titoshadow/ansible-vault
Composer 安装命令:
composer require titoshadow/ansible-vault
包简介
A PHP wrapper for the ansible-vault command.
README 文档
README
A pragmatic, secure wrapper around ansible-vault for encrypting/decrypting strings and files, editing vaults, and re-keying from PHP. Tailored for host-centric workflows like storing SSH passwords that Ansible uses to connect to remote hosts.
Requirements
- PHP 8.3 or later
- Ansible 2.10+ (
ansible-vaultavailable on the system)
Binary resolution and availability check
The wrapper locates ansible-vault and validates availability with --version.
Resolution order:
- Constructor argument
binary - Environment variable
ANSIBLE_VAULT_BIN - Fallback to
ansible-vaultin PATH
Installation
Ensure Ansible is installed and configured correctly before using this library.
You can install this library via Composer:
composer require titoshadow/ansible-vault
Usage
Include the library in your PHP code:
use Titoshadow\AnsibleVault\AnsibleVault; ... // Default (uses PATH) $vault = new AnsibleVault(); // Custom binary path $vault = new AnsibleVault(binary: '/usr/local/bin/ansible-vault'); // Or via environment putenv('ANSIBLE_VAULT_BIN=/opt/ansible/ansible-vault'); $vault = new AnsibleVault(); // Create an instance of the library $vault = new AnsibleVault('/path/to/vault-password-file');
Security model and password handling
- Avoid plaintext passwords on the command line. This wrapper:
- Writes provided password strings to secure temp files (0600 on POSIX) and passes
--vault-password-file. - Supports user-provided password file paths as-is.
- Writes provided password strings to secure temp files (0600 on POSIX) and passes
- Errors scrub secrets in both
--flag valueand--flag=valueforms (covers--vault-password,--vault-password-file,--password,-p, etc.).
Command execution settings
All commands run via a lightweight executor that supports:
- Default timeout (60s) and default working directory (null)
- Per-call override for timeout and cwd (used internally)
- TTY for interactive edit sessions
Configure defaults when needed:
use Titoshadow\AnsibleVault\CommandExecutor; use Titoshadow\AnsibleVault\AnsibleVault; $executor = new CommandExecutor(defaultTimeout: 120.0, defaultCwd: '/srv/project'); $vault = new AnsibleVault(executor: $executor);
Core methods
Encrypt a String (stdin-name control):
// stdin-name defaults to "secret" $encrypted = $vault->encryptString('Sensitive data', password: 'vault_pwd'); // Custom name to make output variable-friendly $encrypted = $vault->encryptString('Sensitive data', password: 'vault_pwd', stdinName: 'my_secret');
Decrypt a String
$decryptedString = $vault->decryptString($encrypted, password: 'vault_pwd');
Encrypt a File
vault->encrypt('/path/plain.txt', password: 'vault_pwd'); // or with an existing password filevault->encrypt('/path/plain.txt', vaultPasswordFile: '/path/vault.pass');
Decrypt a File
$vault->decrypt('/path/secret.txt', password: 'vault_pwd')
Create a Vault
$vault->create('/path/vault.yml', password: 'vault_pwd', encrypted: true);
Edit a Vault
$vault->edit('/path/vault.yml', password: 'vault_pwd');
Rekey a Vault
$vault->rekey('/path/vault.yml', oldPassword: 'old', newPassword: 'new')
Remove a Vault
$vault->remove('/path/vault.yml');
Host-centric SSH helpers
Encrypt an SSH password to the conventional variable ansible_ssh_pass (in-memory):
use Titoshadow\AnsibleVault\CommandExecutor; use Titoshadow\AnsibleVault\Encrypter; $encrypter = new Encrypter(new CommandExecutor()); $encrypted = encrypter->encryptSshPasswordVar('ssh_password', password: 'vault_pwd'); //encrypted starts with "$ANSIBLE_VAULT;"
Encrypt and write the SSH secret to a file (directories are created if missing):
Exceptions and error handling
On failures, a sanitized exception is thrown:
- VaultCliUsageException — typically exit code 2 (CLI misuse, invalid flags)
- VaultAuthException — typically exit code 4 (authentication/decryption issues)
- VaultExecutionException — default/fallback with masked secrets
use Titoshadow\AnsibleVault\Exception\VaultAuthException; use Titoshadow\AnsibleVault\Exception\VaultCliUsageException; use Titoshadow\AnsibleVault\Exception\VaultExecutionException; try { $vault->decrypt('/path/secret.txt', password: 'wrong'); } catch (VaultAuthExceptione) { // wrong password } catch (VaultCliUsageException e) { // invalid CLI usage } catch (VaultExecutionExceptione) { // generic error (message is sanitized) }
titoshadow/ansible-vault 适用场景与选型建议
titoshadow/ansible-vault 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 1.08k 次下载、GitHub Stars 达 1, 最近一次更新时间为 2025 年 01 月 20 日, 在 PHP 生态内属于活跃度较高的组件。
我们在过去多个企业项目中使用过 titoshadow/ansible-vault 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。
基于 titoshadow/ansible-vault 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。
线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。
承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。
统计信息
- 总下载量: 1.08k
- 月度下载量: 0
- 日度下载量: 0
- 收藏数: 1
- 点击次数: 15
- 依赖项目数: 0
- 推荐数: 0
其他信息
- 授权协议: MIT
- 更新时间: 2025-01-20