Bootstrap FreeKB - Ansible - ansible-vault decrypt command
Ansible - ansible-vault decrypt command

Updated:   |  Ansible articles

The ansible-vault command can be used to perform a number of tasks.

Additionally, there are a few command line options to be aware of.


The ansible-vault decrypt command is used to decrypt a file that was encrypted by the ansible-vault command. Let's say vault.yml was encrypted by the ansbile-vault command.

Before decrypting the file, you'll want to determine if the file was encrypted using a certain vault id. In this example, the file was encrypted using the "test" id.

~]$ cat vault.yml


The following command will decrypt the file.

ansible-vault decrypt vault.yml


You will be prompted to for the vault password.

Vault password:


Or, to avoid being prompted for the vault password, if the file is not associated with a vault id, the --vault-password-file command line option can be used.

ansible-vault decrypt --vault-password-file /usr/local/ansible/vault/.vault_password.txt vault.yml


If the file is associated with a vault id, the --vault-id command line option can be used.

ansible-vault decrypt --vault-id test@/usr/local/ansible/vault/.vault_password.txt vault.yml


Or you could set the vault_password_file directive in your ansible.cfg file.

vault_password_file = /usr/local/ansible/vault/.vault_password.txt


In this scenario, you wouldn't need to use any of the vault password command line options (--ask-vault-pass--vault-password-file--vault-id).

ansible-vault decrypt vault.yml


If the file was successful decrypted, the following will be displayed.

Decryption successful


Did you find this article helpful?

If so, consider buying me a coffee over at Buy Me A Coffee


Add a Comment

Please enter df2d71 in the box below so that we can be sure you are a human.