Skip to main content

Roll keys and re-encrypt secrets in any repo using Ansible Vault

Project description

ansible-vault-rekey Documentation Status Updates Python version supported

Roll keys and re-encrypt secrets in any repo using Ansible Vault


WARNING: Very few guardrails present. Running this without options will overwrite data by default.

Known issues / caveats:

  • Shows a callous disregard for whitespace and comments

  • Assumes it’s in a playbook directory if -r isn’t provided

  • Will casually write secrets to STDOUT in –debug mode

$ ansible-vault-rekey --help
Usage: ansible-vault-rekey [OPTIONS]

  (Re)keys Ansible Vault repos.

  --dry-run                 Skip any action that would overwrite an original
  -k, --keep-backups        Keep unencrypted copies of files after a
                            successful rekey.
  -r, --code-path TEXT      Path to Ansible code.
  -p, --password-file TEXT  Path to password file. Default: vault-password.txt
  -v, --vars-file TEXT      Only operate on the file specified. Default is to
                            check every YAML file in Ansible role/play dirs
                            for encrypted assets.
  --help                    Show this message and exit.

You can confirm that your secrets were rencryped properly by running debug on an encrypted var or file. eg:

ansible --vault-password-file vault-password.txt -e "@group_vars/all.yml" -i localhost, -c local -m debug -a var=somesecurevar localhost


pip install ansible-vault-rekey

We have dependencies a couple of layers down which need to compile crypto libraries if you haven’t already got them. On most systems, you’ll need the following:

  • libffi-dev / libffi-devel

  • libssl-dev / openssl-devel

  • gcc


  • TODO


With Docker (recommended):

docker build -t tmp . && docker run --rm -it -w /workspace -v $(pwd):/workspace tmp


pip install -r requirements.txt pytest & python -m pytest tests/*.py


This package was created with Cookiecutter and the audreyr/cookiecutter-pypackage project template.


2.0.1 (2020-12-31)

  • Fix improper encrypting YAML files

2.0.0 (2020-12-31)

  • Fix dependencies errors

  • Dropped support for Python2 and Python 3.5

  • Added support for Python 3.7, 3.8, 3.9

0.1.0 (2017-10-31)

  • First release on PyPI.

Project details

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

ansible-vault-rekey-2.0.1.tar.gz (11.9 kB view hashes)

Uploaded source

Built Distribution

ansible_vault_rekey-2.0.1-py2.py3-none-any.whl (10.2 kB view hashes)

Uploaded py2 py3

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page