634326139396230313734333034653238303166

The header indicates how Ansible should handle the file, followed by the encrypted content displayed in hexadecimal.

Encrypting Existing Files

To encrypt an already existing file, use the ansible-vault encrypt command.

echo 'unencrypted stuff' > encrypt_me.txt

Create a sample file for testing purposes.

ansible-vault encrypt encrypt_me.txt

Provide and confirm a password when prompted, after which Ansible will confirm the encryption.

New Vault password: Confirm New Vault password: Encryption successful

The ansible-vault command will encrypt the file's contents and overwrite the original unencrypted version.

cat encrypt_me.txt

The output will resemble that of a newly created encrypted file with a Vault header and encrypted body.

$ANSIBLE_VAULT;1.1;AES256 66633936653834616130346436353865303665396430383430353366616263323161393639393136 3737316539353434666438373035653132383434303338640a396635313062386464306132313834 34313336313338623537333332356231386438666565616537616538653465333431306638643961 3636663633363562320a613661313966376361396336383864656632376134353039663662666437 39393639343966363565636161316339643033393132626639303332373339376664

As shown, Ansible encrypts existing content similarly to new files.

Viewing Encrypted Files

To view the contents of a vault-encrypted file without editing, use the ansible-vault view command.

ansible-vault view vault.yml

You will be prompted for the file's password, and upon successful entry, the contents will be displayed.

Vault password: Secret information

Be mindful that the password prompt may appear alongside the file's output, especially in automated processes.

Editing Encrypted Files

To modify an encrypted file, use the ansible-vault edit command.

ansible-vault edit vault.yml

After entering the file's password, Ansible opens it in an editing interface for you to make changes.

Manually Decrypting Files

To decrypt a vault-encrypted file, use the ansible-vault decrypt command.

Use this command cautiously, as it permanently removes encryption from the file. For viewing or editing, prefer ansible-vault view or edit.

Provide the name of the encrypted file for decryption.

ansible-vault decrypt vault.yml

You will need to enter the encryption password, and upon doing so, the file will be decrypted.

Vault password: Decryption successful

Viewing the file again will reveal its actual contents instead of the encrypted block.

The file will now be in plain text format on disk.

Ensure to remove any sensitive information or re-encrypt the file after your modifications.

Changing the Password of Encrypted Files

To update the password of an encrypted file, use the ansible-vault rekey command.

ansible-vault rekey encrypt_me.txt

You will first be asked for the file's current password.

Vault password:

After entering it, you will choose and confirm a new vault password.

Vault password: New Vault password: Confirm New Vault password:

Upon successful confirmation, you will receive a message indicating the re-encryption was successful.

Rekey successful

The file will now be accessible with the new password, while the old password will no longer work.

Encrypting Individual Variables with ansible-vault encrypt_string

While encrypting entire files is effective, it may hinder visibility for shared projects. The ansible-vault encrypt_string command enables inline encryption of single values, allowing a readable variables file with encrypted sensitive values.

To encrypt a value and assign it a variable name, run the command with the value and the --name flag.

ansible-vault encrypt_string ' supersecretpassword ' --name ' mysql_password '

You will be prompted for a vault password, after which Ansible provides a YAML snippet ready for pasting.

New Vault password: Confirm New Vault password: mysql_password: ! vault | $ANSIBLE_VAULT ; 1.1 ; AES256 39613463343766353861393236363232383831356636373033386230623261306566653034643865 6566383437333436353331353764633033366563343631380a316234383 .. . Encryption successful

This snippet can be directly added to a regular variables file, mixing encrypted and unencrypted values.

--- # nonsensitive data mysql_port : 3306 mysql_host : 10.0.0.3 mysql_user : fred # sensitive data, encrypted inline mysql_password : !vault | $ANSIBLE_VAULT;1.1;AES256 39613463343766353861393236363232383831356636373033386230623261306566653034643865 6566383437333436353331353764633033366563343631380a316234383...

The !vault tag indicates to Ansible that the value is encrypted and will be decrypted at runtime, allowing variable names to remain visible in code review.

Executing Ansible with Vault-Encrypted Files

Once your sensitive information is encrypted with Vault, you can utilize the files with Ansible's standard tools. Both ansible and ansible-playbook commands can decrypt vault-protected content with the correct password.

To follow along, create a vault-encrypted file.

ansible-vault create secret_key

Select and confirm a password, then input any dummy content.

confidential data

Save and close the file, then create a temporary hosts file for inventory.

nano hosts

Add the Ansible localhost to the inventory file under the [database] group.

[database] localhost ansible_connection=local

Create an ansible.cfg file in the current directory if it doesn't exist.

nano ansible.cfg

Add a [defaults] section in the config file to point Ansible to your inventory.

[defaults] inventory = ./hosts

Continue to explore the different methods of providing a password.

Using an Interactive Prompt

The simplest way to decrypt content at runtime is by prompting for the password. Use the --ask-vault-pass flag with any ansible or ansible-playbook command.

For instance, to copy a vault-encrypted file's contents to a host, utilize the copy module with the --ask-vault-pass flag.

This example uses localhost to minimize server requirements, but the outcome remains the same as with a remote host.

ansible --ask-vault-pass -bK -m copy -a 'src= secret_key dest=/tmp/ secret_key mode=0600 owner=root group=root' localhost

The task specifies file ownership changes to root, requiring administrative privileges. The -bK flag prompts for the sudo password first, followed by the Vault password.

BECOME password: Vault password:

Once both passwords are provided, Ansible executes the task, utilizing the Vault password for any encrypted files found. Remember, all files referenced during a single execution must use the same password.

localhost | SUCCESS = > { "changed" : true, "checksum" : "7a2eb5528c44877da9b0250710cba321bc6dac2d" , "dest" : "/tmp/secret_key" , "gid" : 0 , "group" : "root" , "md5sum" : "270ac7da333dd1db7d5f7d8307bd6b41" , "mode" : "0600" , "owner" : "root" , "size" : 18 , "src" : "/home/sammy/.ansible/tmp/ansible-tmp-1480978964.81-196645606972905/source" , "state" : "file" , "uid" : 0 }

While prompting for a password is secure, it can become tedious for repeated runs and hinder automation; the next sections will discuss alternatives.

Using a Vault Password File

To avoid typing the Vault password each time, store it in a file and reference it during execution.

echo ' my_vault_password ' > .vault_pass

A vault password file is as sensitive as the password itself; restrict its permissions to ensure only your user can read it, and avoid committing it to version control.

Lock down the file's permissions so only your user can read it, and if using version control, add it to your ignore file.

chmod 600 .vault_pass echo '.vault_pass' >> .gitignore

Reference the file using the --vault-password-file flag to complete the same task without an interactive prompt.

ansible --vault-password-file = .vault_pass -bK -m copy -a 'src= secret_key dest=/tmp/ secret_key mode=0600 owner=root group=root' localhost

You will not be prompted for the Vault password this time.

localhost | SUCCESS = > { "changed" : false, "checksum" : "52d7a243aea83e6b0e478db55a2554a8530358b0" , "dest" : "/tmp/secret_key" , "gid" : 0 , "group" : "root" , "mode" : "0600" , "owner" : "root" , "path" : "/tmp/secret_key" , "size" : 8 , "state" : "file" , "uid" : 0 }

Automatically Reading the Password File

To eliminate the need for a flag, set the ANSIBLE_VAULT_PASSWORD_FILE environment variable to the path of your password file.

export ANSIBLE_VAULT_PASSWORD_FILE = ./.vault_pass

Now you can run commands without the --vault-password-file flag in the current session.

ansible -bK -m copy -a 'src= secret_key dest=/tmp/ secret_key mode=0600 owner=root group=root' localhost

To make the password file location persistent across sessions, edit your ansible.cfg file.

In the [defaults] section, set the vault_password_file option to your password file's location.

[defaults] . . . vault_password_file = ./.vault_pass

With this configuration, you will no longer be prompted for the vault password during command execution.

Reading the Password from an Environment Variable

If you're concerned about accidentally committing your password file, you can make it executable and run it as a script to retrieve the password.

Open your .vault_pass file in your editor.

nano .vault_pass

Replace its contents with a script that reads the password from an environment variable.

#!/usr/bin/env python3 import os print ( os . environ [ 'VAULT_PASSWORD' ] )

Make the file executable.

chmod +x .vault_pass

Set and export the VAULT_PASSWORD environment variable for your current session.

export VAULT_PASSWORD = my_vault_password

Although this may seem inconvenient, it prevents accidental commits since the password is never written to disk.

Managing Multiple Vault Passwords

As projects expand, a single password may not suffice for all secrets. Separate passwords for development, staging, and production environments are often desirable.

Vault IDs utilize the label@source syntax, where source can be a password file or the keyword prompt.

ansible-vault encrypt_string --vault-id prod@prompt ' RealProductionPassword ' --name ' vault_db_password '

When encrypting a string with a production vault ID, you will be prompted for the password.

$ANSIBLE_VAULT ; 1.2 ; AES256 ; prod

Using a labeled vault ID, the label is recorded in the header of the encrypted block.

ansible-playbook site.yml --vault-id dev@dev_pass --vault-id prod@prompt

When executing a playbook, you can supply multiple vault IDs, and Ansible will attempt each one as needed.

Using Vault-Encrypted Variables with Regular Variables

Ansible Vault is primarily used to protect sensitive variables. This section illustrates how to transform a regular variables file into a configuration that balances security and usability.

Example Setup

Imagine configuring a database server without actually installing a database. You previously placed the localhost entry in a group called database.

mkdir -p group_vars nano group_vars/database.yml

In the group_vars/database.yml file, add typical variables, separating sensitive from non-sensitive ones.

--- # nonsensitive data mysql_port : 3306 mysql_host : 10.0.0.3 mysql_user : fred # sensitive data mysql_password : supersecretpassword

Test that all variables are available using Ansible's debug module and the hostvars variable.

ansible -m debug -a 'var=hostvars[inventory_hostname]' database

The output will confirm that all defined variables are applied to the host.

localhost | SUCCESS = > { "hostvars[inventory_hostname]" : { "ansible_check_mode" : false, "ansible_version" : { "full" : "2.18.1" , "major" : 2 , "minor" : 18 , "revision" : 1 , "string" : "2.18.1" } , "group_names" : [ "database" ] , "groups" : { "all" : [ "localhost" ] , "database" : [ "localhost" ] , "ungrouped" : [ ] } , "inventory_dir" : "/home/sammy" , "inventory_file" : "hosts" , "inventory_hostname" : "localhost" , "inventory_hostname_short" : "localhost" , "mysql_host" : "10.0.0.3" , "mysql_password" : "supersecretpassword" , "mysql_port" : 3306 , "mysql_user" : "fred" , "omit" : "__omit_place_holder__1c934a5a224ca1d235ff05eb9bda22044a6fb400" , "playbook_dir" : "." } }

Currently, the group_vars/database.yml file contains all variables together, which presents a security risk if left unencrypted.

To address this, distinguish between sensitive and non-sensitive variables, allowing encryption of confidential values while sharing others.

Use a variable directory instead of a single variable file to apply variables from multiple files.

Rename the existing file from database.yml to vars.yml, which will be your unencrypted variable file.

mv group_vars/database.yml group_vars/vars.yml

Create a directory named after the old variable file and move vars.yml inside it.

mkdir group_vars/database mv group_vars/vars.yml group_vars/database/

Now, you have a variable directory for the database group and one unencrypted variable file.

nano group_vars/database/vars.yml

Remove sensitive data from the unencrypted file, such as mysql_password.

--- # nonsensitive data mysql_port : 3306 mysql_host : 10.0.0.3 mysql_user : fred

Create a vault-encrypted file in the directory alongside the unencrypted vars.yml file.

ansible-vault create group_vars/database/vault.yml

In this vault file, define sensitive variables with the prefix vault_.

--- vault_ mysql_password : supersecretpassword

After saving, your directory structure will reflect the separation of sensitive and non-sensitive variables.

. ├── . . . ├── group_vars/ │ └── database/ │ ├── vars.yml │ └── vault.yml └── . . .

While this structure enhances security, it reduces usability by obscuring variable names.

Referencing Vault Variables from Unencrypted Variables

Add the original variable names back to the unencrypted file, using Jinja2 templating to reference the encrypted variables.

Open the unencrypted variables file and reintroduce the mysql_password variable using Jinja2 templating.

The mysql_password variable should reference vault_mysql_password defined in the vault file.

--- # nonsensitive data mysql_port : 3306 mysql_host : 10.0.0.3 mysql_user : fred # sensitive data mysql_password : "{{ vault_mysql_password }}"

This method allows you to see all variables in a single file while keeping sensitive values hidden.

You can verify that all mysql_* variables are correctly applied as before.

If the Vault password isn't automatically applied, add the --ask-vault-pass flag.

The output will show both variables resolving to the same secret value.

localhost | SUCCESS = > { "hostvars[inventory_hostname]" : { "ansible_check_mode" : false, "ansible_version" : { "full" : "2.18.1" , "major" : 2 , "minor" : 18 , "revision" : 1 , "string" : "2.18.1" } , "group_names" : [ "database" ] , "groups" : { "all" : [ "localhost" ] , "database" : [ "localhost" ] , "ungrouped" : [ ] } , "inventory_dir" : "/home/sammy/vault" , "inventory_file" : "./hosts" , "inventory_hostname" : "localhost" , "inventory_hostname_short" : "localhost" , "mysql_host" : "10.0.0.3" , "mysql_password" : "supersecretpassword" , "mysql_port" : 3306 , "mysql_user" : "fred" , "omit" : "__omit_place_holder__6dd15dda7eddafe98b6226226c7298934f666fc8" , "playbook_dir" : "." , "vault_mysql_password" : "supersecretpassword" } }

Both vault_mysql_password and mysql_password will be accessible without affecting system usage.

Comparing Ansible Vault with Other Secrets Management Methods

Ansible Vault is one of several methods for managing secrets in automation, with the right choice depending on team size and workflow.

Ansible Vault is ideal for small to mid-sized teams needing encrypted secrets at rest, while environment variables are simpler but lack encryption. External secrets managers offer more robust options for larger organizations.

Best Practices for Managing Secrets with Ansible Vault

Follow these habits to ensure a secure and maintainable vault workflow:

  • Keep the vault password file outside version control and restrict it with chmod 600 , and add unencrypted secret files to .gitignore so they are never committed.
  • Prefer ansible-vault encrypt_string for individual values in shared repositories so reviewers can still see variable names, and reserve whole-file encryption for files that are entirely sensitive.
  • Use a clear naming convention, such as the vault_ prefix, so it is obvious which variables come from an encrypted source.
  • Separate vault IDs by environment (for example dev , staging , and prod ) so that access to one environment’s secrets does not grant access to another’s.
  • Rotate vault passwords on a defined schedule using ansible-vault rekey , and rotate immediately if a password may have been exposed.
  • Store the vault passwords themselves in a dedicated password manager or secrets manager, because losing a vault password means the encrypted data cannot be recovered.
  • Use no_log: true on any task that handles a decrypted secret to prevent the value from appearing in task output, logs, or Ansible Tower / AWX job results. For example: - name : Create database user community.mysql.mysql_user : name : "{{ mysql_user }}" password : "{{ mysql_password }}" state : present no_log : true Vault protects data on disk; no_log protects it at runtime. Both controls together give you defense in depth.
  • Although ansible-vault encrypt works on any file including entire playbooks, whole-playbook encryption is rarely practical in team settings because it prevents anyone from reading the task list without decrypting it first. Prefer encrypting only the variables files that contain secrets, and keep your playbooks in plain text.

1. Can you use Ansible Vault for sensitive information?

Yes, Ansible Vault is intended for securely storing sensitive data such as passwords and API keys by encrypting them at rest.

2. How do you encrypt a file with Ansible Vault?

Use ansible-vault encrypt filename.yml to encrypt an existing file or ansible-vault create filename.yml to create a new encrypted file.

3. How secure is Ansible Vault?

Ansible Vault employs AES-256 encryption, with security reliant on the strength of the password chosen.

4. Which feature should you use for securely managing sensitive data in Ansible?

Ansible Vault is the built-in option for managing sensitive data, encrypting secrets and integrating seamlessly with Ansible commands.

5. What's the difference between ansible-vault encrypt and encrypt_string?

ansible-vault encrypt encrypts entire files, while encrypt_string encrypts single values inline for easier readability.

6. How do you use a vault password file?

Store the password in a file and use the --vault-password-file flag, or set the ANSIBLE_VAULT_PASSWORD_FILE environment variable.

7. Can Ansible Vault be used in CI/CD pipelines?

Yes, store the vault password as a protected pipeline secret and write it to a temporary file during the run.

For GitLab CI, set VAULT_PASSWORD as a masked variable and delete the temporary file after use.

- name : Run playbook env : VAULT_PASSWORD : $ { { secrets.VAULT_PASSWORD } } run : | echo "$VAULT_PASSWORD" > .vault_pass chmod 600 .vault_pass ansible-playbook site.yml --vault-password-file .vault_pass rm -f .vault_pass

8. What if you lose your Ansible Vault password?

If you lose the password, the encrypted data cannot be recovered, so store vault passwords securely.

In this guide, you learned about Ansible Vault's encryption methods, how to encrypt files and variables, and how to manage passwords securely.

To enhance your Ansible skills, explore additional tutorials related to Ansible and configuration management.

Discover more about our offerings.

  • How to Install and Configure Ansible on Ubuntu
  • Configuration Management 101: Writing Ansible Playbooks
  • How to Use Ansible: A Reference Guide
  • How To Write Ansible Playbooks
  • An Introduction to Configuration Management with Ansible

Learn more about our product offerings.

Author Information

Former Technical Writer with expertise in DevOps and Linux distributions.

With extensive experience in tech publishing, the author specializes in creating clear and concise content for developers.

This textbox defaults to using Markdown to format your answer.

You can use !ref to search our full set of tutorials and documentation.

Is there a recommended key length for the Ansible vault password?

I'm looking for a solution to securely hold my database and API credentials. Will this method help?

Can I use ansible-vault without configuring the entire Ansible platform?

What recommendations do you have for my specific needs?

This comment has been deleted.

Can we add multiple keys and values to the vault file and reference them in variables?

Highlighted Tutorials

  • All tutorials
  • All topic tags

Please provide your information!

  • Table of contents
  • Introduction
  • Prerequisites
  • What is Ansible Vault?
  • Setting the Ansible Vault editor
  • Managing sensitive files with `ansible-vault`
  • Encrypting individual variables with `ansible-vault encrypt_string`
  • Running Ansible with vault-encrypted files
  • Working with multiple vault passwords
  • Using vault-encrypted variables with regular variables
  • Ansible Vault compared with environment variables and external secrets managers
  • Best practices for managing secrets with Ansible Vault
  • FAQs
  • Conclusion
  • Ubuntu
  • Linux Basics
  • JavaScript
  • Python
  • MySQL
  • Docker
  • Kubernetes
  • All tutorials
  • Talk to an expert
  • Featured tutorials SOLID Design Principles Explained: Building Better Software Architecture
  • How To Remove Docker Images, Containers, and Volumes
  • How to Create a MySQL User and Grant Privileges (Step-by-Step)
  • All tutorials
  • All topic tags

Get compensated for writing technical tutorials and choose a charity for matching donations.

Complete DigitalOcean Documentation.

Access comprehensive documentation for all DigitalOcean products.

Resources for startups and AI-native businesses.

The Wave provides insights on building a business, from funding to marketing.

The developer cloud for scaling your applications.

Start building today with tools for intelligent applications.

Explore our product offerings.

From GPU-powered inference and Kubernetes to managed databases and storage, get everything you need to build, scale, and deploy intelligent applications.

  • About
  • Leadership
  • Blog
  • Careers
  • Customers
  • Partners
  • Referral Program
  • Press
  • Legal
  • Privacy Policy
  • Security
  • Investor Relations
  • GPU Droplets
  • Bare Metal GPUs
  • Inference Engine
  • Data & Learning
  • Model Library
  • Droplets
  • Kubernetes
  • Functions
  • App Platform
  • Load Balancers
  • Managed Databases
  • Spaces
  • Block Storage
  • Network File Storage
  • API
  • Uptime
  • Cloud Security Posture Management (CSPM)
  • Identity and Access Management (IAM)
  • Cloudways
  • View all Products
  • Community Tutorials
  • Community Q&A
  • CSS-Tricks
  • Currents Research
  • DigitalOcean Startups
  • Wavemakers Program
  • Compass Council
  • Open Source
  • Marketplace
  • Pricing
  • Pricing Calculator
  • Documentation
  • Release Notes
  • Code of Conduct
  • Shop Swag
  • AI Training GPU
  • GPU Inference
  • VPS Hosting
  • Website Hosting
  • VPN
  • Docker Hosting
  • Node.js Hosting
  • Web Mobile Apps
  • WordPress Hosting
  • Virtual Machines
  • View all Solutions
  • Support
  • Sales
  • Report Abuse
  • System Status
  • Share your ideas
  • About
  • Leadership
  • Blog
  • Careers
  • Customers
  • Partners
  • Referral Program
  • Press
  • Legal
  • Privacy Policy
  • Security
  • Investor Relations
  • GPU Droplets
  • Bare Metal GPUs
  • Inference Engine
  • Data & Learning
  • Model Library
  • Droplets
  • Kubernetes
  • Functions
  • App Platform
  • Load Balancers
  • Managed Databases
  • Spaces
  • Block Storage
  • Network File Storage
  • API
  • Uptime
  • Cloud Security Posture Management (CSPM)
  • Identity and Access Management (IAM)
  • Cloudways
  • View all Products
  • Community Tutorials
  • Community Q&A
  • CSS-Tricks
  • Currents Research
  • DigitalOcean Startups
  • Wavemakers Program
  • Compass Council
  • Open Source
  • Marketplace
  • Pricing
  • Pricing Calculator
  • Documentation
  • Release Notes
  • Code of Conduct
  • Shop Swag
  • AI Training GPU
  • GPU Inference
  • VPS Hosting
  • Website Hosting
  • VPN
  • Docker Hosting
  • Node.js Hosting
  • Web Mobile Apps
  • WordPress Hosting
  • Virtual Machines
  • View all Solutions
  • Support
  • Sales
  • Report Abuse
  • System Status
  • Share your ideas

Want help putting this into practice?

Global Outreach builds ERP, VoIP, and custom software for businesses in Pakistan.

Start a conversation

Related articles

Related article cover image: "Serverless Inference" (DevOps Tutorials)
DevOps Tutorials

Serverless Inference

Related article cover image: "Boost Agent Skills" (DevOps Tutorials)
DevOps Tutorials

Boost Agent Skills

Related article cover image: "AI Maturity" (DevOps Tutorials)
DevOps Tutorials

AI Maturity

← All posts