AnsiblePilot — Master Ansible Automation

AnsiblePilot is the leading resource for learning Ansible automation, DevOps, and infrastructure as code. Browse over 1,400 tutorials covering Ansible modules, playbooks, roles, collections, and real-world examples. Whether you are a beginner or an experienced engineer, our step-by-step guides help you automate Linux, Windows, cloud, containers, and network infrastructure.

Popular Topics

About Luca Berton

Luca Berton is an Ansible automation expert, author of 8 Ansible books published by Apress and Leanpub including "Ansible for VMware by Examples" and "Ansible for Kubernetes by Example", and creator of the Ansible Pilot YouTube channel. He shares practical automation knowledge through tutorials, books, and video courses to help IT professionals and DevOps engineers master infrastructure automation.

Ansible Vault: Encrypt Secrets & Manage Credentials (2026 Guide)

By Luca Berton · Published 2024-01-01 · Category: troubleshooting

Complete guide to Ansible Vault. Encrypt files and strings, manage vault passwords, use multiple vault IDs, and integrate with CI/CD and AWX/AAP.

Ansible Vault: Encrypt Secrets & Manage Credentials (2026 Guide)

What Is Ansible Vault?

Ansible Vault is a built-in feature that encrypts sensitive data like passwords, API keys, and certificates. It uses AES-256 symmetric encryption to protect secrets within your Ansible projects.

See also: Ansible Vault: Encrypt Secrets & Manage Encrypted Variables (Complete Guide)

Why Use Ansible Vault?

Without Vault, secrets in playbooks and variable files are stored in plain text — a security risk especially in version control. Vault lets you:

  • Encrypt entire files (vars, inventory)
  • Encrypt individual strings (inline secrets)
  • Share playbooks safely in Git
  • Rotate encryption passwords easily

Core Commands

Create an Encrypted File

# Interactive editor
ansible-vault create secrets.yml

# You'll be prompted for a vault password
# Then an editor opens to write your secrets:
# db_password: SuperSecret123
# api_key: abc-def-ghi-jkl

Encrypt an Existing File

ansible-vault encrypt vars/production.yml

# Encrypt multiple files
ansible-vault encrypt vars/*.yml

Decrypt a File

# Decrypt permanently (removes encryption)
ansible-vault decrypt secrets.yml

# View without decrypting
ansible-vault view secrets.yml

Edit an Encrypted File

ansible-vault edit secrets.yml

Encrypt a Single String

# Encrypt a string for inline use
ansible-vault encrypt_string 'MySecretPassword' --name 'db_password'

# Output (paste into your vars file):
db_password: !vault |
  $ANSIBLE_VAULT;1.1;AES256
  61626364656667686970...

Rekey (Change Password)

ansible-vault rekey secrets.yml
# Enter old password, then new password

Using Vault with Playbooks

Method 1: Ask for Password

ansible-playbook site.yml --ask-vault-pass

Method 2: Password File

# Create password file
echo 'MyVaultPassword' > ~/.vault_pass
chmod 600 ~/.vault_pass

# Use it
ansible-playbook site.yml --vault-password-file ~/.vault_pass

Method 3: ansible.cfg

# ansible.cfg
[defaults]
vault_password_file = ~/.vault_pass

Method 4: Environment Variable

export ANSIBLE_VAULT_PASSWORD_FILE=~/.vault_pass
ansible-playbook site.yml

See also: Ansible Vault: Encrypt & Decrypt Secrets — Complete Guide (2026)

Practical Examples

Example 1: Encrypted Variables File

# Create encrypted vars
ansible-vault create group_vars/production/vault.yml
# Contents of vault.yml (encrypted at rest)
vault_db_password: "ProductionDBPass123"
vault_api_key: "sk-abc123def456"
vault_ssl_private_key: |
  -----BEGIN PRIVATE KEY-----
  MIIEvgIBADANBg...
  -----END PRIVATE KEY-----
# group_vars/production/vars.yml (unencrypted, references vault vars)
db_password: "{{ vault_db_password }}"
api_key: "{{ vault_api_key }}"

Example 2: Inline Encrypted String

# vars/main.yml
db_host: db.example.com
db_port: 5432
db_user: myapp
db_password: !vault |
  $ANSIBLE_VAULT;1.1;AES256
  3566313438363...

Example 3: Encrypted Inventory

ansible-vault encrypt inventory/production.yml
ansible-playbook -i inventory/production.yml site.yml --ask-vault-pass

Multiple Vault Passwords

For different encryption per environment:

# Encrypt with vault ID
ansible-vault encrypt --vault-id prod@prompt secrets-prod.yml
ansible-vault encrypt --vault-id dev@~/.dev_pass secrets-dev.yml

# Run with multiple vault IDs
ansible-playbook site.yml \
  --vault-id prod@prompt \
  --vault-id dev@~/.dev_pass

See also: Ansible Vault Error: Fix 'Attempting to Decrypt but No Vault Secrets Found'

Best Practices

  1. Never commit vault passwords to Git — Use .gitignore for password files
  2. Use vault IDs for multi-environment setups
  3. Prefix vault variables with vault_ for clarity
  4. Separate vault files from regular vars — keeps diffs readable
  5. Use a password manager or CI/CD secret store for vault passwords
  6. Rotate vault passwords periodically with rekey
  7. Don't encrypt everything — Only sensitive values need encryption

Vault vs External Secret Managers

FeatureAnsible VaultHashiCorp VaultAWS Secrets Manager
CostFreeFree/EnterprisePay per secret
IntegrationBuilt-inLookup pluginLookup plugin
Dynamic secretsNoYesYes (rotation)
Audit loggingNoYesYes
Access controlPassword-basedPolicy-basedIAM-based
Best forSmall teamsLarge teamsAWS-native
For enterprise needs, combine Ansible Vault with an external secret manager using lookup plugins.

Troubleshooting

"Attempting to decrypt but no vault secrets found"

You forgot to provide the vault password: 
ansible-playbook site.yml --ask-vault-pass

"Decryption failed"

Wrong vault password. Try ansible-vault view file.yml to test.

"input is not vault encrypted data"

The file header $ANSIBLE_VAULT;1.1;AES256 is missing or corrupted.

FAQ

Can I use Ansible Vault in CI/CD?

Yes. Store the vault password as a CI/CD secret (GitHub Actions secret, GitLab CI variable) and pass it via --vault-password-file.

Is Ansible Vault secure enough for production?

Ansible Vault uses AES-256, which is strong encryption. The security depends on how you manage the vault password. For enterprise environments, consider pairing with external secret managers.

Can I encrypt an entire playbook?

Yes, but it makes debugging harder. Better to encrypt only the variable files containing secrets.

How do I decrypt all files in a directory?

ansible-vault decrypt vars/*.yml

Conclusion

Ansible Vault is the simplest way to manage secrets in your Ansible automation. Start with basic file encryption, then adopt inline strings and vault IDs as your needs grow.

For more security tutorials, visit AnsiblePilot.

Encrypt a File

ansible-vault encrypt secrets.yml
ansible-vault encrypt --vault-id prod@prompt secrets.yml

Create Encrypted File

ansible-vault create secrets.yml
# Opens editor, encrypts on save

View / Edit / Decrypt

ansible-vault view secrets.yml
ansible-vault edit secrets.yml
ansible-vault decrypt secrets.yml

Encrypt Single Variable

ansible-vault encrypt_string 'SuperSecret123' --name 'db_password'
# Use in playbook
db_password: !vault |
  $ANSIBLE_VAULT;1.1;AES256
  61623661...

Run Playbook with Vault

ansible-playbook site.yml --ask-vault-pass
ansible-playbook site.yml --vault-password-file ~/.vault_pass
ansible-playbook site.yml --vault-id prod@~/.vault_prod

Multiple Vault IDs

# Encrypt with named vault
ansible-vault encrypt --vault-id dev@prompt dev-secrets.yml
ansible-vault encrypt --vault-id prod@~/.vault_prod prod-secrets.yml

# Use multiple vaults
ansible-playbook site.yml \
  --vault-id dev@~/.vault_dev \
  --vault-id prod@~/.vault_prod

Best Practice: Split Variables

# group_vars/production/vault.yml (ENCRYPTED)
vault_db_password: SuperSecret123
vault_api_key: abc123xyz789

# group_vars/production/vars.yml (plain, references vault)
db_password: "{{ vault_db_password }}"
api_key: "{{ vault_api_key }}"

Rekey (Change Password)

ansible-vault rekey secrets.yml
ansible-vault rekey --vault-id prod@old_pass --new-vault-id prod@new_pass secrets.yml

Password File

echo 'my-vault-password' > ~/.vault_pass
chmod 600 ~/.vault_pass
# ansible.cfg
[defaults]
vault_password_file = ~/.vault_pass

Password Script

#!/usr/bin/env python3
# vault-pass.py — fetch from password manager
import subprocess
result = subprocess.run(['pass', 'ansible/vault'], capture_output=True, text=True)
print(result.stdout.strip())
chmod +x vault-pass.py
ansible-playbook site.yml --vault-password-file ./vault-pass.py

CI/CD Integration

# GitHub Actions
- name: Create vault password
  run: echo "${{ secrets.VAULT_PASSWORD }}" > .vault_pass
- name: Run playbook
  run: ansible-playbook site.yml --vault-password-file .vault_pass
- name: Cleanup
  run: rm -f .vault_pass
  if: always()

Vault Commands Reference

CommandDescription
createCreate new encrypted file
encryptEncrypt existing file
decryptRemove encryption
viewView contents (read-only)
editEdit in place
rekeyChange password
encrypt_stringEncrypt single value

FAQ

Can I recover a forgotten vault password?

No — AES-256 encryption has no backdoor. Store your vault password securely (password manager, secrets service).

Performance impact?

Minimal — decryption happens once at playbook load. No runtime performance impact.

Vault vs external secrets (HashiCorp Vault, AWS Secrets Manager)?

Ansible Vault is file-based and simple. External secrets managers offer rotation, auditing, and centralized management. Many teams use both.

Encrypt a File

ansible-vault encrypt group_vars/production/secrets.yml

Encrypt a String

ansible-vault encrypt_string 'db_password_123' --name 'vault_db_password'

View Encrypted File

ansible-vault view secrets.yml

Edit Encrypted File

ansible-vault edit secrets.yml

Decrypt a File

ansible-vault decrypt secrets.yml

Run Playbook with Vault

# Prompt for password
ansible-playbook site.yml --ask-vault-pass

# Password file
ansible-playbook site.yml --vault-password-file ~/.vault_pass

# Environment variable
export ANSIBLE_VAULT_PASSWORD_FILE=~/.vault_pass

Multiple Vault IDs

# Encrypt with specific ID
ansible-vault encrypt --vault-id prod@~/.vault_prod secrets-prod.yml
ansible-vault encrypt --vault-id dev@~/.vault_dev secrets-dev.yml

# Run with both
ansible-playbook site.yml \
  --vault-id dev@~/.vault_dev \
  --vault-id prod@~/.vault_prod

Best Practice: Variable Indirection

# group_vars/production/vault.yml (encrypted)
vault_db_password: "SuperSecret"
vault_api_key: "abc123"

# group_vars/production/main.yml (plain text, references vault)
db_password: "{{ vault_db_password }}"
api_key: "{{ vault_api_key }}"

Password from Script

#!/bin/bash
# get-vault-pass.sh
# Pull from password manager, AWS SSM, etc.
aws ssm get-parameter --name /ansible/vault-pass --with-decryption --query Parameter.Value --output text
chmod +x get-vault-pass.sh
ansible-playbook site.yml --vault-password-file get-vault-pass.sh

Re-Key (Change Password)

ansible-vault rekey secrets.yml
# Or with vault IDs
ansible-vault rekey --vault-id prod@prompt secrets-prod.yml --new-vault-id prod@~/.new_vault_pass

Vault in CI/CD

# GitHub Actions
- name: Run Ansible
  env:
    VAULT_PASSWORD: ${{ secrets.ANSIBLE_VAULT_PASS }}
  run: |
    echo "$VAULT_PASSWORD" > .vault_pass
    ansible-playbook site.yml --vault-password-file .vault_pass
    rm .vault_pass

FAQ

Can I use Vault with AWX/AAP?

Yes — create a "Vault" credential type in AWX and assign it to job templates. AWX handles decryption automatically.

AES-256 — how secure is it?

Very secure. The weak point is your vault password, not the encryption. Use strong passwords (20+ chars).

Can I encrypt binary files?

Yes — ansible-vault encrypt works on any file type. But it's mainly designed for YAML/text.

Category: troubleshooting

Browse all Ansible tutorials · AnsiblePilot Home