Introduction To Ansible Vault

Hi readers, in this blog we will be discussing Ansible Vault. We will also look at how to encrypt different playbooks and how they can be decrypted.


The “Vault” is a feature of Ansible that allows you to keep sensitive data such as passwords or keys protected at rest, rather than as plain text in playbooks or roles. 

Why use Ansible Vault?

Ansible is used for automation, and playbooks often contain credentials, SSL certificates, or other sensitive data. Usually, we store our sensitive data in vault-encrypted variables.

How does Ansible Vault help us?

It helps us encrypt and decrypt variables that contain sensitive information. There are two ways to take care of sensitive data:

1) Encrypt variables and embed them into the playbook.

2) Encrypt the entire playbook.

Creating an Encrypted File

To create an encrypted file, use the ansible-vault create command and enter the filename.

When prompted, create a password and then confirm it by re-typing it. 

$ ansible-vault create example.yml 
New Vault password: 
Confirm New Vault password: 

After confirming our password, a new file is created and opens in an editing window. By default, the editor for Vault is vi. We can add data, save, and exit.

We can see our newly created file:

$ cat example.yml 

Encrypting Unencrypted Files

Suppose we have a file which we wish to encrypt; we can use the ansible-vault encrypt command.

$ ansible-vault encrypt oldfile.yml
New Vault password: 
Confirm New Vault password: 

You will be prompted to enter and confirm the password, after which your file is encrypted.

Editing Encrypted Files

If we want to edit our encrypted file, we can edit it using the ansible-vault edit command.

$ ansible-vault edit example.yml 
Vault password:

Viewing Encrypted File

If we want to view our encrypted file, we can use the ansible-vault view command.

$ ansible-vault view example.yml
Vault password: 
- name: mukesh
  hosts: WORKSPACE
  tasks:
    - name: copying a file.
      copy:
        src: /home/knoldus/example.yml
        dest: /home/

Rekeying Vault Password

We can also change the vault password with the ansible-vault rekey command.

We will be prompted for the vault's current password, then asked to enter a new password and finally to confirm the new password.

Decrypting Encrypted Files

If we want to decrypt an encrypted file, we can use the ansible-vault decrypt command. Then, we will be prompted to enter the vault password.

$ ansible-vault decrypt example.yaml 
Vault password: 
Decryption successful
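
Because ansible-vault decrypt writes the plaintext back to the same file on disk, it helps to check before a commit that nothing was left decrypted. The script below is an added example, not part of the original post; the function names, the sample tree and the assumption that the scanned directory holds only files meant to be encrypted are illustrative.

```shell
#!/bin/sh
# Added example: flag YAML files that should be vaulted but are plaintext,
# e.g. after `ansible-vault decrypt` was run and the file never re-encrypted.

# Succeeds if file $1 begins with an Ansible Vault header:
#   $ANSIBLE_VAULT;1.1;AES256            (default format)
#   $ANSIBLE_VAULT;1.2;AES256;<label>    (format with a vault ID label)
is_vaulted() {
    # Only the first line matters; drop a CR so CRLF checkouts still match.
    vault_header=$(head -n 1 "$1" 2>/dev/null | tr -d '\r')
    case "$vault_header" in
        '$ANSIBLE_VAULT;1.1;AES256')    return 0 ;;
        '$ANSIBLE_VAULT;1.2;AES256;'?*) return 0 ;;
        *)                              return 1 ;;
    esac
}

# Prints each *.yml / *.yaml file under directory $1 that is not vaulted.
# Returns 1 if any were found, so it can gate a commit hook or CI job.
# Assumption: $1 holds only files that are meant to be encrypted.
find_unvaulted() {
    unvaulted=$(
        find "$1" -type f \( -name '*.yml' -o -name '*.yaml' \) | sort |
        while IFS= read -r candidate; do
            is_vaulted "$candidate" || printf '%s\n' "$candidate"
        done
    )
    if [ -n "$unvaulted" ]; then
        printf '%s\n' "$unvaulted"
        return 1
    fi
    return 0
}

# Constructed sample tree (values and ciphertext bodies are placeholders).
make_sample_tree() {
    mkdir -p "$1/nested"
    printf '%s\n' '$ANSIBLE_VAULT;1.1;AES256' '3031323334' > "$1/example.yml"
    printf '%s\n' '$ANSIBLE_VAULT;1.2;AES256;prod' '3031323334' > "$1/nested/prod.yaml"
    printf '%s\n' 'db_password: hunter2' > "$1/oldfile.yml"
    printf '%s\n' '# $ANSIBLE_VAULT;1.1;AES256' 'key: value' > "$1/nested/fake.yml"
}

# When run as a script with a directory argument, scan that directory.
if [ "$#" -gt 0 ]; then find_unvaulted "$1"; fi
```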

Decrypting Encrypted Files During Runtime

We can use the --ask-vault-pass flag to decrypt a file during runtime.

$ ansible-playbook launch.yml --ask-vault-pass

This decrypts, at execution time, the files that were encrypted with the same password.


We usually have some configuration data which is by definition sensitive and should not be publicly exposed. We demonstrated how Ansible Vault can encrypt confidential information so that we can keep all of our configuration data in one place without compromising security.

