Use Ansible Vault to Protect Sensitive Playbook Data
Ansible Vault encrypts sensitive playbook data with AES-256 in CTR mode, using a key derived from the vault password with PBKDF2. The guide covers creating and encrypting files with ansible-vault create and ansible-vault encrypt, encrypting individual values inline with ansible-vault encrypt_string, and supplying vault passwords interactively, from password files, or from environment variables. It explains vault IDs for managing multiple passwords across environments (dev/staging/prod), demonstrates the best-practice pattern of splitting sensitive and non-sensitive variables into separate files linked by Jinja2 references, and compares Ansible Vault with plain environment variables and external secrets managers. Security best practices include setting no_log: true to keep secrets out of runtime output, applying chmod 600 to password files, excluding those files via .gitignore, and CI/CD integration patterns for GitHub Actions and GitLab CI.
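As an added illustration (not code from the guide), here is the split-variable pattern the summary describes, laid out as the files it would involve; the host, user and variable names and the prod vault ID label are assumptions, and the vault ciphertext is a placeholder, not real ansible-vault output:

```yaml
# Added example, not from the guide. File boundaries are marked in comments.

# --- group_vars/prod/vars.yml (plain text, readable in code review) ---
# Non-sensitive settings refer to vaulted values by name, so diffs and
# grep stay meaningful while the secret itself never appears here.
db_host: db.prod.internal          # assumed value
db_user: app                       # assumed value
db_password: "{{ vault_db_password }}"

# --- group_vars/prod/vault.yml (encrypt the whole file once with:
#       ansible-vault encrypt --vault-id prod@prompt group_vars/prod/vault.yml
#     or, non-interactively, with a password file kept at mode 0600 and
#     listed in .gitignore:
#       ansible-vault encrypt --vault-id prod@.vault_pass_prod group_vars/prod/vault.yml)
vault_db_password: "PLACEHOLDER-replace-before-encrypting"

# --- A single inline value as produced by
#       ansible-vault encrypt_string --vault-id prod@prompt --name vault_api_token
#     The 1.2 header carries the vault ID label; the body is a PLACEHOLDER.
vault_api_token: !vault |
  $ANSIBLE_VAULT;1.2;AES256;prod
  PLACEHOLDER_HEX_CIPHERTEXT

# --- site.yml (run with: ansible-playbook --vault-id prod@prompt site.yml) ---
- hosts: prod
  tasks:
    - name: Render application config containing the database password
      ansible.builtin.template:
        src: app.conf.j2
        dest: /etc/app/app.conf
        mode: "0600"
      no_log: true   # keeps the rendered secret out of logs and -v output
```

Vault IDs let a dev or staging run supply a different password for the same variable names simply by changing the label on --vault-id.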