Stage 4 · Provision
Secrets & Security
Ansible Vault
Encrypting variables and files, vault IDs, and CI integration.
What Is Ansible Vault?
Ansible Vault encrypts sensitive data — passwords, API keys, certificates — so you can store them in version control. Encrypted variables look like gibberish in git but are transparent to Ansible at runtime.
Encrypting Variables
# Create an encrypted variables file
ansible-vault create secrets.yml
# Encrypt an existing file
ansible-vault encrypt group_vars/production/secrets.yml
# Encrypt a single variable inline
ansible-vault encrypt_string 'mysecret123' --name 'db_password'Encrypted files are safe to commit to git. They cannot be read without the vault password.
# group_vars/production/secrets.yml (encrypted)
db_password: !vault |
$ANSIBLE_VAULT;1.1;AES256
66386439653236336462626566653063336164...
65623436313739346231373363396536613662...
api_key: !vault |
$ANSIBLE_VAULT;1.1;AES256
33346237396431323665383061383766653830...
30373837343862353864333231386363346566...The !vault tag indicates an encrypted value. Ansible decrypts it automatically when the vault password is provided.
Vault IDs
# Encrypt with a specific vault ID
ansible-vault encrypt --vault-id dev@prompt secrets.yml
ansible-vault encrypt --vault-id prod@prod-password.txt secrets.yml
# Create with different vault IDs
ansible-vault create --vault-id dev secrets-dev.yml
ansible-vault create --vault-id prod secrets-prod.ymlVault IDs let you use different passwords for different environments. The dev vault password does not decrypt production secrets.
# Provide vault passwords at runtime
ansible-playbook site.yml \
--vault-id dev@prompt \
--vault-id prod@prod-password.txt
# Or use a vault password file
ansible-playbook site.yml \
--vault-password-file ~/.vault_pass \
--vault-id prod@~/.vault_prod_passEach vault ID can have its own password source — prompt, file, or script. This supports multi-team environments with separate secret ownership.
Encrypting Files
# Edit encrypted file
ansible-vault edit secrets.yml
# View encrypted file
ansible-vault view secrets.yml
# Decrypt file
ansible-vault decrypt secrets.yml
# Rekey (change password)
ansible-vault rekey secrets.yml
# Encrypt a file in place
ansible-vault encrypt --in-place secrets.ymlUse edit and view for day-to-day operations. Use rekey when rotating vault passwords.
CI Integration
# In GitHub Actions
- name: Run playbook with vault
run: ansible-playbook site.yml --vault-password-file <(echo "${{ secrets.ANSIBLE_VAULT_PASSWORD }}")
# Store vault password as GitHub secret
# Settings -> Secrets -> Actions -> ANSIBLE_VAULT_PASSWORDNever store vault passwords in the repository. Use CI/CD secret stores — GitHub Secrets, GitLab CI Variables, or AWS Secrets Manager.
The vault password is the only thing protecting your secrets. Store it securely, rotate it periodically, and never commit it to git. A compromised vault password exposes all encrypted data.
Mark this lesson complete to store local progress and unlock a cleaner resume path the next time you visit.