RHCE 9.0 Practice Exam: Creating an Ansible Vault for Password Storage

📌 Introduction

In this RHCE 9.0 Ansible exam practice guide, we will securely store sensitive information, such as user passwords, using Ansible Vault. Ansible Vault allows us to encrypt and protect sensitive data, ensuring passwords are not exposed in plaintext within playbooks or configuration files.

This guide includes:

• Step-by-step instructions to create an encrypted vault
• How to automatically use a vault password file
• How to encrypt and decrypt password variables
• How to verify encryption and troubleshoot common issues

💡 What You Will Learn

✅ How to create an Ansible Vault for password storage
✅ How to use ansible-vault create to store sensitive information securely
✅ How to configure ansible.cfg to auto-load the vault password
✅ How to verify encrypted files and decrypt them when needed

📜 1. Task Requirements

📍 1.1. Problem Statement

1. Create an Ansible Vault named /home/greg/ansible/locker.yml.
2. Store two password variables inside the vault:
   • pw_developer: Imadev
   • pw_manager: Imamgr
3. Use the vault password: whenyouwishuponastar
4. Store the vault password inside a file at /home/greg/ansible/secret.txt
5. Configure ansible.cfg to use the vault password file automatically.
6. Verify encryption and decryption using ansible-vault.

📜 2. Writing the Ansible Vault Playbook

📍 2.1. Configure Ansible to Use a Vault Password File

$ vim /home/greg/ansible/ansible.cfg

📄 Add the Following Content

[defaults]
vault_password_file = /home/greg/ansible/secret.txt

📌 Explanation:

• vault_password_file = /home/greg/ansible/secret.txt → This tells Ansible to automatically use the vault password stored in secret.txt.

📍 2.2. Store the Vault Password in a File

$ echo whenyouwishuponastar > /home/greg/ansible/secret.txt
$ chmod 600 /home/greg/ansible/secret.txt

📌 Explanation:

• The vault password is saved to secret.txt.
• chmod 600 restricts access to the file so only the owner can read and write.

📍 2.3. Create an Encrypted Vault File

$ ansible-vault create /home/greg/ansible/locker.yml

📌 This command will prompt for a password (we use whenyouwishuponastar).

📌 Once inside the editor, add the following content:

---
pw_developer: Imadev
pw_manager: Imamgr

📌 Explanation:

• Creates a new encrypted file (locker.yml).
• Stores user passwords securely.

📍 2.4. Verify That the File Is Encrypted

$ cat /home/greg/ansible/locker.yml

📌 Expected Output (Encrypted Content)

$ANSIBLE_VAULT;1.1;AES256
3863666662376132653636383666306664633665636166366465323533396130663431393932663
3038366162383733643633383935663431376163646639350a39343666356636663130306465393
6337303063633334336262313065363336363033646164626236323964333535346665353464313
...

✅ This confirms that the file is successfully encrypted.

📜 3. Viewing and Editing the Encrypted Vault

📍 3.1. View the Vault Contents

$ ansible-vault view /home/greg/ansible/locker.yml

📌 Expected Output

---
pw_developer: Imadev
pw_manager: Imamgr

✅ This confirms that the vault decryption is working.

📍 3.2. Edit the Vault File

$ ansible-vault edit /home/greg/ansible/locker.yml

📌 This allows you to modify the contents of the encrypted vault.

📍 3.3. Encrypt an Existing File

$ ansible-vault encrypt /home/greg/ansible/locker.yml

📌 This encrypts an already existing plaintext file.

📍 3.4. Decrypt an Encrypted File

$ ansible-vault decrypt /home/greg/ansible/locker.yml

📌 This permanently removes encryption from the file.

📜 4. Verifying Encryption in Playbooks

To ensure that Ansible can use encrypted variables within playbooks, follow these steps:

📍 4.1. Create a Test Playbook

$ vim /home/greg/ansible/test_vault.yml

📄 Add the Following Content

---
- name: Test Ansible Vault Variables
  hosts: localhost
  tasks:
    - name: Show Encrypted Passwords
      debug:
        msg: 
          - "Developer Password: {{ pw_developer }}"
          - "Manager Password: {{ pw_manager }}"

📌 Explanation:

• This playbook retrieves passwords from the vault and displays them.

📍 4.2. Run the Playbook

$ ansible-playbook /home/greg/ansible/test_vault.yml

📌 Expected Output

TASK [Show Encrypted Passwords] ********************************************
ok: [localhost] => {
    "msg": [
        "Developer Password: Imadev",
        "Manager Password: Imamgr"
    ]
}

✅ This confirms that the encrypted variables are correctly retrieved and used.

📜 5. Common Issues & Troubleshooting

🔴 Issue 1: ERROR! Decryption failed

✅ Solution:

• Ensure the correct vault password is used.

Manually specify the password file if needed:

$ ansible-vault view /home/greg/ansible/locker.yml --vault-password-file=/home/greg/ansible/secret.txt

Verify that the password in secret.txt matches the vault password:

$ cat /home/greg/ansible/secret.txt

🔴 Issue 2: Ansible Playbook Cannot Access Encrypted Variables

✅ Solution:

Run the playbook with --ask-vault-pass if needed:

$ ansible-playbook /home/greg/ansible/test_vault.yml --ask-vault-pass

Ensure ansible.cfg includes the correct vault password file:

[defaults]
vault_password_file = /home/greg/ansible/secret.txt

🔴 Issue 3: File Not Encrypted

✅ Solution:

Check if the file is already encrypted:

$ cat /home/greg/ansible/locker.yml

If the file is in plaintext, encrypt it manually:

$ ansible-vault encrypt /home/greg/ansible/locker.yml

📜 6. Summary

• Created a secure Ansible Vault file (locker.yml) to store passwords.
• Configured ansible.cfg to automatically load the vault password.
• Verified encryption and decryption using ansible-vault view.
• Used the encrypted passwords in an Ansible playbook.
• Troubleshot common encryption and decryption errors.

🚀 Congratulations! You have successfully implemented Ansible Vault to securely store passwords for RHCE 9.0! 🚀
📢 If you found this guide helpful, share it with your RHCE 9.0 study group! 📢

🔥 Good luck on your RHCE 9.0 exam! 🔥