spin vault
Encrypt & decrypt files with "Ansible Vault". Accepts any command that ansible-vault accepts.
Usage
Usage for "spin vault"
spin vault <ansible-vault-action>
Actions
The spin vault command will intelligently pass any arguments to your local ansible-vault binary or to Docker if Ansible is not installed locally. It will also accept any commands that are documented with ansible-vault.
Most popular actions
edit: Edit an encrypted file
encrypt: Encrypt an unencrypted file
decrypt: Decrypt an encrypted file
Official Documentation & Additional Options
More actions and syntax reference can be found in the official documentation.
Examples
Encrypt a file
spin vault encrypt myfile.txt
Edit an encrypted file
spin vault edit myfile.txt
Special notes
This command will automatically run ansible-vault via Docker if you do not have Ansible installed on your system. The only major downside to this approach is that you will need to edit your secret files through vi, which can be pretty annoying.
If you'd like a better experience, you may want to consider installing and configuring Ansible on your local machine so you can edit your secrets with your favorite editor.
Editing secrets with Sublime Text
It's possible to edit your secrets with Sublime Text, but it requires a bit of setup. You'll need to install Ansible on your system.
Once Ansible is installed and you're able to execute ansible-vault locally, you'll then need to set Sublime Text as your editor.
Set Sublime Text as your editor
export EDITOR="subl -w"
Add this to your ~/.bashrc or ~/.zshrc file to make it permanent.
Saving the file
When you save the file, Ansible Vault will automatically re-encrypt the file for you. You don't need to do anything else.
Automating Vault Access
If you're constantly being asked to provide a vault password, you can speed up your workflow by securely saving your password to a .vault-password file in your project root.
If that file exists, Ansible will automatically load the password from that file.
Never commit .vault-password to your repository. It should be added to your .gitignore file.
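One way to enforce the two rules above, as an added example that is not part of the spin documentation: a bash function (the name harden_vault_password is hypothetical) that adds .vault-password to .gitignore and fails if git already tracks the file. The owner-only chmod 600 step is an assumption that goes beyond what this page states.

```bash
#!/usr/bin/env bash
# Added example, not part of spin. Source this file, then run:
#   harden_vault_password /path/to/project
# Return codes: 0 = ok, 1 = chmod failed, 2 = file missing, 3 = tracked by git.

harden_vault_password() {
  local root="${1:-.}"
  local file=".vault-password"
  local path="$root/$file"
  local gi="$root/.gitignore"

  if [ ! -f "$path" ]; then
    echo "missing $path" >&2
    return 2
  fi

  # Assumption: only the owner should be able to read the vault password.
  chmod 600 "$path" || return 1

  # Append the ignore rule only if that exact line is absent.
  touch "$gi"
  if ! grep -qxF "$file" "$gi"; then
    # Avoid gluing the rule onto a last line that lacks a trailing newline.
    if [ -s "$gi" ] && [ -n "$(tail -c1 "$gi")" ]; then
      echo >> "$gi"
    fi
    printf '%s\n' "$file" >> "$gi"
  fi

  # .gitignore does not untrack a file that was added earlier, so check the index.
  if git -C "$root" rev-parse --is-inside-work-tree >/dev/null 2>&1; then
    if git -C "$root" ls-files --error-unmatch -- "$file" >/dev/null 2>&1; then
      echo "$file is tracked by git: untrack it and rotate the vault password" >&2
      return 3
    fi
  fi
  return 0
}
```

A return code of 3 means the password may already be in the repository history, so changing the vault password matters more than the ignore rule.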