Use cases of Ansible Vault

In general, a ‘vault’ is a compartment or room for the safekeeping of valuables.

Similarly, Ansible provides a command-line tool called ‘ansible-vault’ to keep variables, passwords or files safely in an encrypted format. So it is an encrypted store.

It uses the Advanced Encryption Standard (AES-256) with a password as the secret key.

Usage help for ansible-vault:

To see how to use ‘ansible-vault’, type the command below.

[root@centos7 ~]# ansible-vault --help
Usage: ansible-vault [create|decrypt|edit|encrypt|encrypt_string|rekey|view] [options] [vaultfile.yml]

encryption/decryption utility for Ansible data files

--ask-vault-pass ask for vault password
-h, --help show this help message and exit
the new vault identity to use for rekey
new vault password file for rekey
--vault-id=VAULT_IDS the vault identity to use
vault password file
-v, --verbose verbose mode (-vvv for more, -vvvv to enable
connection debugging)
--version show program's version number and exit

See 'ansible-vault <command> --help' for more information on a specific
[root@centos7 ~]#

Let's look at the various use cases of ansible-vault below.

1) To encrypt a file via ansible-vault:

# ansible-vault create <filename>

Let's create an inventory file named ‘staticinventory.txt’ with the contents below under the ‘/root/inventory’ directory:


[root@centos7 inventory]# ansible-vault create staticinventory.txt
New Vault password:
Confirm New Vault password:

After the password is entered, the file opens in the ‘vi’ editor in insert mode. We can type the contents and save it.

The encrypted ‘staticinventory.txt’ file has now been created.

2) To read an already encrypted file via ansible-vault:

In the previous step we encrypted a file. Now try to read it with the normal ‘cat’ command and see what happens:

[root@centos7 inventory]# pwd
[root@centos7 inventory]# ls
[root@centos7 inventory]# cat staticinventory.txt
[root@centos7 inventory]#

Let's view it using ansible-vault:

[root@centos7 inventory]# ansible-vault view staticinventory.txt
Vault password:
[root@centos7 inventory]#

3) To write to, i.e. edit, an already encrypted file via ansible-vault:

# ansible-vault edit <filename>

[root@centos7 inventory]# ansible-vault edit staticinventory.txt
Vault password:

Please enter the password and proceed to make changes in the file.

4) To change the password of an already encrypted file:

# ansible-vault rekey <filename>

[root@centos7 inventory]# ansible-vault rekey staticinventory.txt
Vault password:
New Vault password:
Confirm New Vault password:
Rekey successful
[root@centos7 inventory]#

5) To decrypt an existing file via ansible-vault:

# ansible-vault decrypt <filename>

[root@centos7 inventory]# ansible-vault decrypt staticinventory.txt
Vault password:
Decryption successful
[root@centos7 inventory]#

The existing encrypted file ‘staticinventory.txt’ has now been decrypted with the above command, so we can use that file without ansible-vault, as below:

[root@centos7 inventory]# cat staticinventory.txt
[root@centos7 inventory]#
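
After step 5 the file sits on disk in plain text, so it is worth checking that every file in a directory still carries the vault header before it is committed or shared. The script below is an added example, not part of the original article; it assumes the standard first line that ansible-vault writes ($ANSIBLE_VAULT;<version>;AES256), and the function names and the sample files (including hosts.txt) are hypothetical.

```shell
#!/bin/sh
# Added example: report files that are NOT ansible-vault encrypted.
# A vault file's first line is a header such as: $ANSIBLE_VAULT;1.1;AES256

# is_vaulted FILE: status 0 if FILE starts with a vault header, 1 if not,
# 2 if FILE is not a regular file.
is_vaulted() {
    [ -f "$1" ] || return 2
    first_line=
    # read fails on an empty file or a last line without newline; keep what was read
    IFS= read -r first_line < "$1" || [ -n "$first_line" ] || return 1
    case "$first_line" in
        '$ANSIBLE_VAULT;'*';AES256'*) return 0 ;;
        *) return 1 ;;
    esac
}

# find_unvaulted DIR: print every regular file in DIR without a vault header.
# Status 1 if at least one was found, 0 if all files are encrypted.
find_unvaulted() {
    found=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if ! is_vaulted "$f"; then
            printf '%s\n' "$f"
            found=1
        fi
    done
    return "$found"
}

# make_samples DIR: write two constructed sample files (hypothetical content).
make_samples() {
    # Constructed header plus placeholder hex body, not real ciphertext.
    printf '%s\n' '$ANSIBLE_VAULT;1.1;AES256' '3030303030303030' \
        > "$1/staticinventory.txt"
    # What a file looks like after 'ansible-vault decrypt': plain text.
    printf '%s\n' '[web]' '192.0.2.10' > "$1/hosts.txt"
}

# Demo: scan a temporary directory holding the two samples.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
if unvaulted=$(find_unvaulted "$demo_dir"); then
    echo "all files are vault-encrypted"
else
    printf 'not vault-encrypted:\n%s\n' "$unvaulted"
fi
rm -rf "$demo_dir"
```

The check only inspects the header line; it does not verify that the body decrypts, which still requires ‘ansible-vault view’ and the password.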

In this article we have seen 5 different use cases of ansible-vault.