# Ansible vault encrypt-decrypt

## Encrypt

Echo passwords through ansible-vault into a file (or files). Be sure to escape special characters (see below) or avoid them altogether.

```
" ' [ ] { } > | * & ! % # ` @ ,
```

Provide encryption password when prompted (can be different for each password)

```bash
printf "%s" <password1> | ansible-vault encrypt_string --stdin-name=<password-name1> > <password-file>.var.yml
printf "%s" <password2> | ansible-vault encrypt_string --stdin-name=<password-name2> >> <password-file>.var.yml
```

## Decrypt

Retrieve a single decrytped password from yml file containing vaulted password.

Prompt for encryption password.

```bash
ansible localhost -e '@<yaml file containing password>.yml' --ask-vault-pass -m debug -a 'var=<password-name>'
```

Or include reference to vault password if you have it stored in a file

```bash
ansible localhost -e '@<yaml file containing password>.yml' --vault-password-file ~/pw.vault -m debug -a 'var=<password-name>'
```