Update ansible-vault manpage to describe new encrypt/decrypt behaviour
amenonsen committed Aug 27, 2015
1 parent 090cfc9 commit 4afe1cf
Showing 2 changed files with 49 additions and 9 deletions.
28 changes: 22 additions & 6 deletions docs/man/man1/ansible-vault.1
@@ -1,13 +1,13 @@
'\" t
.\" Title: ansible-vault
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 07/28/2015
.\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
.\" Date: 08/27/2015
.\" Manual: System administration commands
.\" Source: Ansible 2.0.0
.\" Language: English
.\"
.TH "ANSIBLE\-VAULT" "1" "07/28/2015" "Ansible 2\&.0\&.0" "System administration commands"
.TH "ANSIBLE\-VAULT" "1" "08/27/2015" "Ansible 2\&.0\&.0" "System administration commands"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
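Review bot: The Generator comment in this regenerated header moves from DocBook XSL Stylesheets v1.78.1 to v1.76.1, so the man page was rebuilt with an older stylesheet release than the one used for the previous revision. Regenerate with the same (or a newer) stylesheet version, or confirm the downgrade is intended, so that churn in this generated file reflects only the asciidoc change and not differences between toolchains.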
Expand Down Expand Up @@ -80,19 +80,35 @@ The \fBedit\fR sub\-command is used to modify a file which was previously encryp
This command will decrypt the file to a temporary file and allow you to edit the file, saving it back when done and removing the temporary file\&.
.SH "REKEY"
.sp
*$ ansible\-vault rekey [options] FILE_1 [FILE_2, \&..., FILE_N]
\fB$ ansible\-vault rekey [options] FILE_1 [FILE_2, \&..., FILE_N]\fR
.sp
The \fBrekey\fR command is used to change the password on a vault\-encrypted files\&. This command can update multiple files at once, and will prompt for both the old and new passwords before modifying any data\&.
.SH "ENCRYPT"
.sp
*$ ansible\-vault encrypt [options] FILE_1 [FILE_2, \&..., FILE_N]
\fB$ ansible\-vault encrypt [options] FILE_1 [FILE_2, \&..., FILE_N]\fR
.sp
The \fBencrypt\fR sub\-command is used to encrypt pre\-existing data files\&. As with the \fBrekey\fR command, you can specify multiple files in one command\&.
.sp
Starting with version 2\&.0, the \fBencrypt\fR command accepts an \fB\-\-output FILENAME\fR option to determine where encrypted output is stored\&. With this option, input is read from the (at most one) filename given on the command line; if no input file is given, input is read from stdin\&. Either the input or the output file may be given as \fI\-\fR for stdin and stdout respectively\&. If neither input nor output file is given, the command acts as a filter, reading plaintext from stdin and writing it to stdout\&.
.sp
Thus any of the following invocations can be used:
.sp
\fB$ ansible\-vault encrypt\fR
.sp
\fB$ ansible\-vault encrypt \-\-output OUTFILE\fR
.sp
\fB$ ansible\-vault encrypt INFILE \-\-output OUTFILE\fR
.sp
\fB$ echo secret|ansible\-vault encrypt \-\-output OUTFILE\fR
.sp
Reading from stdin and writing only encrypted output is a good way to prevent sensitive data from ever hitting disk (either interactively or from a script)\&.
.SH "DECRYPT"
.sp
*$ ansible\-vault decrypt [options] FILE_1 [FILE_2, \&..., FILE_N]
\fB$ ansible\-vault decrypt [options] FILE_1 [FILE_2, \&..., FILE_N]\fR
.sp
The \fBdecrypt\fR sub\-command is used to remove all encryption from data files\&. The files will be stored as plain\-text YAML once again, so be sure that you do not run this command on data files with active passwords or other sensitive data\&. In most cases, users will want to use the \fBedit\fR sub\-command to modify the files securely\&.
.sp
As with \fBencrypt\fR, the \fBdecrypt\fR subcommand also accepts the \fB\-\-output FILENAME\fR option to specify where plaintext output is stored, and stdin/stdout is handled as described above\&.
.SH "AUTHOR"
.sp
Ansible was originally written by Michael DeHaan\&. See the AUTHORS file for a complete list of contributors\&.
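Review bot: The example "$ echo secret|ansible-vault encrypt --output OUTFILE" sits directly above the sentence saying this keeps sensitive data from ever hitting disk "either interactively or from a script", but typed interactively the literal secret is part of the command line and is normally saved to the shell history file. For the interactive case, point readers at the form already listed, "$ ansible-vault encrypt --output OUTFILE", where the plaintext is typed on stdin, and keep the pipe form for scripts that get the secret from another command's output. The wording change belongs in ansible-vault.1.asciidoc.in, with this file regenerated from it.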
30 changes: 27 additions & 3 deletions docs/man/man1/ansible-vault.1.asciidoc.in
Expand Up @@ -84,7 +84,7 @@ file, saving it back when done and removing the temporary file.
REKEY
-----

*$ ansible-vault rekey [options] FILE_1 [FILE_2, ..., FILE_N]
*$ ansible-vault rekey [options] FILE_1 [FILE_2, ..., FILE_N]*

The *rekey* command is used to change the password on a vault-encrypted files.
This command can update multiple files at once, and will prompt for both the
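Review bot: Style point on the context line right under the corrected synopsis: "change the password on a vault-encrypted files" mixes singular and plural. Since this hunk already touches the REKEY section, change it to "on vault-encrypted files" here so the regenerated ansible-vault.1 picks up the fix as well.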
Expand All @@ -93,21 +93,45 @@ old and new passwords before modifying any data.
ENCRYPT
-------

*$ ansible-vault encrypt [options] FILE_1 [FILE_2, ..., FILE_N]
*$ ansible-vault encrypt [options] FILE_1 [FILE_2, ..., FILE_N]*

The *encrypt* sub-command is used to encrypt pre-existing data files. As with the
*rekey* command, you can specify multiple files in one command.

Starting with version 2.0, the *encrypt* command accepts an *--output FILENAME*
option to determine where encrypted output is stored. With this option, input is
read from the (at most one) filename given on the command line; if no input file
is given, input is read from stdin. Either the input or the output file may be
given as '-' for stdin and stdout respectively. If neither input nor output file
is given, the command acts as a filter, reading plaintext from stdin and writing
it to stdout.

Thus any of the following invocations can be used:

*$ ansible-vault encrypt*

*$ ansible-vault encrypt --output OUTFILE*

*$ ansible-vault encrypt INFILE --output OUTFILE*

*$ echo secret|ansible-vault encrypt --output OUTFILE*

Reading from stdin and writing only encrypted output is a good way to prevent
sensitive data from ever hitting disk (either interactively or from a script).

DECRYPT
-------

*$ ansible-vault decrypt [options] FILE_1 [FILE_2, ..., FILE_N]
*$ ansible-vault decrypt [options] FILE_1 [FILE_2, ..., FILE_N]*

The *decrypt* sub-command is used to remove all encryption from data files. The files
will be stored as plain-text YAML once again, so be sure that you do not run this
command on data files with active passwords or other sensitive data. In most cases,
users will want to use the *edit* sub-command to modify the files securely.

As with *encrypt*, the *decrypt* subcommand also accepts the *--output FILENAME*
option to specify where plaintext output is stored, and stdin/stdout is handled
as described above.

AUTHOR
------
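Review bot: The new ENCRYPT text says that with --output input is read from "the (at most one) filename given on the command line", but the synopsis lines for encrypt and decrypt still read "[options] FILE_1 [FILE_2, ..., FILE_N]" and nothing says what happens when several files are passed together with --output. Document that case (error out, or which file wins), and consider a separate synopsis line for the --output form. In the DECRYPT paragraph it is also worth stating that --output FILENAME writes plaintext to that file, so the existing warning about plain-text YAML applies to it, while "--output -" sends the plaintext to stdout instead.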