Encrypting the database credentials
Earlier, while creating database users, we provided the passwords as plain text in group_vars. This is a potential threat, especially when the file is checked into a version control repository. Let's encrypt it. We will use the encrypt subcommand, as we already have a variables file.
Since we are using the group_vars group to provide database credentials, we will encrypt the group_vars/all file as follows:
$ ansible-vault encrypt group_vars/all
Vault password:
Confirm Vault password:
Encryption successful
For encryption, ansible-vault asks the user to enter a password or key. Using this key, the vault encrypts the data and replaces the file with the encrypted content. The following diagram shows the plain text content on the left and the equivalent encrypted content on the right for the group_vars/all file:
This file can now be safely checked into a version control system and shared. However, the following are the caveats users should be aware of...
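A check that can run before a commit, to confirm that every file under group_vars really was replaced by vault-encrypted content. This is an added example, not code from the book or from Ansible; it assumes an encrypted file consists of a header line of the form $ANSIBLE_VAULT;<version>;AES256 followed only by lines of hex, and the function names and sample files are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumed header written at the top of an encrypted file:
# $ANSIBLE_VAULT;<format version>;<cipher>[;<vault id label>]
HEADER_RE = re.compile(r"^\$ANSIBLE_VAULT;1\.[12];AES256(?:;[^;\s]+)?$")
HEX_LINE_RE = re.compile(r"^[0-9a-f]+$")


def vault_status(text):
    """Return 'encrypted', 'malformed' or 'plaintext' for a file's content."""
    lines = text.strip().splitlines()
    if not lines or not lines[0].startswith("$ANSIBLE_VAULT;"):
        return "plaintext"
    if HEADER_RE.match(lines[0]) is None:
        return "malformed"
    body = lines[1:]
    # The payload is hex text only; anything else means plain text was
    # left behind or appended after the file was encrypted.
    if not body or not all(HEX_LINE_RE.match(line) for line in body):
        return "malformed"
    return "encrypted"


def files_to_block(vars_dir):
    """Map each file under vars_dir that is not cleanly encrypted to its status."""
    findings = {}
    for path in sorted(Path(vars_dir).rglob("*")):
        if path.is_file():
            status = vault_status(path.read_text(errors="replace"))
            if status != "encrypted":
                findings[str(path.relative_to(vars_dir))] = status
    return findings


def demo():
    """Run the check over constructed sample files (not real vault output)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "all").write_text("$ANSIBLE_VAULT;1.1;AES256\n3061626364\n6566\n")
        (root / "db").write_text("mysql_root_password: changeme\n")
        (root / "web").write_text("$ANSIBLE_VAULT;1.1;AES256\n3061\napi_key: x\n")
        return files_to_block(root)


if __name__ == "__main__":
    # A non-empty result means the commit should be stopped.
    print(demo())
```

The check only inspects the file's shape; it does not confirm that the content decrypts with a given vault password.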