The ansible-vault command can be used to perform a number of tasks.
- ansible-vault create - create an encrypted file
- ansible-vault decrypt - decrypt an encrypted file
- ansible-vault edit - edit an encrypted file
- ansible-vault encrypt - encrypt a non-encrypted file
- ansible-vault encrypt_string - encrypt a string
- ansible-vault rekey - change the password used to view or decrypt an encrypted file
- ansible-vault view - view the cleartext contents of an encrypted file
Additionally, there are a few command line options to be aware of.
- --ask-vault-pass - prompt for the vault password
- --vault-id - use a specific user's password in a file
- --vault-password-file - use a single password in a file (or the vault_password_file directive in ansible.cfg)
The ansible-vault rekey command can be used to change the vault password of a file that was encrypted by the ansible-vault command.
If you use the ansible-vault rekey command to change the password of a vault encrypted file, the content of the vault encrypted file will change, so any playbook that uses the content of the encrypted file will need to be updated with the new encrypted string.
If the vault_password_file directive in ansible.cfg is being used to get the vault password from a file, you will not be prompted for the new vault password when attempting to rekey the vault encrypted file, which is probably not what you want. In this scenario, you can use the --ask-vault-pass option, comment out the vault_password_file directive in ansible.cfg, or update the vault password file to contain the new password being used in the rekey.
Let's say foo.yml is encrypted. The following command will change the vault password of foo.yml.
ansible-vault rekey foo.yml
You will be prompted for the current vault password.
After providing the current vault password, you will be prompted to create the new vault password.
New Vault password:
After providing the new vault password, the following will be displayed.
Refer to this article for the steps on how to configure passwordless authentication with the ansible-vault command.
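The rekey above can also be run without prompts, with a check for the vault_password_file pitfall first. This is an added example, not part of the original article; old.pass, new.pass and the function names are placeholders, and it relies on the --new-vault-password-file option of ansible-vault rekey.

```shell
#!/usr/bin/env bash
# Added example: non-interactive rekey with pre-flight and post-rekey checks.
# Usage (placeholder file names): safe_rekey foo.yml old.pass new.pass [ansible.cfg]

# Print the active (uncommented) vault_password_file value from an ansible.cfg.
# Prints nothing when the directive is absent, commented out, or the file is missing.
cfg_vault_password_file() {
    [ -f "$1" ] || return 0
    sed -n 's/^[[:space:]]*vault_password_file[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1
}

# Succeed only if the first line is the header ansible-vault writes to encrypted files.
is_vault_file() {
    first=$(head -n 1 "$1" 2>/dev/null) || return 1
    case "$first" in
        '$ANSIBLE_VAULT;'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Rekey $1 from the password in file $2 to the password in file $3.
# Returns 2 if $1 is not vault encrypted, 1 if the rekey or verification fails.
safe_rekey() {
    file=$1 old=$2 new=$3 cfg=${4:-ansible.cfg}
    is_vault_file "$file" || { echo "$file: not vault encrypted" >&2; return 2; }

    # Surface the ansible.cfg directive so the operator knows it is in play.
    active=$(cfg_vault_password_file "$cfg")
    [ -z "$active" ] || echo "note: $cfg sets vault_password_file=$active;" \
        "old and new passwords are passed explicitly instead" >&2

    # Keep the still-encrypted original until the new password is proven to work.
    cp -p "$file" "$file.pre-rekey" || return 1
    ansible-vault rekey --vault-password-file "$old" \
        --new-vault-password-file "$new" "$file" || return 1

    if ansible-vault view --vault-password-file "$new" "$file" >/dev/null; then
        rm -f "$file.pre-rekey"
    else
        mv "$file.pre-rekey" "$file"
        return 1
    fi
}
```

Keep both password files readable only by the account running the rekey (mode 600) and remove old.pass once every file that used the old password has been rekeyed.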