PowerShell module that allows you to encrypt and decrypt Ansible Vault files natively in Windows.
This PowerShell module contains 2 PowerShell cmdlets that are used to encrypt and decrypt Ansible Vault files without having Ansible installed. The two cmdlets that are added are:
- Get-DecryptedAnsibleVault
- Get-EncryptedAnsibleVault
I've also written a blog post around this at Decrypting the secrets of Ansible Vault in PowerShell.
Decrypt an Ansible Vault string and return the plaintext.
# By Value/String
Get-DecryptedAnsibleVault
-Value <String>
-Password <SecureString>
[[-Encoding] <System.Text.Encoding>]
# From path
Get-DecryptedAnsibleVault
-Path <String>
-Password <SecureString>
[[-Encoding] <System.Text.Encoding>]
# With pipeline input
"`$ANSIBLE_VAULT;1.1;AES256;`n00010203040506070809" | Get-DecryptedAnsibleVault
-Password <SecureString>
[[-Encoding] <System.Text.Encoding>]
- Value: The Ansible Vault text as a string to decrypt, this is mutually exclusive to the Path parameter
- Path: The path to a vault file whose contents will be decrypted, this is mutually exclusive to the Value parameter
- Password: The password to use when decrypting the contents
- Encoding: <System.Text.Encoding> The string encoding of the decrypted bytes. By default this will be UTF8, but if the original plaintext was encrypted with a different encoding type, this can override the output to what is needed

- <String>: A string can be passed as a pipeline input as the Value parameter

- <String>: The decrypted vault contents as a string
Create an encrypted string that is compatible with Ansible Vault.
# By Value/String
Get-EncryptedAnsibleVault
-Value <String>
-Password <SecureString>
[[-Id] <String>]
# From Path
Get-EncryptedAnsibleVault
-Path <String>
-Password <SecureString>
[[-Id] <String>]
# With pipeline input
"plaintext" | Get-EncryptedAnsibleVault
-Password <SecureString>
[[-Id] <String>]
- Value: The string to encrypt, this is mutually exclusive to the Path parameter
- Path: The path to a file whose contents will be encrypted, this is mutually exclusive to the Value parameter
- Password: The password to use when encrypting the contents
- Id: If specified, the vault will be encrypted and this ID will be set in the header

- <String>: A string can be passed as a pipeline input as the Value parameter

- <String>: The encrypted vault contents as a string
These cmdlets have the following requirements
- PowerShell v3.0 or newer
- Windows PowerShell (not PowerShell Core)
- Windows Server 2008 R2/Windows 7 or newer
The easiest way to install this module is through PowerShellGet. This is installed by default with PowerShell 5 but can be added on PowerShell 3 or 4 by installing the MSI here.
Once installed, you can install this module by running:
# Install for all users
Install-Module -Name AnsibleVault
# Install for only the current user
Install-Module -Name AnsibleVault -Scope CurrentUser
If you wish to remove the module, just run Uninstall-Module -Name AnsibleVault.
If you cannot use PowerShellGet, you can still install the module manually. Here are some basic steps on how to do this:
- Download the latest zip from GitHub here
- Extract the zip
- Copy the folder AnsibleVault inside the zip to a path that is set in $env:PSModulePath. By default this could be C:\Program Files\WindowsPowerShell\Modules or C:\Users\<user>\Documents\WindowsPowerShell\Modules
- Reopen PowerShell and unblock the downloaded files with
  $path = (Get-Module -Name AnsibleVault -ListAvailable).ModuleBase; Unblock-File -Path $path\*.psd1; Unblock-File -Path $path\Public\*.ps1; Unblock-File -Path $path\Private\*.ps1
- Reopen PowerShell one more time and you can start using the cmdlets
Note: You are not limited to installing the module to those example paths, you can add a new entry to the environment variable PSModulePath if you want to use another path.
Here are some examples that imitate the existing ansible-vault commands:
# store the password as a secure string
$password = Read-Host -Prompt "Enter the vault password" -AsSecureString
# ansible-vault encrypt
Get-EncryptedAnsibleVault -Path vault.yml -Password $password | Set-Content -Path vault.yml
# ansible-vault encrypt_string --stdin-name 'vault_variable'
$vault_text = Read-Host -Prompt "Enter string to encrypt" | Get-EncryptedAnsibleVault -Password $password
Write-Output -InputObject "vault_variable: !vault |`n $($vault_text.Replace("`n", "`n "))"
# ansible-vault decrypt
Get-DecryptedAnsibleVault -Path vault.yml -Password $password | Set-Content -Path vault.yml
# ansible-vault view
Get-DecryptedAnsibleVault -Path vault.yml -Password $password
# ansible-vault rekey
$old_pass = Read-Host -Prompt "Enter the original vault password" -AsSecureString
$new_pass = Read-Host -Prompt "Enter the new vault password" -AsSecureString
Get-DecryptedAnsibleVault -Path vault.yml -Password $old_pass | Get-EncryptedAnsibleVault -Password $new_pass | Set-Content -Path vault.yml
# ansible-vault encrypt --vault-id dev@prompt
Get-EncryptedAnsibleVault -Value "some secret" -Id dev -Password (Read-Host -Prompt "Enter the password" -AsSecureString)
You are not limited to the above, you can store the outputs in variables and call these cmdlets in whatever way.
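The rekey pipeline above writes straight back to vault.yml. The following is an added example, not part of the module or the original README, that performs the same rekey but verifies the new ciphertext decrypts correctly before the original file is replaced. `Update-VaultPassword`, the `.rekey.tmp` suffix and the demo passwords and path are hypothetical names chosen for illustration; it assumes the AnsibleVault module is installed and that its cmdlets accept the common `-ErrorAction` parameter.

```powershell
# Added example: rekey a vault file and verify the result before replacing the original.
# Update-VaultPassword is a hypothetical helper, not a cmdlet shipped by AnsibleVault.
Import-Module -Name AnsibleVault

function Update-VaultPassword {
    param(
        [Parameter(Mandatory = $true)][String]$Path,
        [Parameter(Mandatory = $true)][SecureString]$OldPassword,
        [Parameter(Mandatory = $true)][SecureString]$NewPassword,
        [String]$Id
    )
    $fullPath = (Resolve-Path -LiteralPath $Path).ProviderPath

    # Decrypt into memory only; the plaintext is never written to disk.
    $plaintext = Get-DecryptedAnsibleVault -Path $fullPath -Password $OldPassword -ErrorAction Stop

    # Re-encrypt with the new password, setting the vault ID only when one was given.
    $encryptParams = @{ Value = $plaintext; Password = $NewPassword; ErrorAction = 'Stop' }
    if ($Id) { $encryptParams.Id = $Id }
    $newVault = Get-EncryptedAnsibleVault @encryptParams

    # Round-trip check: the new vault must decrypt to exactly the same text.
    $check = Get-DecryptedAnsibleVault -Value $newVault -Password $NewPassword -ErrorAction Stop
    if ($check -cne $plaintext) {
        throw "Round-trip verification failed; $fullPath was left unchanged."
    }

    # Write the new vault beside the original, then swap it into place.
    $tempPath = "$fullPath.rekey.tmp"
    [System.IO.File]::WriteAllText($tempPath, $newVault)
    Move-Item -LiteralPath $tempPath -Destination $fullPath -Force
}

# Constructed demo values; in real use take the passwords from Read-Host -AsSecureString.
$old = ConvertTo-SecureString -String 'old-demo-password' -AsPlainText -Force
$new = ConvertTo-SecureString -String 'new-demo-password' -AsPlainText -Force
$demo = Join-Path -Path $env:TEMP -ChildPath 'vault-demo.yml'
Get-EncryptedAnsibleVault -Value 'db_password: example' -Password $old | Set-Content -Path $demo
Update-VaultPassword -Path $demo -OldPassword $old -NewPassword $new -Id dev
Get-DecryptedAnsibleVault -Path $demo -Password $new
```

If the old password is wrong or the round-trip comparison fails, the function throws before anything is written, so the existing vault file stays intact.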
Contributing is quite easy, fork this repo and submit a pull request with the changes. To test out your changes locally you can just run .\build.ps1 in PowerShell. This script will ensure all dependencies are installed before running the test suite.
Note: this requires PowerShellGet or WMF 5 to be installed
- See if it is possible to integrate with vim or some other cli editor if it is installed (ansible-vault create/edit)
- Look at using Rfc2898DeriveBytes if it is available on the host to add support for PowerShell Core