The ansible-vault command can be used to perform a number of tasks.
Additionally, there are a few command line options to be aware of.
The ansible-vault edit command can be used to edit a file that has been encrypted by the ansible-vault command. Let's say foo.txt is encrypted.
Before editing the file, you'll want to determine whether the file was encrypted using a vault id. The id, if there is one, is the last field of the first line of the file. In this example, the file was encrypted using the "test" id.
~]$ cat foo.txt
$ANSIBLE_VAULT;1.2;AES256;test
38626262613533326438383838363032346366643231633838393661633061633830383832643062
6666663233666435636165323038653462343732343264310a616532376238616537613832363565
63336561303230626332326436303830356335343061386333636131386435316633396464353832
3631303831333164610a393266346630313635313831626639303961663330333736393236373032
3062
The following command can be used to edit foo.txt.
ansible-vault edit foo.txt
You will be prompted for the vault password.
Vault password:
Or, to avoid being prompted for the vault password when the file is not associated with a vault id, use the --vault-password-file command line option.
ansible-vault edit --vault-password-file /usr/local/vault/.vault_password.txt foo.txt
If the file is associated with a vault id, the --vault-id command line option can be used.
ansible-vault edit --vault-id test@/usr/local/ansible/vault/.vault_password.txt foo.txt
After providing the valid vault password, the file will open in your default editor, and you will be able to modify the file.
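The header check and the choice between --vault-password-file and --vault-id described above can be scripted. The following is an added example, not part of the original page: the function names vault_id_of and vault_edit_args are hypothetical, the sample files are constructed, and it assumes a header without an id has the form $ANSIBLE_VAULT;1.1;AES256.

```shell
# Print the vault id recorded in an ansible-vault header, or nothing when the
# header carries no id. Returns 1 if the file is not vault-encrypted.
vault_id_of() {
    header=$(head -n 1 "$1") || return 1
    case $header in
        '$ANSIBLE_VAULT;'*) ;;
        *) return 1 ;;
    esac
    # Header fields: $ANSIBLE_VAULT;<version>;<cipher>[;<vault id>]
    printf '%s\n' "$header" | awk -F';' '{ print $4 }' | tr -d '\r'
}

# Print the ansible-vault arguments that match the file's header.
# $1 = encrypted file, $2 = vault password file
vault_edit_args() {
    file=$1; pwfile=$2
    id=$(vault_id_of "$file") || { echo "not a vault file: $file" >&2; return 1; }
    if [ -n "$id" ]; then
        printf '%s\n' "edit --vault-id $id@$pwfile $file"
    else
        printf '%s\n' "edit --vault-password-file $pwfile $file"
    fi
}

# Constructed sample files: only the header line matters, the payload is dummy.
tmp=$(mktemp -d)
printf '%s\n' '$ANSIBLE_VAULT;1.2;AES256;test' '3862' > "$tmp/with_id.txt"
printf '%s\n' '$ANSIBLE_VAULT;1.1;AES256' '3862' > "$tmp/no_id.txt"
vault_edit_args "$tmp/with_id.txt" /usr/local/ansible/vault/.vault_password.txt
vault_edit_args "$tmp/no_id.txt" /usr/local/vault/.vault_password.txt
```

The printed arguments are for review before running ansible-vault by hand; paths containing spaces would need quoting.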