Ansible Vault: Encrypt, Decrypt & Manage Secrets (Complete Guide) — Video Tutorial

How to decrypt an Ansible Vault? From an encrypted file to plaintext using the correct password. I will show you a live Playbook with some simple Ansible code. I'm Luca Berton, and welcome to today's episode of Ansible Pilot. ansible-vault - Included in Ansible installation - Ansible Vault - command line The `ansible-vault` command is included in every Ansible installation for the most modern operating system. It is a command line tool so interact with that using your terminal. Using the `ansible-vault` command, you could perform any Ansible vault operation: encryption, decryption, change of password, etc. Links - https://docs.ansible.com/ansible/latest/user_guide/vault.html Playbook I will show you how to decrypt an Ansible Vault using the ansible-vault command line utility. At the beginning of this example, we start with an encrypted Ansible vault, and once we enter the correct password, we obtain a cleartext file. execution ```bash $ ansible-vault decrypt encrypted-to-plain.yml Vault password: Decryption successful ``` before execution ```bash $ cat encrypted-to-plain.yml $ANSIBLE_VAULT;1.1;AES256 65333637643363376438633838346563353666636433613032333663666137613839333564393238 3930333031633134346461303636623937353561643464390a363534383938396336346130653231 34356437363733313638336437343735366362343031663866326135633538373237646537356638 6163373837343332660a323666666534353561656464353033613137333463316534663062643561 34373865636163626163313235393239653539356665373361373939633138373137643264386533 3761646565643732396531313561366364353031373731353839 ``` after execution ```bash $ cat encrypted-to-plain.yml --- password: mysupersecretpassword ``` Conclusion Now you know how to decrypt an Ansible Vault. Ansible Vault Overview Ansible Vault provides encryption for sensitive data like passwords, API keys, and certificates. It uses **AES-256** encryption, which is the same standard used by banks and governments. When to Use Vault - Storing database passwords in `group_vars/` - Encrypting SSH private keys - Protecting API tokens and secrets - Securing cloud credentials (AWS, Azure, GCP) Decrypt Methods Method 1: Decrypt entire file ```bash Interactive password prompt ansible-vault decrypt secrets.yml Using a password file ansible-vault decrypt secrets.yml --vault-password-file=.vault_pass Using vault ID (Ansible 2.4+) ansible-vault decrypt secrets.yml --vault-id prod@.vault_pass ``` Method 2: View without decrypting ```bash View contents without modifying the file ansible-vault view secrets.yml Pipe to other commands ansible-vault view secrets.yml | grep database_password ``` Method 3: Decrypt inline during playbook run ```bash Ansible automatically decrypts vault files during execution ansible-playbook playbook.yml --ask-vault-pass Using password file (for CI/CD) ansible-playbook playbook.yml --vault-password-file=.vault_pass ``` Method 4: Decrypt single variables If you encrypted a single variable with `ansible