Encrypting content with Ansible Vault

Once you have a strategy for managing and storing vault passwords, you can start encrypting content. You can encrypt two types of content with Ansible Vault: variables and files. Encrypted content always includes the !vault tag, which tells Ansible and YAML that the content needs to be decrypted, and a | character, which allows multi-line strings. Encrypted content created with --vault-id also contains the vault ID label. For more details about the encryption process and the format of content encrypted with Ansible Vault, see Format of files encrypted with Ansible Vault. This table shows the main differences between encrypted variables and encrypted files:

Encrypted variables

Encrypted files

How much is encrypted?

Variables within a plaintext file

The entire file

When is it decrypted?

On demand, only when needed

Whenever loaded or referenced 1

What can be encrypted?

Only variables

Any structured data file


Ansible cannot know if it needs content from an encrypted file unless it decrypts the file, so it decrypts all encrypted files referenced in your playbooks and roles.

Encrypting individual variables with Ansible Vault

You can encrypt single values inside a YAML file using the ansible-vault encrypt_string command. For one way to keep your vaulted variables safely visible, see Keep vaulted variables safely visible.

Advantages and disadvantages of encrypting variables

With variable-level encryption, your files are still easily legible. You can mix plaintext and encrypted variables, even inline in a play or role. However, password rotation is not as simple as with file-level encryption. You cannot rekey encrypted variables. Also, variable-level encryption only works on variables. If you want to encrypt tasks or other content, you must encrypt the entire file.

Creating encrypted variables

The ansible-vault encrypt_string command encrypts and formats any string you type (or copy or generate) into a format that can be included in a playbook, role, or variables file. To create a basic encrypted variable, pass three options to the ansible-vault encrypt_string command:

  • a source for the vault password (prompt, file, or script, with or without a vault ID)

  • the string to encrypt

  • the string name (the name of the variable)

The pattern looks like this:

ansible-vault encrypt_string <password_source> '<string_to_encrypt>' --name '<string_name_of_variable>'

For example, to encrypt the string ‘foobar’ using the only password stored in ‘a_password_file’ and name the variable ‘the_secret’:

ansible-vault encrypt_string --vault-password-file a_password_file 'foobar' --name 'the_secret'

The command above creates this content:

the_secret: !vault |

To encrypt the string ‘foooodev’, add the vault ID label ‘dev’ with the ‘dev’ vault password stored in ‘a_password_file’, and call the encrypted variable ‘the_dev_secret’:

ansible-vault encrypt_string --vault-id [email protected]_password_file 'foooodev' --name 'the_dev_secret'

The command above creates this content:

the_dev_secret: !vault |

To encrypt the string ‘letmein’ read from stdin, add the vault ID ‘dev’ using the ‘dev’ vault password stored in a_password_file, and name the variable ‘db_password’:

echo -n 'letmein' | ansible-vault encrypt_string --vault-id [email protected]_password_file --stdin-name 'db_password'


Typing secret content directly at the command line (without a prompt) leaves the secret string in your shell history. Do not do this outside of testing.

The command above creates this output:

Reading plaintext input from stdin. (ctrl-d to end input, twice if your content does not already have a new line)
db_password: !vault |

To be prompted for a string to encrypt, encrypt it with the ‘dev’ vault password from ‘a_password_file’, name the variable ‘new_user_password’ and give it the vault ID label ‘dev’:

ansible-vault encrypt_string --vault-id [email protected]_password_file --stdin-name 'new_user_password'

The command above triggers this prompt:

Reading plaintext input from stdin. (ctrl-d to end input, twice if your content does not already have a new line)

Type the string to encrypt (for example, ‘hunter2’), hit ctrl-d, and wait.


Do not press Enter after supplying the string to encrypt. That will add a newline to the encrypted value.

The sequence above creates this output:

new_user_password: !vault |

You can add the output from any of the examples above to any playbook, variables file, or role for future use. Encrypted variables are larger than plain-text variables, but they protect your sensitive content while leaving the rest of the playbook, variables file, or role in plain text so you can easily read it.

Viewing encrypted variables

You can view the original value of an encrypted variable using the debug module. You must pass the password that was used to encrypt the variable. For example, if you stored the variable created by the last example above in a file called ‘vars.yml’, you could view the unencrypted value of that variable like this:

ansible localhost -m ansible.builtin.debug -a var="new_user_password" -e "@vars.yml" --vault-id [email protected]_password_file

localhost | SUCCESS => {
    "new_user_password": "hunter2"

Encrypting files with Ansible Vault

Ansible Vault can encrypt any structured data file used by Ansible, including:

  • group variables files from inventory

  • host variables files from inventory

  • variables files passed to ansible-playbook with -e @file.yml or -e @file.json

  • variables files loaded by include_vars or vars_files

  • variables files in roles

  • defaults files in roles

  • tasks files

  • handlers files

  • binary files or other arbitrary files

The full file is encrypted in the vault.


Ansible Vault uses an editor to create or modify encrypted files. See Steps to secure your editor for some guidance on securing the editor.

Advantages and disadvantages of encrypting files

File-level encryption is easy to use. Password rotation for encrypted files is straightforward with the rekey command. Encrypting files can hide not only sensitive values, but the names of the variables you use. However, with file-level encryption the contents of files are no longer easy to access and read. This may be a problem with encrypted tasks files. When encrypting a variables file, see Keep vaulted variables safely visible for one way to keep references to these variables in a non-encrypted file. Ansible always decrypts the entire encrypted file when it is when loaded or referenced, because Ansible cannot know if it needs the content unless it decrypts it.

Creating encrypted files

To create a new encrypted data file called ‘foo.yml’ with the ‘test’ vault password from ‘multi_password_file’:

ansible-vault create --vault-id [email protected]_password_file foo.yml

The tool launches an editor (whatever editor you have defined with $EDITOR, default editor is vi). Add the content. When you close the editor session, the file is saved as encrypted data. The file header reflects the vault ID used to create it:


To create a new encrypted data file with the vault ID ‘my_new_password’ assigned to it and be prompted for the password:

ansible-vault create --vault-id [email protected] foo.yml

Again, add content to the file in the editor and save. Be sure to store the new password you created at the prompt, so you can find it when you want to decrypt that file.

Encrypting existing files

To encrypt an existing file, use the ansible-vault encrypt command. This command can operate on multiple files at once. For example:

ansible-vault encrypt foo.yml bar.yml baz.yml

To encrypt existing files with the ‘project’ ID and be prompted for the password:

ansible-vault encrypt --vault-id [email protected] foo.yml bar.yml baz.yml

Viewing encrypted files

To view the contents of an encrypted file without editing it, you can use the ansible-vault view command:

ansible-vault view foo.yml bar.yml baz.yml

Editing encrypted files

To edit an encrypted file in place, use the ansible-vault edit command. This command decrypts the file to a temporary file, allows you to edit the content, then saves and re-encrypts the content and removes the temporary file when you close the editor. For example:

ansible-vault edit foo.yml

To edit a file encrypted with the vault2 password file and assigned the vault ID pass2:

ansible-vault edit --vault-id [email protected] foo.yml

Changing the password and/or vault ID on encrypted files

To change the password on an encrypted file or files, use the rekey command:

ansible-vault rekey foo.yml bar.yml baz.yml

This command can rekey multiple data files at once and will ask for the original password and also the new password. To set a different ID for the rekeyed files, pass the new ID to --new-vault-id. For example, to rekey a list of files encrypted with the ‘preprod1’ vault ID from the ‘ppold’ file to the ‘preprod2’ vault ID and be prompted for the new password:

ansible-vault rekey --vault-id [email protected] --new-vault-id [email protected] foo.yml bar.yml baz.yml

Decrypting encrypted files

If you have an encrypted file that you no longer want to keep encrypted, you can permanently decrypt it by running the ansible-vault decrypt command. This command will save the file unencrypted to the disk, so be sure you do not want to edit it instead.

ansible-vault decrypt foo.yml bar.yml baz.yml

Steps to secure your editor

Ansible Vault relies on your configured editor, which can be a source of disclosures. Most editors have ways to prevent loss of data, but these normally rely on extra plain text files that can have a clear text copy of your secrets. Consult your editor documentation to configure the editor to avoid disclosing secure data. The following sections provide some guidance on common editors but should not be taken as a complete guide to securing your editor.


You can set the following vim options in command mode to avoid cases of disclosure. There may be more settings you need to modify to ensure security, especially when using plugins, so consult the vim documentation.

  1. Disable swapfiles that act like an autosave in case of crash or interruption.

set noswapfile
  1. Disable creation of backup files.

set nobackup
set nowritebackup
  1. Disable the viminfo file from copying data from your current session.

set viminfo=
  1. Disable copying to the system clipboard.

set clipboard=

You can optionally add these settings in .vimrc for all files, or just specific paths or extensions. See the vim manual for details.


You can set the following Emacs options to avoid cases of disclosure. There may be more settings you need to modify to ensure security, especially when using plugins, so consult the Emacs documentation.

  1. Do not copy data to the system clipboard.

(setq x-select-enable-clipboard nil)
  1. Disable creation of backup files.

(setq make-backup-files nil)
  1. Disable autosave files.

(setq auto-save-default nil)