Here is a very detailed and comprehensive tutorial on using Ansible Vault with practical, real-world examples for each subcommand.

Ansible Vault Tutorial

Ansible Vault is a powerful feature that allows you to encrypt sensitive data—such as passwords, keys, and secrets—within your Ansible projects. It’s especially important for keeping secrets out of version control and enabling safe collaboration on automation projects.

Why Use Ansible Vault?

• Security: Keeps secrets safe in your playbooks, variable files, and inventory.
• Collaboration: Share code without exposing sensitive information.
• Flexibility: Encrypt only the files or strings you need.

Vault Passwords

By default, Vault asks you for a password interactively, but you can also use --vault-password-file for automation.

Main Ansible Vault Subcommands and Usage Examples

Below, each subcommand is described with an example.

1. Create – Create a new encrypted file

Command:

ansible-vault create secrets.yml
Code language: CSS (css)

What it does:
Creates a new file, opens it in your $EDITOR (e.g., vim/nano), and saves it encrypted.

Example Workflow:

ansible-vault create secrets.yml
Code language: CSS (css)

• You will be prompted for a new vault password.
• The editor opens. Enter your secret variables: db_user: admin db_password: SuperSecret123
• Save and exit. Now secrets.yml is fully encrypted.

2. Encrypt – Encrypt an existing file

Command:

ansible-vault encrypt group_vars/all.yml

What it does:
Encrypts an existing plaintext file.

Example Workflow:

ansible-vault encrypt group_vars/all.yml

• You’ll be prompted for a password.
• The file is encrypted and can no longer be read as plain text.

3. Decrypt – Decrypt an encrypted file

Command:

ansible-vault decrypt secrets.yml
Code language: CSS (css)

What it does:
Decrypts a file, turning it back into readable plain text.

Example Workflow:

ansible-vault decrypt secrets.yml
Code language: CSS (css)

• Enter the vault password.
• secrets.yml is now unencrypted and can be viewed/edited by anyone.

4. Edit – Edit an encrypted file (without manual decrypt/re-encrypt)

Command:

ansible-vault edit secrets.yml
Code language: CSS (css)

What it does:
Decrypts the file in-memory for editing, then automatically re-encrypts it when you save and close the editor.

Example Workflow:

ansible-vault edit secrets.yml
Code language: CSS (css)

• Enter your vault password.
• File opens in your editor. Make your changes: db_password: EvenBetterSecret456
• Save and exit; file is re-encrypted.

5. View – View the contents of an encrypted file (read-only)

Command:

ansible-vault view secrets.yml
Code language: CSS (css)

What it does:
Allows you to read (but not edit) the contents of the encrypted file after entering the vault password.

Example Workflow:

ansible-vault view secrets.yml
Code language: CSS (css)

• Enter password.
• The contents are displayed in your terminal.

6. Encrypt_string – Encrypt a string to use in playbooks or variable files

Command:

ansible-vault encrypt_string 'MySecretValue' --name 'api_key'
Code language: JavaScript (javascript)

What it does:
Encrypts a single string and prints the encrypted value, suitable for inline use in YAML files.

Example Workflow:

ansible-vault encrypt_string 'MySecretValue' --name 'api_key'
Code language: JavaScript (javascript)

• Output: api_key: !vault | $ANSIBLE_VAULT;1.1;AES256 6634663264633862653737363339383739616632663837623233633637356536 6632626164656236373861303962646531346535613936390a64346664616435 ...
• Copy-paste this directly into your vars file or playbook.

7. Rekey – Change the password of an encrypted file

Command:

ansible-vault rekey secrets.yml
Code language: CSS (css)

What it does:
Changes the vault password on one or more encrypted files.

Example Workflow:

ansible-vault rekey secrets.yml
Code language: CSS (css)

• Enter current password.
• Enter new password.
• File is re-encrypted with the new password.

Vault Password Handling

• To avoid manual prompts, use: ansible-playbook site.yml --ask-vault-pass # or ansible-playbook site.yml --vault-password-file ~/.vault_pass.txt (Be sure to secure ~/.vault_pass.txt with proper file permissions!)

Using Encrypted Files in Playbooks

Ansible automatically decrypts vault files if you provide the password:

# In your playbook:
- hosts: all
  vars_files:
    - secrets.yml
  tasks:
    - debug:
        msg: "The DB password is {{ db_password }}"
Code language: PHP (php)

Run with:

ansible-playbook playbook.yml --ask-vault-pass
Code language: CSS (css)

Summary Table: Ansible-vault Commands

Best Practices

• Only encrypt what’s sensitive (not all files).
• Keep vault passwords secure—don’t commit them to version control.
• Rotate passwords regularly using the rekey command.
• Audit encrypted files so you know what’s protected.

Extra: Vault IDs for Multiple Passwords (Advanced)

You can use Vault IDs to encrypt different files with different passwords (e.g., one for dev, one for prod).

Encrypt with a vault ID:

ansible-vault encrypt --vault-id dev@prompt dev-secrets.yml
ansible-vault encrypt --vault-id prod@prompt prod-secrets.yml
Code language: CSS (css)

And use both in a playbook:

ansible-playbook site.yml --vault-id dev@prompt --vault-id prod@prompt
Code language: CSS (css)

References

• Ansible Vault Documentation

Rajesh Kumar

I’m a DevOps/SRE/DevSecOps/Cloud Expert passionate about sharing knowledge and experiences. I have worked at Cotocus. I share tech blog at DevOps School, travel stories at Holiday Landmark, stock market tips at Stocks Mantra, health and fitness guidance at My Medic Plus, product reviews at TrueReviewNow , and SEO strategies at Wizbrand.

Do you want to learn Quantum Computing?

Please find my social handles as below;

Rajesh Kumar Personal Website
Rajesh Kumar at YOUTUBE
Rajesh Kumar at INSTAGRAM
Rajesh Kumar at X
Rajesh Kumar at FACEBOOK
Rajesh Kumar at LINKEDIN
Rajesh Kumar at WIZBRAND

Rajesh Kumar DailyLogs