Skip to main content

Roll keys and re-encrypt secrets in any repo using Ansible Vault

Project description

ansible-vault-rekey Documentation Status Updates Python 3

Roll keys and re-encrypt secrets in any repo using Ansible Vault


WARNING: Very few guardrails present. Running this without options will overwrite data by default.

Known issues / caveats:

  • Shows a callous disregard for whitespace and comments
  • Assumes it’s in a playbook directory if -r isn’t provided
  • Will casually write secrets to STDOUT in –debug mode
$ ansible-vault-rekey --help
Usage: ansible-vault-rekey [OPTIONS]

  (Re)keys Ansible Vault repos.

  --dry-run                 Skip any action that would overwrite an original
  -k, --keep-backups        Keep unencrypted copies of files after a
                            successful rekey.
  -r, --code-path TEXT      Path to Ansible code.
  -p, --password-file TEXT  Path to password file. Default: vault-password.txt
  -v, --vars-file TEXT      Only operate on the file specified. Default is to
                            check every YAML file in Ansible role/play dirs
                            for encrypted assets.
  --help                    Show this message and exit.


We have dependencies a couple of layers down which need to compile crypto libraries if you haven’t already got them. On most systems, you’ll need the following:

  • libffi-dev / libffi-devel
  • libssl-dev / openssl-devel
  • gcc


  • TODO


With Docker (recommended):

docker build -t tmp . && docker run --rm -it -w /workspace -v $(pwd):/workspace tmp


pip install -r requirements.txt -r requirements_dev.txt && python2.7 -m pytest tests/*.py


This package was created with Cookiecutter and the audreyr/cookiecutter-pypackage project template.


0.1.0 (2017-10-31)

  • First release on PyPI.

Project details

Release history Release notifications

This version
History Node


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Filename, size & hash SHA256 hash help File type Python version Upload date
ansible_vault_rekey-1.0.0-py2.py3-none-any.whl (10.7 kB) Copy SHA256 hash SHA256 Wheel py2.py3
ansible-vault-rekey-1.0.0.tar.gz (12.6 kB) Copy SHA256 hash SHA256 Source None

Supported by

Elastic Elastic Search Pingdom Pingdom Monitoring Google Google BigQuery Sentry Sentry Error logging AWS AWS Cloud computing DataDog DataDog Monitoring Fastly Fastly CDN SignalFx SignalFx Supporter DigiCert DigiCert EV certificate StatusPage StatusPage Status page