Ansible Vault takes care of passwords that are checked in and helps you to handle them while running Ansible playbooks or commands. However, when Ansible plays are run, at times, you might need your users to enter passwords. You also want to make sure that these passwords don't appear in the comprehensive Ansible logs (the default /var/log/ansible.log location) or on stdout.
Ansible uses Passlib, which is a password-hashing library for Python, to handle encryption for prompted passwords. You can use any of the following algorithms supported by Passlib:
- des_crypt: DES crypt
- bsdi_crypt: BSDi crypt
- bigcrypt: BigCrypt
- crypt16: Crypt16
- md5_crypt: MD5 crypt
- bcrypt: BCrypt
- sha1_crypt: SHA-1 crypt
- sun_md5_crypt: Sun MD5 crypt
- sha256_crypt: SHA-256 crypt
- sha512_crypt: SHA-512 crypt
- apr_md5_crypt: Apache's MD5-crypt variant
- phpass: PHPass portable hash...
