NAME

       ansible-vault - manage encrypted ansible vars files (YAML).

SYNOPSIS

       ansible-vault [create|decrypt|edit|encrypt|rekey] [--help] [options] file_name

DESCRIPTION

       ansible-vault can encrypt any structured data file used by Ansible. This can include
       group_vars/ or host_vars/ inventory variables, variables loaded by include_vars or
       vars_files, or variable files passed on the ansible-playbook command line with -e
       @file.yml or -e @file.json. Role variables and defaults are also included!

       Because Ansible tasks, handlers, and so on are also data, these can also be encrypted with
       vault. If you’d like to not betray what variables you are even using, you can go as far to
       keep an individual task file entirely encrypted.

       The password used with vault currently must be the same for all files you wish to use
       together at the same time.

COMMON OPTIONS

       The following options are available to all sub-commands:

       --vault-password-file=FILE
           A file containing the vault password to be used during the encryption/decryption
           steps. Be sure to keep this file secured if it is used. If the file is executable, it
           will be run and its standard output will be used as the password.

       --new-vault-password-file=FILE
           A file containing the new vault password to be used when rekeying a file. Be sure to
           keep this file secured if it is used. If the file is executable, it will be run and
           its standard output will be used as the password.

       -h, --help
           Show a help message related to the given sub-command.

       If --valut-password-file is not supplied ansib-vault will automatically prompt for
       passwords as required.

CREATE

       $ ansible-vault create [options] FILE

       The create sub-command is used to initialize a new encrypted file.

       After providing a password, the tool will launch whatever editor you have defined with
       $EDITOR, and defaults to vim. Once you are done with the editor session, the file will be
       saved as encrypted data.

       The default cipher is AES (which is shared-secret based).

EDIT

       $ ansible-vault edit [options] FILE

       The edit sub-command is used to modify a file which was previously encrypted using
       ansible-vault.

       This command will decrypt the file to a temporary file and allow you to edit the file,
       saving it back when done and removing the temporary file.

REKEY

       $ ansible-vault rekey [options] FILE_1 [FILE_2, ..., FILE_N]

       The rekey command is used to change the password on a vault-encrypted files. This command
       can update multiple files at once.

ENCRYPT

       $ ansible-vault encrypt [options] FILE_1 [FILE_2, ..., FILE_N]

       The encrypt sub-command is used to encrypt pre-existing data files. As with the rekey
       command, you can specify multiple files in one command.

       The encrypt command accepts an --output FILENAME option to determine where encrypted
       output is stored. With this option, input is read from the (at most one) filename given on
       the command line; if no input file is given, input is read from stdin. Either the input or
       the output file may be given as - for stdin and stdout respectively. If neither input nor
       output file is given, the command acts as a filter, reading plaintext from stdin and
       writing it to stdout.

       Thus any of the following invocations can be used:

       $ ansible-vault encrypt

       $ ansible-vault encrypt --output OUTFILE

       $ ansible-vault encrypt INFILE --output OUTFILE

       $ echo secret|ansible-vault encrypt --output OUTFILE

       Reading from stdin and writing only encrypted output is a good way to prevent sensitive
       data from ever hitting disk (either interactively or from a script).

DECRYPT

       $ ansible-vault decrypt [options] FILE_1 [FILE_2, ..., FILE_N]

       The decrypt sub-command is used to remove all encryption from data files. The files will
       be stored as plain-text YAML once again, so be sure that you do not run this command on
       data files with active passwords or other sensitive data. In most cases, users will want
       to use the edit sub-command to modify the files securely.

       As with encrypt, the decrypt subcommand also accepts the --output FILENAME option to
       specify where plaintext output is stored, and stdin/stdout is handled as described above.

AUTHOR

       Ansible was originally written by Michael DeHaan. See the AUTHORS file for a complete list
       of contributors.

COPYRIGHT

       Copyright © 2014, Michael DeHaan

       Ansible is released under the terms of the GPLv3 License.

SEE ALSO

       ansible(1), ansible-pull(1), ansible-doc(1), ansible-playbook(1), ansible-galaxy(1)

       Extensive documentation is available in the documentation site: http://docs.ansible.com.
       IRC and mailing list info can be found in file CONTRIBUTING.md, available in:
       https://github.com/ansible/ansible