Hi everyone,
I read about encrypted variables in the Ansible documentation that the best practice to manage encrypted variables (only variables, not the whole yml file) is to use a var file and a vault file in group_vars.
Does it make sense to do the same also for hosts?
For example host_vars/hostname with inside:
var file (unencrypted content)
vault file (encrypted content)
Is it a common practice?
Thanks
It does make sense to store secrets in an encrypted vars file.
One downside of this approach is that the var names in that file also
go under the radar.
So hard to find in git commits etc. because the entire file is encrypted.
If you just have one or two secrets then I'd use inline encrypted vars:
https://docs.ansible.com/ansible/latest/user_guide/vault.html#use-encrypt-string-to-create-encrypted-variables-to-embed-in-yaml
I find this especially useful for structured vars like dicts or lists
that only contain one or two secrets.
Dick
Thanks Dick, I just tried to encrypt strings and it works fine.
It was for username and pw. If I had more variables I would’ve encrypted the whole variables file.
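
The per-host layout from the question next to the inline form from the reply, as an added example that is not part of the thread. The host name, variable names and values are assumptions, the ciphertext is a placeholder, and the `vault_` prefix is a naming convention assumed here so that the plaintext file shows which secrets exist.

```yaml
# Constructed example: host name, variable names and values are hypothetical.
#
# host_vars/
#   web01.example.com/
#     vars.yml    <- plaintext, reviewable in git diffs
#     vault.yml   <- encrypted as a whole with: ansible-vault encrypt vault.yml

# --- host_vars/web01.example.com/vars.yml ---
# Each secret is referenced by name here, so the variable names stay
# visible to grep and to git history even though the values do not.
app_username: "{{ vault_app_username }}"
app_password: "{{ vault_app_password }}"
app_port: 8443

# --- host_vars/web01.example.com/vault.yml (content BEFORE encryption) ---
# Once encrypted, the whole file is one $ANSIBLE_VAULT blob; neither the
# names nor the values below are readable in a commit.
vault_app_username: "svc_app"
vault_app_password: "REPLACE_WITH_REAL_SECRET"

# --- Alternative: a single plaintext file with an inline-encrypted value ---
# Fits a structured variable that carries only one secret field.
# The value is produced with: ansible-vault encrypt_string
app_db:
  host: db01.example.com
  user: svc_app
  password: !vault |
    $ANSIBLE_VAULT;1.1;AES256
    <ciphertext lines emitted by ansible-vault go here>
```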