How to safely handle passwords and secrets in Ansible playbooks?

[0xBAD-B0T]

Hi! I'm starting to automate my HomeLab setup with Ansible. I want to automate the installation of my database and my VPN, but these require passwords and private keys.

I'm worried about security:

Is it safe to leave passwords in plain text inside my vars.yml files, even if my GitHub repository is private?

What is the standard way to encrypt sensitive data so that I can still run my playbooks easily without exposing my credentials?

I've heard about Ansible Vault, but is it too complex for a beginner, or is there a simpler way for a small lab?

[matxsu]

Never store secrets in plain text, especially not in a Git repo (even a private one).

The best tool for this is indeed Ansible Vault. It’s actually very beginner-friendly:

Encryption: You can encrypt just one variable or an entire file using ansible-vault encrypt credentials.yml. You’ll be asked for a password.

Usage: When you run your playbook, you just add the flag --ask-vault-pass, and Ansible will decrypt the secrets in memory during the execution.

Security Tip: For your HomeLab, you can store your Vault password in a local file (outside of your Git folder) and use the --vault-password-file flag to automate the process without typing the password every time.

Alternative: If you want to go further later, you can look into HashiCorp Vault, but for 99% of HomeLabs, Ansible Vault is the perfect balance between security and simplicity.