Manage encrypted Ansible secrets with ansible-vault. Use when you need to encrypt vars files, rekey secret material, or supply vault identities safely during playbook runs.
Use this skill to keep secrets encrypted in Git while still feeding them into playbooks safely.
group_vars, host_vars, or dedicated secret files
encrypt_string
ansible-vault.
--vault-id or --vault-password-file.
no_log: true to tasks that may surface secret values.
ansible-vault encrypt group_vars/prod/secrets.yml --vault-id prod@prompt
ansible-vault view group_vars/prod/secrets.yml --vault-id prod@~/.ansible/prod.vault
ansible-vault rekey group_vars/prod/secrets.yml --vault-id prod@prompt --new-vault-id prod@~/.ansible/new-prod.vault
ansible-vault encrypt_string --vault-id prod@prompt --name db_password supersecret
# Encrypt a file
ANSIBLE_VAULT_ACTION=encrypt \
ANSIBLE_VAULT_TARGET=group_vars/prod/secrets.yml \
ANSIBLE_VAULT_ID=prod@prompt \
./scripts/manage-vault.sh
# Encrypt a single inline variable
ANSIBLE_VAULT_ACTION=encrypt-string \
ANSIBLE_VAULT_ID=prod@prompt \
ANSIBLE_VAULT_NAME=db_password \
ANSIBLE_VAULT_STRING=supersecret \
./scripts/manage-vault.sh
create and edit are interactive and require a terminal.
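
To back the goal of keeping secrets encrypted in Git, the following check (an added example, not part of this skill or of `scripts/manage-vault.sh`) confirms that each listed file starts with an Ansible Vault header and was encrypted under the expected vault ID label. The function names are hypothetical; the header layout assumed is the one ansible-vault writes as the first line of a fully encrypted file.

```shell
#!/bin/sh
# Added example: pre-commit style check that vault files are encrypted.
# Header layout checked: $ANSIBLE_VAULT;<version>;<cipher>[;<vault-id label>]
# Function names are hypothetical, not part of ansible-vault.

# Print the vault-id label of a fully encrypted file (an empty line for
# format 1.1, which carries no label). Return 1 when the first line is
# not a vault header, the file is empty, or it cannot be read.
vault_label() {
    _vl_first=
    IFS= read -r _vl_first < "$1" || [ -n "$_vl_first" ] || return 1
    case "$_vl_first" in
        '$ANSIBLE_VAULT;1.1;AES256') printf '\n' ;;
        '$ANSIBLE_VAULT;1.2;AES256;'?*) printf '%s\n' "${_vl_first##*;}" ;;
        *) return 1 ;;
    esac
}

# check_vault_files LABEL FILE...
# Report every file that is plaintext or encrypted under another vault ID.
# Returns 0 only when all files carry the expected label.
# Usage: check_vault_files prod group_vars/prod/secrets.yml
check_vault_files() {
    _cv_want=$1
    _cv_rc=0
    shift
    for _cv_file in "$@"; do
        if ! _cv_got=$(vault_label "$_cv_file"); then
            echo "PLAINTEXT  $_cv_file" >&2
            _cv_rc=1
        elif [ "$_cv_got" != "$_cv_want" ]; then
            echo "WRONG-ID   $_cv_file (label '$_cv_got', expected '$_cv_want')" >&2
            _cv_rc=1
        fi
    done
    return "$_cv_rc"
}
```

The check only covers fully encrypted files; variables embedded with `encrypt_string` sit inside otherwise plaintext YAML and are reported as PLAINTEXT.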