Ansible Vault: Encrypt Secrets & Manage Credentials (2026 Guide)

By Luca Berton · Published 2024-01-01 · Category: troubleshooting

Complete guide to Ansible Vault. Encrypt files and strings, manage vault passwords, use multiple vault IDs, and integrate with CI/CD and AWX/AAP.

What Is Ansible Vault?

Ansible Vault is a built-in feature that encrypts sensitive data like passwords, API keys, and certificates. It uses AES-256 symmetric encryption to protect secrets within your Ansible projects.

Why Use Ansible Vault?

Without Vault, secrets in playbooks and variable files are stored in plain text — a security risk, especially in version control. Vault lets you:

- Encrypt entire files (vars, inventory)
- Encrypt individual strings (inline secrets)
- Share playbooks safely in Git
- Rotate encryption passwords easily

Core Commands

Create an Encrypted File

Encrypt an Existing File

Decrypt a File

Edit an Encrypted File

Encrypt a Single String

Rekey (Change Password)

Using Vault with Playbooks

Method 1: Ask for Password

Method 2: Password File

Method 3: ansible.cfg

Method 4: Environment Variable

Practical Examples

Example 1: Encrypted Variables File

Example 2: Inline Encrypted String

Example 3: Encrypted Inventory

Multiple Vault Passwords

For different encryption per environment:

Best Practices

- Never commit vault passwords to Git — use .gitignore for password files
- Use vault IDs for multi-environment setups
- Prefix vault variables with vault_ for clarity
- Separate vault files from regular vars — keeps diffs readable
- Use a password manager or CI/CD secret store for vault passwords
- Rotate vault passwords periodically with rekey
- Don't encrypt everything — only sensitive values need encryption

Vault vs External Secret Managers

| Feature | Ansible Vault | HashiCorp Vault | AWS Secrets Manager |
|---------|--------------|-----------------|---------------------|
| Cost | Free | Free/Enterprise | Pay per secret |
| Integration | Built-in | Lookup plugin | Lookup plugin |
| Dynamic secrets | No | Yes | Yes (rotation) |
| Audit logging | No | Yes | Yes |
| Access control | Password-based | Policy-based | IAM-based |
| Best for | Small teams | Large teams | AWS-native |

For enterprise needs, combine Ansible Vault with an external secret manager using lookup plugins.

Troubleshooting

"Attempting to decrypt but no vault secrets found" — no vault password was supplied. Provide it with one of the methods from Using Vault with Playbooks above.

"Decryption failed" Wrong vault password. Try ansible-vault view file.yml to test.

"input is not vault encrypted data" The file header $ANSIBLE_VAULT;1.1;AES256 is missing or corrupted.
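The three errors above come from different layers of the vault file format. The following Python is an added example (not from the guide or from Ansible's code base) that re-implements only the envelope parsing and the HMAC step of the 1.1/1.2 format, so a malformed header ("input is not vault encrypted data") can be told apart from a wrong password ("Decryption failed") offline; the 1.2 header also carries the vault ID label used in Multiple Vault Passwords. `build_fixture` is a constructed helper that produces a syntactically valid envelope for testing, not a real encryption.

```python
"""Offline checks for Ansible Vault envelopes (added example, not Ansible's own code).
Re-implements only the PBKDF2-HMAC-SHA256 key derivation (10000 rounds, 80 bytes:
32 AES key, 32 HMAC key, 16 IV) and the HMAC check; the AES-CTR payload is never decrypted."""
import binascii, hashlib, hmac, os

ITERATIONS = 10000

def parse_vault(text):
    """Return (version, vault_id, salt, stored_hmac, ciphertext) for an encrypted file
    or the payload of an inline '!vault |' string; raises ValueError where ansible
    reports 'input is not vault encrypted data'."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if lines and lines[0].endswith("!vault |"):  # inline string: drop the YAML tag line
        lines = lines[1:]
    fields = lines[0].split(";") if lines else []
    if (len(fields) < 3 or fields[0] != "$ANSIBLE_VAULT"
            or fields[1] not in ("1.1", "1.2") or fields[2] != "AES256"):
        raise ValueError("input is not vault encrypted data: bad header")
    vault_id = fields[3] if fields[1] == "1.2" and len(fields) > 3 else None
    try:
        body = binascii.unhexlify("".join(lines[1:]))  # outer hex layer
        salt, mac, ct = (binascii.unhexlify(p) for p in body.split(b"\n"))  # inner layer
    except (binascii.Error, ValueError):
        raise ValueError("input is not vault encrypted data: corrupt body") from None
    return fields[1], vault_id, salt, mac, ct

def derive_keys(password, salt):
    """PBKDF2 as ansible derives it: one password -> AES key, HMAC key, IV."""
    d = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=80)
    return d[:32], d[32:64], d[64:80]

def password_matches(text, password):
    """True if the password reproduces the stored HMAC; False is 'Decryption failed'."""
    _, _, salt, stored_mac, ciphertext = parse_vault(text)
    _, hmac_key, _ = derive_keys(password, salt)
    calc = hmac.new(hmac_key, ciphertext, hashlib.sha256).digest()
    return hmac.compare_digest(calc, stored_mac)

def build_fixture(password, payload, vault_id=None):
    """Constructed fixture: wrap arbitrary bytes in a valid vault envelope. The payload
    is NOT AES-encrypted, so ansible could not decrypt it; it only exercises the
    parser and HMAC check above without needing ansible-vault installed."""
    salt = os.urandom(32)
    _, hmac_key, _ = derive_keys(password, salt)
    mac = hmac.new(hmac_key, payload, hashlib.sha256).digest()
    inner = b"\n".join(binascii.hexlify(x) for x in (salt, mac, payload))
    body = binascii.hexlify(inner).decode()
    header = "$ANSIBLE_VAULT;1.2;AES256;" + vault_id if vault_id else "$ANSIBLE_VAULT;1.1;AES256"
    return "\n".join([header] + [body[i:i + 80] for i in range(0, len(body), 80)]) + "\n"
```

Run `password_matches(open("vault.yml").read(), candidate)` against a real file produced by `ansible-vault encrypt` to confirm a password before a playbook run fails; the HMAC is checked in constant time, so the comparison leaks nothing about the stored value.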

FAQ

Can I use Ansible Vault in CI/CD? Yes. Store the vault password as a CI/CD secret (GitHub Actions secret, GitLab CI variable) and pass it via --vault-password-file.

Is Ansible Vault secure enough for production? Ansible Vault uses AES-256, which is strong encryption. The security depends on how you manage the vault password. For enterprise environments, consider pairing with external secret managers.

Can I encrypt an entire playbook? Yes, but it makes debugging harder. Better to encrypt only the variable files containing secrets.

How do I decrypt all files in a directory?

Conclusion

Ansible Vault is the simplest way to manage secrets in your Ansible automation. Start with basic file encryption, then adopt inline strings and vault IDs as your needs grow.

For more security tutorials, visit AnsiblePilot.

Encrypt a File

Create Encrypted File

View / Edit / Decrypt

Encrypt Single Variable

Run Playbook with Vault

Multiple Vault IDs

Best Practice: Split Variables

Rekey (Change Password)

Password File

Password Script

CI/CD Integration

Vault Commands Reference

| Command | Description |
|---------|-------------|
| create | Create new encrypted file |
| encrypt | Encrypt existing file |
| decrypt | Remove encryption |
| view | View contents (read-only) |
| edit | Edit in place |
| rekey | Change password |
| encrypt_string | Encrypt single value |

FAQ

Can I recover a forgotten vault password?

No — AES-256 encryption has no backdoor. Store your vault password securely (password manager, secrets service).

Performance impact?

Minimal — decryption happens once at playbook load. No runtime performance impact.

Vault vs external secrets (HashiCorp Vault, AWS Secrets Manager)?

Ansible Vault is file-based and simple. External secrets managers offer rotation, auditing, and centralized management. Many teams use both.

Encrypt a File

Encrypt a String

View Encrypted File

Edit Encrypted File

Decrypt a File

Run Playbook with Vault

Multiple Vault IDs

Best Practice: Variable Indirection

Password from Script

Re-Key (Change Password)

Vault in CI/CD

FAQ

Can I use Vault with AWX/AAP?

Yes — create a "Vault" credential type in AWX and assign it to job templates. AWX handles decryption automatically.

AES-256 — how secure is it?

Very secure. The weak point is your vault password, not the encryption. Use strong passwords (20+ chars).

Can I encrypt binary files?

Yes — ansible-vault encrypt works on any file type. But it's mainly designed for YAML/text.

