encryption/decryption utility for Ansible data files
usage: ansible-vault [-h] [--version] [-v]
{create,decrypt,edit,view,encrypt,encrypt_string,rekey}
...
can encrypt any structured data file used by Ansible. This can include group_vars/ or host_vars/ inventory variables, variables loaded by include_vars or vars_files, or variable files passed on the ansible-playbook command line with -e @file.yml or -e @file.json. Role variables and defaults are also included!
Because Ansible tasks, handlers, and other objects are data, these can also be encrypted with vault. If you’d like to not expose what variables you are using, you can keep an individual task file entirely encrypted.
--version show program’s version number, config file location, configured module search path, module location, executable location and exit
-h, --help show this help message and exit
-v, --verbose Causes Ansible to print more debug messages. Adding multiple -v will increase the verbosity, the builtin plugins currently evaluate up to -vvvvvv. A reasonable level to start is -vvv, connection debugging might require -vvvv. This argument may be specified multiple times.
create and open a file in an editor that will be encrypted with the provided vault secret when closed
--encrypt-vault-id <ENCRYPT_VAULT_ID> the vault id used to encrypt (required if more than one vault-id is provided)
--skip-tty-check allows editor to be opened when no tty attached
--vault-id the vault identity to use. This argument may be specified multiple times.
--vault-password-file, --vault-pass-file vault password file
-J, --ask-vault-password, --ask-vault-pass ask for vault password
decrypt the supplied file using the provided vault secret
--output <OUTPUT_FILE> output file name for encrypt or decrypt; use - for stdout
--vault-id the vault identity to use. This argument may be specified multiple times.
--vault-password-file, --vault-pass-file vault password file
-J, --ask-vault-password, --ask-vault-pass ask for vault password
open and decrypt an existing vaulted file in an editor, that will be encrypted again when closed
--encrypt-vault-id <ENCRYPT_VAULT_ID> the vault id used to encrypt (required if more than one vault-id is provided)
--vault-id the vault identity to use. This argument may be specified multiple times.
--vault-password-file, --vault-pass-file vault password file
-J, --ask-vault-password, --ask-vault-pass ask for vault password
open, decrypt and view an existing vaulted file using a pager using the supplied vault secret
--vault-id the vault identity to use. This argument may be specified multiple times.
--vault-password-file, --vault-pass-file vault password file
-J, --ask-vault-password, --ask-vault-pass ask for vault password
encrypt the supplied file using the provided vault secret
--encrypt-vault-id <ENCRYPT_VAULT_ID> the vault id used to encrypt (required if more than one vault-id is provided)
--output <OUTPUT_FILE> output file name for encrypt or decrypt; use - for stdout
--vault-id the vault identity to use. This argument may be specified multiple times.
--vault-password-file, --vault-pass-file vault password file
-J, --ask-vault-password, --ask-vault-pass ask for vault password
encrypt the supplied string using the provided vault secret
--encrypt-vault-id <ENCRYPT_VAULT_ID> the vault id used to encrypt (required if more than one vault-id is provided)
--output <OUTPUT_FILE> output file name for encrypt or decrypt; use - for stdout
--show-input Do not hide input when prompted for the string to encrypt
--stdin-name <ENCRYPT_STRING_STDIN_NAME> Specify the variable name for stdin
--vault-id the vault identity to use. This argument may be specified multiple times.
--vault-password-file, --vault-pass-file vault password file
-J, --ask-vault-password, --ask-vault-pass ask for vault password
-n, --name Specify the variable name. This argument may be specified multiple times.
-p, --prompt Prompt for the string to encrypt
re-encrypt a vaulted file with a new secret, the previous secret is required
--encrypt-vault-id <ENCRYPT_VAULT_ID> the vault id used to encrypt (required if more than one vault-id is provided)
--new-vault-id <NEW_VAULT_ID> the new vault identity to use for rekey
--new-vault-password-file <NEW_VAULT_PASSWORD_FILE> new vault password file for rekey
--vault-id the vault identity to use. This argument may be specified multiple times.
--vault-password-file, --vault-pass-file vault password file
-J, --ask-vault-password, --ask-vault-pass ask for vault password
The following environment variables may be specified.
ANSIBLE_CONFIG – Override the default ansible config file
Many more are available for most options in ansible.cfg
/etc/ansible/ansible.cfg – Config file, used if present
~/.ansible.cfg – User config file, overrides the default config if present
Ansible is released under the terms of the GPLv3+ License.
ansible(1), ansible-config(1), ansible-console(1), ansible-doc(1), ansible-galaxy(1), ansible-inventory(1), ansible-playbook(1), ansible-pull(1),
© 2012–2018 Michael DeHaan
© 2018–2025 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/latest/cli/ansible-vault.html