RHCE 9.0 Practice Exam: Updating Ansible Vault Encryption Key


📌 Introduction

In this RHCE 9.0 Ansible exam practice guide, we will update the encryption key of an existing Ansible Vault. Rekeying an Ansible Vault allows us to rotate encryption keys securely while maintaining data confidentiality.

This guide includes:

  • How to download and encrypt an Ansible Vault file
  • How to update an existing Ansible Vault password
  • How to verify the rekeyed vault
  • How to troubleshoot common vault password issues

💡 What You Will Learn

✅ How to download an encrypted Ansible Vault file
✅ How to rekey an existing Ansible Vault using ansible-vault rekey
✅ How to verify that the new password works correctly
✅ How to troubleshoot Ansible Vault encryption issues


📜 1. Task Requirements

1.1. Problem Statement

  1. Download an Ansible Vault file (salaries.yml) from http://classroom/materials/salaries.yml and save it in /home/greg/ansible/.
  2. The current vault password is insecure8sure.
  3. The new vault password should be updated to bbs2you9527.
  4. The Vault must remain encrypted after the password change.
  5. Verify that the new password works by attempting to decrypt the file.

📜 2. Download the Encrypted Vault File

$ wget http://classroom/materials/salaries.yml -O /home/greg/ansible/salaries.yml

📌 Explanation:

  • Downloads the existing Ansible Vault file from the classroom materials.
  • Saves it as salaries.yml in the Ansible working directory.

📜 3. Updating the Vault Password (Rekeying)

3.1. Rekey the Vault Using ansible-vault rekey

$ ansible-vault rekey --ask-vault-pass /home/greg/ansible/salaries.yml

📌 Expected Prompt & Input:

Vault password: insecure8sure
New Vault password: bbs2you9527
Confirm New Vault password: bbs2you9527
Rekey successful

📌 Explanation:

  • --ask-vault-pass → Prompts for the current vault password.
  • User enters the existing password (insecure8sure).
  • User enters the new password (bbs2you9527) twice to confirm.
  • The Vault remains encrypted, but now uses the new password.

📜 4. Verifying the New Vault Password

4.1. Attempt to View the File with the New Password

$ ansible-vault view --ask-vault-pass /home/greg/ansible/salaries.yml

📌 Expected Prompt & Input:

Vault password: bbs2you9527

📌 Expected Output:

haha

✅ The vault was successfully decrypted using the new password.


📜 5. Automating Vault Password Usage

To avoid manually entering the vault password, store it in a password file.

5.1. Save the New Vault Password in a File

$ echo bbs2you9527 > /home/greg/ansible/new_secret.txt
$ chmod 600 /home/greg/ansible/new_secret.txt

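📌 Explanation:

  • The vault password is saved to new_secret.txt.
  • chmod 600 restricts access to the file so only the owner can read and write.
  • The file is created with the shell's default umask before chmod runs, and the echo command can leave the password in shell history. Both are fine in the exam lab but matter on a shared system.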

5.2. Configure ansible.cfg to Use the Password File

$ vim /home/greg/ansible/ansible.cfg

📌 Add the following content:

[defaults]
vault_password_file = /home/greg/ansible/new_secret.txt

📌 Now, Ansible Vault commands run from /home/greg/ansible (where this ansible.cfg is picked up) will automatically use the stored password.


📜 6. Running Ansible Vault Commands with the New Password

6.1. Verify Vault Decryption Without Password Prompt

$ ansible-vault view /home/greg/ansible/salaries.yml

📌 Expected Output (without entering a password manually):

haha

✅ Vault decryption now works automatically using the password file.
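
The view commands above prove that the new password decrypts the file, but not that the file on disk is still encrypted (requirement 4) or that the password file is private. The script below is an added example, not part of the original guide: it checks the vault header, the password file mode, and that the ciphertext changed compared with a copy taken before the rekey. The function names and the backup copy are assumptions.

```shell
#!/bin/sh
# Added example (not from the original guide): file-level checks after a rekey.
# Function names are hypothetical; paths in the usage line follow the guide.

# True if the first line is an Ansible Vault envelope header.
# Format 1.1 has three fields; 1.2 adds a fourth (the vault ID label).
is_vault_encrypted() {
    [ -r "$1" ] || return 1
    _first=
    IFS= read -r _first < "$1" || :
    case $_first in
        '$ANSIBLE_VAULT;1.1;AES256') return 0 ;;
        '$ANSIBLE_VAULT;1.2;AES256;'?*) return 0 ;;
    esac
    return 1
}

# True if the password file is a regular file (not a symlink) with
# mode 600 or 400, i.e. no group or other access.
pwfile_is_private() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    case $(ls -ld -- "$1" | cut -c1-10) in
        -rw-------|-r--------) return 0 ;;
    esac
    return 1
}

# True if the rekeyed file differs from a copy taken before the rekey.
# A rekey re-encrypts the payload, so identical bytes mean nothing changed.
ciphertext_changed() {
    [ -f "$1" ] && [ -f "$2" ] && ! cmp -s "$1" "$2"
}

# Run all three checks; returns 0 only if every one passes.
check_rekey() {   # usage: check_rekey VAULT PWFILE PRE_REKEY_COPY
    _rc=0
    is_vault_encrypted "$1" || { echo "FAIL: $1 is not vault-encrypted"; _rc=1; }
    pwfile_is_private "$2"  || { echo "FAIL: $2 is not mode 600/400"; _rc=1; }
    ciphertext_changed "$3" "$1" || { echo "FAIL: $1 unchanged since copy"; _rc=1; }
    return $_rc
}

# Example: cp salaries.yml salaries.yml.bak   (before the rekey), then
#   sh check_rekey.sh salaries.yml new_secret.txt salaries.yml.bak
if [ "$#" -eq 3 ]; then check_rekey "$@"; fi
```

Delete the pre-rekey copy once the check passes, since it is still encrypted under the old password.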


📜 7. Common Issues & Troubleshooting

🔴 Issue 1: ERROR! Decryption failed

✅ Solution:

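If the file is corrupted, try re-encrypting it (ansible-vault encrypt only accepts plaintext input and refuses a file that is already vault-encrypted, so this applies only when the file has been left decrypted):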

$ ansible-vault encrypt /home/greg/ansible/salaries.yml

Manually specify the password file:

$ ansible-vault view /home/greg/ansible/salaries.yml --vault-password-file=/home/greg/ansible/new_secret.txt

Verify that you are using the correct password:

$ cat /home/greg/ansible/new_secret.txt

🔴 Issue 2: Ansible Vault Password File Not Working

✅ Solution:

Ensure the password file has the correct permissions:

$ chmod 600 /home/greg/ansible/new_secret.txt

Ensure that ansible.cfg includes the correct vault password file:

[defaults]
vault_password_file = /home/greg/ansible/new_secret.txt

🔴 Issue 3: Rekey Operation Fails

✅ Solution:

  • Ensure you are entering the correct current password.

Ensure the vault file exists:

$ ls -l /home/greg/ansible/salaries.yml

📜 8. Summary

  • Downloaded an existing Ansible Vault file (salaries.yml).
  • Used ansible-vault rekey to update the Vault password from insecure8sure to bbs2you9527.
  • Verified that the new password worked by decrypting the file.
  • Automated the Vault password handling using a password file (new_secret.txt).
  • Troubleshot common encryption and decryption errors.

🚀 Congratulations! You have successfully updated the encryption key for an Ansible Vault in RHCE 9.0! 🚀
📢 If you found this guide helpful, share it with your RHCE 9.0 study group! 📢

🔥 Good luck on your RHCE 9.0 exam! 🔥
