Ansible Vault: Encrypt & Decrypt Secrets — Complete Guide (2026)
By Luca Berton · Published 2024-01-01 · Category: troubleshooting
Complete guide to Ansible Vault. Encrypt files, strings, and variables. Decrypt playbooks at runtime. Manage vault passwords, multiple vault IDs, and secrets in CI/CD. Practical examples.
Ansible Vault encrypts sensitive data — passwords, API keys, certificates, and secret variables — so you can safely store them in version control alongside your playbooks. This guide covers every vault operation with practical examples.
Quick Start
Encrypt a File
Encrypted file contents:
Encrypt a String (Inline Variables)
Encrypt individual variables instead of entire files:
Output:
Paste this directly into your variables file:
Decrypt
Run Playbooks with Vault
Interactive Password Prompt
Password File
In ansible.cfg (No Flag Needed)
Environment Variable
Script as Password Source
Rekey (Change Password)
Multiple Vault IDs
Use different passwords for different environments:
Encrypt string with vault ID
Best Practices
1. Keep Vault Files Separate
2. Prefix Vault Variables
Use vault_ prefix for encrypted variables to clearly identify their source:
3. Never Commit Password Files
4. Use no_log for Sensitive Tasks
Vault in CI/CD
GitHub Actions
GitLab CI
Jenkins
Common Operations Reference
| Command | Purpose |
|---------|---------|
| `ansible-vault create file.yml` | Create new encrypted file |
| `ansible-vault encrypt file.yml` | Encrypt existing file |
| `ansible-vault decrypt file.yml` | Permanently decrypt file |
| `ansible-vault view file.yml` | View without decrypting |
| `ansible-vault edit file.yml` | Edit in place |
| `ansible-vault rekey file.yml` | Change password |
| `ansible-vault encrypt_string 'text'` | Encrypt inline string |
FAQ
What is Ansible Vault?
Ansible Vault is a built-in feature that encrypts sensitive data (passwords, keys, certificates) using AES-256 encryption. It lets you store secrets in version control safely and decrypt them at runtime when executing playbooks.
How do I encrypt a password in Ansible?
Use ansible-vault encrypt_string 'MyPassword' --name 'variable_name' to encrypt a single value. Paste the output into your vars file. Or encrypt an entire file with ansible-vault encrypt secrets.yml.
Can I encrypt individual variables instead of whole files?
Yes. Use ansible-vault encrypt_string to encrypt single values. The encrypted string uses the !vault YAML tag and can be placed in any regular (unencrypted) YAML file alongside plaintext variables.
How do I use Ansible Vault in CI/CD?
Store the vault password as a CI/CD secret (GitHub Secrets, GitLab CI variable, etc.). Write it to a temporary file at runtime, pass it with --vault-password-file, and delete it after the playbook runs.
What encryption does Ansible Vault use?
Ansible Vault uses AES-256 (symmetric encryption) with PBKDF2 key derivation. The password you provide is used to derive the encryption key. It's strong enough for production secrets.
Can I have different vault passwords for different environments?
Yes. Use vault IDs: --vault-id prod@password_file and --vault-id dev@password_file. Each encrypted file or string is tagged with its vault ID, and Ansible uses the correct password automatically.
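An added example for the CI/CD and vault-ID answers above, written for this guide and not part of the original article: Ansible runs an executable vault password file and reads the password from its stdout, and when the file name ends in `-client` (as in `vault-env-client.py`) it also passes `--vault-id <label>`, so one script can serve several vault IDs without ever writing a password to disk. The variable naming `ANSIBLE_VAULT_PASSWORD_<LABEL>` is an assumption chosen for this example; each variable would be populated from a CI secret.

```python
#!/usr/bin/env python3
"""vault-env-client.py: vault password client for ansible-playbook.

Usage (per vault ID, each label resolved from its own environment variable):
  ansible-playbook site.yml \
    --vault-id prod@./vault-env-client.py \
    --vault-id dev@./vault-env-client.py
"""
import argparse
import os
import sys

# Assumed naming convention for this example (not an Ansible built-in):
# the 'prod' vault ID reads ANSIBLE_VAULT_PASSWORD_PROD, and so on.
ENV_PREFIX = "ANSIBLE_VAULT_PASSWORD_"


def env_var_for(vault_id):
    """Map a vault ID label such as 'prod' to its environment variable name.

    Labels are restricted to [A-Za-z0-9_] so a label can never be turned
    into an unexpected variable name; 'default' is Ansible's own label for
    secrets encrypted without an explicit vault ID."""
    label = vault_id or "default"
    if not label.replace("_", "").isalnum():
        raise ValueError(f"invalid vault id: {vault_id!r}")
    return ENV_PREFIX + label.upper()


def lookup_password(vault_id, environ=None):
    """Return the password for vault_id, or None if it is not configured.

    Deliberately no fallback to another ID's password: a missing secret
    should fail the run loudly rather than decrypt with the wrong key."""
    environ = os.environ if environ is None else environ
    return environ.get(env_var_for(vault_id))


def main(argv=None):
    parser = argparse.ArgumentParser(description=__doc__)
    parser.add_argument("--vault-id", default=None, help="label passed by Ansible")
    args = parser.parse_args(argv)
    password = lookup_password(args.vault_id)
    if password is None:
        print(f"no password configured for vault id {args.vault_id!r}", file=sys.stderr)
        return 2
    # Ansible reads the password from stdout; write it without decoration.
    sys.stdout.write(password)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

The script must be executable (`chmod +x vault-env-client.py`) for Ansible to treat it as a password script rather than a plaintext password file.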
Conclusion
Ansible Vault is essential for managing secrets in automation. Encrypt sensitive files and variables with AES-256, use password files for automation, prefix vault variables with vault_, and keep encrypted and unencrypted vars in separate files for maintainability.