Introduction
Ansible Vault encrypts sensitive data like passwords, API keys, and certificates. When vault decryption fails, playbooks cannot access secrets and immediately fail. The failure can stem from incorrect passwords, vault ID mismatches, password file issues, or corrupted encrypted files. Understanding Ansible Vault's architecture and password handling is essential for resolving these errors quickly.
Symptoms
No vault secret supplied at all (the file is encrypted, but no password, password file or vault ID was given):
```bash
$ ansible-playbook site.yml
ERROR! Attempting to decrypt but no vault secrets found
```
Wrong password (a secret was supplied, but none of the configured secrets can decrypt the file):
```bash
$ ansible-vault view secrets.yml
Vault password:
ERROR! Decryption failed (no vault secrets were found that could decrypt) on secrets.yml
```
Vault ID mismatch (the file is labelled `production`, only the `dev` secret was supplied; the error text is the same as for a wrong password, so always check the header):
```bash
$ ansible-playbook site.yml --vault-id dev@prompt
Vault password (dev):
ERROR! Decryption failed (no vault secrets were found that could decrypt) on group_vars/production/vault.yml
```
File corruption indicators (truncated or hand-edited hex body; the exact wording varies between ansible-core versions):
```bash
$ ansible-vault view secrets.yml
Vault password:
ERROR! Vault format unhexlify error: Odd-length string
```
Vault password file missing:
```bash
$ ansible-playbook site.yml
ERROR! The vault password file /home/user/.vault_pass was not found
```
Vault password file with the executable bit set (Ansible runs any executable password file as a script instead of reading it):
```bash
$ ansible-playbook site.yml --vault-password-file ~/.vault_pass
ERROR! Problem running vault password script /home/user/.vault_pass ([Errno 8] Exec format error). If this is not a script, remove the executable bit from the file.
```
Common Causes
1. Wrong Vault Password
Simple password mismatch:
```bash
# Original password: MySecret123
# User enters: MySecret12 (typo)
```
2. Multiple Vault IDs Without All Passwords
File encrypted under one vault ID, but no secret supplied for that label:
```bash
# File header shows vault ID
$ANSIBLE_VAULT;1.2;AES256;production
# But only the dev password was provided (--vault-id dev@prompt)
```
3. Vault Password File Issues
Ansible strips leading and trailing whitespace, including a trailing newline, when it reads a password file, so a trailing newline on its own is harmless. What does break decryption is a second non-blank line (it becomes part of the password), a UTF-8 BOM, or an executable bit, which makes Ansible run the file as a password script instead of reading it:
```bash
$ cat -A ~/.vault_pass
my_password$
# rotated 2024-01-01$      <- second line is read as part of the password
$ ls -l ~/.vault_pass
-rwx------ 1 user user 12 Jan  1 12:00 /home/user/.vault_pass   <- executable: treated as a script
```
4. File Corruption
Vault file truncated or modified:
```bash
$ head -3 secrets.yml
$ANSIBLE_VAULT;1.1;AES256
303161393534303436643735383039...
# File was truncated here - incomplete
```
5. Encoding Issues
File saved with a byte-order mark or converted to CRLF line endings. A BOM in front of `$ANSIBLE_VAULT` hides the header, so Ansible does not treat the file as encrypted at all (`ansible-vault view` then reports that the input is not vault encrypted data, and a playbook sees the raw text as the variable value); carriage returns end up inside the hex body and make it undecodable:
```bash
$ file secrets.yml
secrets.yml: UTF-8 Unicode (with BOM) text
```
6. Vault Password File Permission Issues
Password file not readable by the user running Ansible:
```bash
$ ls -la ~/.vault_pass
-rw------- 1 other other 15 Jan 1 12:00 /home/user/.vault_pass
# Owned by another user with mode 600: unreadable for the current user
```
Step-by-Step Fix
Step 1: Verify Vault File Format
Check the vault file header:
```bash
# View first line to check format and vault ID
head -1 secrets.yml

# Possible outputs:
# $ANSIBLE_VAULT;1.1;AES256              Version 1.1, no vault ID (decrypted with the "default" secret)
# $ANSIBLE_VAULT;1.2;AES256;production   Version 1.2 with vault ID "production"
```
Check file integrity:
```bash
# File should start with $ANSIBLE_VAULT
head -1 secrets.yml | grep -q '^\$ANSIBLE_VAULT;'
echo "Exit code: $?"

# Check for non-printable characters (a BOM shows as M-oM-;M-?, CRLF as ^M$)
cat -A secrets.yml | head -5

# Check file encoding
file secrets.yml
```
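The checks of Step 1 gathered into one function, as an added example that is not code from the original article or from Ansible: it parses the envelope header, rejects a BOM or CRLF line endings, validates the version and cipher fields, and verifies that the hex body has an even number of digits. It can only say whether the envelope is well formed; a passing file still has to be decrypted with the right secret. The sample envelopes in the usage comment are constructed for illustration.

```sh
#!/bin/sh
# vault_file_check.sh: structural check of an Ansible Vault envelope.
# Added example, not code from the original article or from Ansible. It
# inspects only the envelope (header line plus hex body); it cannot verify
# the password or the HMAC, so a clean result still needs a real
# "ansible-vault view" against the right secret.

# vault_file_check FILE
# Prints the vault id ("default" for a 1.1 header) and returns 0 if the
# envelope is well formed; otherwise prints the reason on stderr and
# returns 1.
vault_file_check() {
    f=$1
    [ -r "$f" ] || { echo "$f: not readable" >&2; return 1; }

    # A UTF-8 BOM (EF BB BF) in front of the header stops Ansible from
    # recognising the file as encrypted at all.
    if [ "$(od -An -tx1 -N3 "$f" | tr -d ' \n')" = "efbbbf" ]; then
        echo "$f: UTF-8 BOM before header" >&2; return 1
    fi
    # Carriage returns (CRLF conversion) end up inside the hex body.
    if grep -q "$(printf '\r')" "$f"; then
        echo "$f: CRLF line endings" >&2; return 1
    fi

    # Header fields: $ANSIBLE_VAULT;<version>;<cipher>[;<vault id>]
    header=$(head -n 1 "$f")
    case "$header" in
        '$ANSIBLE_VAULT;'*) ;;
        *) echo "$f: missing \$ANSIBLE_VAULT header" >&2; return 1 ;;
    esac
    version=$(printf '%s' "$header" | cut -d';' -f2)
    cipher=$(printf '%s' "$header" | cut -d';' -f3)
    vault_id=$(printf '%s' "$header" | cut -d';' -f4)
    case "$version" in
        1.1|1.2) ;;
        *) echo "$f: unsupported envelope version '$version'" >&2; return 1 ;;
    esac
    [ "$cipher" = "AES256" ] || { echo "$f: unsupported cipher '$cipher'" >&2; return 1; }
    [ -n "$vault_id" ] || vault_id=default

    # Body: hex digits only, and an even count (an odd count means the
    # file was cut mid-byte).
    body=$(tail -n +2 "$f" | tr -d '\n')
    [ -n "$body" ] || { echo "$f: empty body" >&2; return 1; }
    case "$body" in
        *[!0-9a-fA-F]*) echo "$f: non-hex characters in body" >&2; return 1 ;;
    esac
    if [ $(( ${#body} % 2 )) -ne 0 ]; then
        echo "$f: odd-length hex body (truncated?)" >&2; return 1
    fi
    printf '%s\n' "$vault_id"
}

# Usage (constructed sample; a real body is much longer):
#   printf '$ANSIBLE_VAULT;1.2;AES256;production\n30316162\n' > /tmp/v.yml
#   vault_file_check /tmp/v.yml && echo "envelope OK"
```

Run it over every file you intend to load (`for f in group_vars/*/vault.yml; do vault_file_check "$f"; done`) before spending time on password problems; the printed vault id is also the label you must supply with `--vault-id`.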
Step 2: Test Decryption Interactively
Test with password prompt:
```bash
# Try viewing the file
ansible-vault view secrets.yml

# Try with specific vault ID
ansible-vault view secrets.yml --vault-id production@prompt

# Try with password file
ansible-vault view secrets.yml --vault-password-file ~/.vault_pass
```
Step 3: Fix Vault Password File Issues
Create or fix the password file. Ansible strips surrounding whitespace when it reads the file, so a trailing newline is tolerated; what matters is that the file holds a single line, has no BOM, is readable only by you, and is not executable (an executable file is run as a password script):
```bash
# Create password file (no trailing newline, though one would be stripped anyway)
printf '%s' 'your_password' > ~/.vault_pass
chmod 600 ~/.vault_pass   # owner read/write only, and not executable

# Verify the contents: exactly one line, no BOM (ef bb bf), no stray characters
hexdump -C ~/.vault_pass
cat -A ~/.vault_pass
```
Configure ansible.cfg for vault password file:
```ini
# ansible.cfg
[defaults]
vault_password_file = ~/.vault_pass

# Or for multiple password files, one per vault ID label
vault_identity_list = dev@~/.vault_dev, prod@~/.vault_prod
```
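A pre-flight check for the password file, added here as an example (not the article's or Ansible's own code). It encodes the behaviour described above: an executable file is run as a script, whitespace around the password is stripped, and a BOM or a second non-blank line is not. Owner-only permissions are enforced as well, because the file is a cleartext secret. The paths in the usage comment are illustrative.

```sh
#!/bin/sh
# vault_password_file_check.sh: sanity-check a vault password file before
# passing it via --vault-password-file or --vault-id label@path.
# Added example, not code from the original article or from Ansible.

# vault_password_file_check PATH
# Returns 0 if PATH is a usable plain-text password file; otherwise prints
# the problem on stderr and returns 1.
vault_password_file_check() {
    p=$1
    [ -e "$p" ] || { echo "$p: not found" >&2; return 1; }
    [ -r "$p" ] || { echo "$p: not readable by $(id -un) (check owner)" >&2; return 1; }
    # Executable bit: Ansible would try to run the file as a password script.
    if [ -x "$p" ]; then
        echo "$p: executable, Ansible would run it as a script; chmod 600 it" >&2
        return 1
    fi

    # Mode must be owner-only (600/400): the file is a cleartext secret.
    mode=$(stat -c %a "$p" 2>/dev/null || stat -f %Lp "$p")
    case "$mode" in
        *00) ;;
        *) echo "$p: mode $mode is group/world accessible; chmod 600" >&2; return 1 ;;
    esac

    # A BOM is not whitespace, so Ansible would keep it as part of the password.
    if [ "$(od -An -tx1 -N3 "$p" | tr -d ' \n')" = "efbbbf" ]; then
        echo "$p: starts with a UTF-8 BOM" >&2; return 1
    fi
    # Exactly one non-blank line: blank lines around it are stripped by
    # Ansible, but a second non-blank line becomes part of the password.
    lines=$(grep -c . "$p" || true)
    if [ "$lines" -ne 1 ]; then
        echo "$p: expected one non-empty line, found $lines" >&2; return 1
    fi
    return 0
}

# Usage:
#   vault_password_file_check ~/.vault_pass && \
#       ansible-playbook site.yml --vault-password-file ~/.vault_pass
```

Wire it into a wrapper or CI job so a misconfigured password file fails fast with a specific reason instead of the generic "no vault secrets were found that could decrypt".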
Step 4: Handle Multiple Vault IDs
Configure multiple vault passwords:
```bash
# Use vault-id for multiple passwords
ansible-playbook site.yml \
  --vault-id dev@~/.vault_dev \
  --vault-id prod@~/.vault_prod \
  --vault-id staging@prompt
```
Or configure them in ansible.cfg. By default Ansible tries the secret whose label matches the file's vault ID first and then falls back to every other configured secret; `vault_id_match = True` disables that fallback, so a file labelled `prod` is only ever decrypted with the `prod` secret and a mislabelled file fails loudly instead of being decrypted by whichever secret happens to work:
```ini
# ansible.cfg
[defaults]
vault_identity_list = dev@~/.vault_dev,prod@~/.vault_prod,staging@prompt
vault_id_match = True
```
Re-encrypt file with correct vault ID:
```bash
# Re-encrypt with specific vault ID
ansible-vault rekey secrets.yml --vault-id old@prompt --new-vault-id prod@prompt

# Encrypt unencrypted file with vault ID
ansible-vault encrypt secrets.yml --vault-id prod@prompt

# Change vault ID of encrypted file
ansible-vault rekey secrets.yml --ask-vault-pass --new-vault-id production@prompt
```
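An added example (not from the original article or from Ansible) that derives the `--vault-id` arguments from the files' own headers, so a label such as `production` with no matching secret is caught before the playbook runs rather than surfacing as "no vault secrets were found that could decrypt". It assumes one password file per label, named after the label, under a directory given by the `VAULT_SECRET_DIR` variable (default `~/.vault`, the layout Step 7 uses); both the variable and the layout are assumptions of this example.

```sh
#!/bin/sh
# vault_id_args.sh: derive the --vault-id arguments a run needs from the
# headers of the vault files it will touch, and refuse to run when a label
# has no secret. Added example, not code from the original article or from
# Ansible. Assumes one password file per label, named after the label,
# under $VAULT_SECRET_DIR (default ~/.vault); 1.1 headers map to "default".

# vault_ids_in FILE...
# Prints the distinct vault ids used by the given files, one per line;
# files without a $ANSIBLE_VAULT header are skipped.
vault_ids_in() {
    for f in "$@"; do
        header=$(head -n 1 "$f" 2>/dev/null | tr -d '\r')
        case "$header" in
            '$ANSIBLE_VAULT;'*) ;;
            *) continue ;;
        esac
        id=$(printf '%s' "$header" | cut -d';' -f4)
        [ -n "$id" ] || id=default
        printf '%s\n' "$id"
    done | sort -u
}

# vault_id_args FILE...
# Prints one "--vault-id label@path" per id found; returns 1 (listing the
# unmatched labels on stderr) if any id has no password file.
vault_id_args() {
    dir=${VAULT_SECRET_DIR:-$HOME/.vault}
    missing=""
    for id in $(vault_ids_in "$@"); do
        if [ -f "$dir/$id" ]; then
            printf '%s %s@%s\n' --vault-id "$id" "$dir/$id"
        else
            missing="$missing $id"
        fi
    done
    if [ -n "$missing" ]; then
        echo "no password file under $dir for vault id(s):$missing" >&2
        return 1
    fi
    return 0
}

# Usage:
#   args=$(vault_id_args group_vars/*/vault.yml host_vars/*/vault.yml) || exit 1
#   ansible-playbook site.yml $args
```

Combined with `vault_id_match = True` from the ansible.cfg above, this gives a closed loop: every label present in the repository has exactly one secret, and every secret is only ever applied to files that carry its label.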
Step 5: Rekey Vault Files
Change vault password:
```bash
# Interactive rekey: prompts for the old password, then the new one twice
ansible-vault rekey secrets.yml

# Rekey with password files
ansible-vault rekey secrets.yml \
  --vault-password-file ~/.old_pass \
  --new-vault-password-file ~/.new_pass

# Rekey with vault IDs
ansible-vault rekey secrets.yml \
  --vault-id old@~/.old_pass \
  --new-vault-id new@~/.new_pass

# Rekey multiple files; without --new-vault-id you are prompted for the
# new password once per file
for f in group_vars/*/vault.yml; do
  ansible-vault rekey "$f" --vault-id prod@~/.vault_prod --new-vault-id prod@~/.vault_prod.new
done
```
Step 6: Fix Corrupted Vault Files
Attempt to identify corruption. The body of a vault file is hex, not base64, so check it as hex: an odd number of digits or any non-hex character means the file was truncated or edited after encryption:
```bash
# Re-assemble the body and check it is even-length hex
tail -n +2 secrets.yml | tr -d '\n' | wc -c                      # must be even
tail -n +2 secrets.yml | tr -d '\n' | grep -q '[^0-9a-fA-F]' \
  && echo "non-hex characters in body (BOM, CRLF, or edited?)"

# Try decryption with verbose error
ansible-vault view secrets.yml -vvv 2>&1 | grep -i error

# Compare the line count with a known-good copy (git, backup)
wc -l secrets.yml
```
Restore from backup:
```bash
# If you have git history
git show HEAD~5:secrets.yml > secrets.yml

# If you have backups
cp /backup/secrets.yml secrets.yml
```
Step 7: Create Vault Password Management Script
Automate vault password handling:
```bash
#!/bin/bash
# vault_manager.sh
set -euo pipefail

VAULT_DIR="$HOME/.vault"
mkdir -p "$VAULT_DIR"
chmod 700 "$VAULT_DIR"
PROD_SECRET="prod@$VAULT_DIR/prod"

case "${1:-}" in
  init)
    # Initialize vault passwords; umask 077 makes the file 600 and
    # never executable, so Ansible reads it instead of running it
    read -r -s -p "Enter production vault password: " prod_pass
    echo
    (umask 077; printf '%s' "$prod_pass" > "$VAULT_DIR/prod")
    echo "Production vault password saved"
    ;;
  encrypt)
    # Encrypt file with production vault
    ansible-vault encrypt "${2:?file required}" --vault-id "$PROD_SECRET"
    ;;
  decrypt)
    # Decrypt file in place
    ansible-vault decrypt "${2:?file required}" --vault-id "$PROD_SECRET"
    ;;
  view)
    # View encrypted file
    ansible-vault view "${2:?file required}" --vault-id "$PROD_SECRET"
    ;;
  rekey)
    # Rekey all vault files to the new password stored in $VAULT_DIR/prod.new;
    # move prod.new over prod once every file has been rekeyed
    find . -name "vault.yml" -exec ansible-vault rekey {} \
      --vault-id "$PROD_SECRET" --new-vault-id "prod@$VAULT_DIR/prod.new" \;
    ;;
  *)
    echo "Usage: $0 {init|encrypt|decrypt|view|rekey} [file]"
    exit 1
    ;;
esac
```
Step 8: Validate Vault Configuration
Create a validation playbook. Note the `no_log: true` on the decryption test: the registered result contains the decrypted file contents, which would otherwise be printed with `-v` and end up in logs:
```yaml
# validate_vault.yml
- name: Validate vault configuration
  hosts: localhost
  gather_facts: false
  vars:
    vault_files:
      - group_vars/production/vault.yml
      - group_vars/staging/vault.yml
      - host_vars/db-server/vault.yml
    # the command module does not expand ~, so build the path explicitly
    vault_secret: "prod@{{ lookup('env', 'HOME') }}/.vault/prod"

  tasks:
    - name: Check vault files exist
      ansible.builtin.stat:
        path: "{{ item }}"
      register: vault_stat
      loop: "{{ vault_files }}"

    - name: Report missing vault files
      ansible.builtin.debug:
        msg: "WARNING: {{ item.item }} does not exist"
      when: not item.stat.exists
      loop: "{{ vault_stat.results }}"

    - name: Test vault decryption
      ansible.builtin.command:
        argv:
          - ansible-vault
          - view
          - "{{ item }}"
          - --vault-id
          - "{{ vault_secret }}"
      loop: "{{ vault_files }}"
      register: decrypt_test
      changed_when: false
      failed_when: false
      no_log: true

    - name: Report decryption status
      ansible.builtin.debug:
        msg: "{{ item.item }}: {{ 'OK' if item.rc == 0 else 'FAILED' }}"
      loop: "{{ decrypt_test.results }}"

    - name: Fail if any vault file could not be decrypted
      ansible.builtin.assert:
        that:
          - decrypt_test.results | map(attribute='rc') | reject('equalto', 0) | list | length == 0
        fail_msg: "One or more vault files could not be decrypted with {{ vault_secret }}"
```
Verification
Test vault decryption:
```bash
# View encrypted file
ansible-vault view secrets.yml
# Expected: file contents displayed without error

# Edit encrypted file
ansible-vault edit secrets.yml

# Encrypt a test file
echo "test: value" > test.yml
ansible-vault encrypt test.yml
ansible-vault view test.yml
rm test.yml
```
Test playbook with vault:
```bash
# Run playbook with vault password
ansible-playbook site.yml --ask-vault-pass

# Or with password file
ansible-playbook site.yml --vault-password-file ~/.vault_pass

# Or with vault ID
ansible-playbook site.yml --vault-id prod@~/.vault_prod

# Expected: playbook runs without vault errors
```
Verify vault configuration:
```bash
# Check ansible.cfg vault settings (option names are upper case, so match case-insensitively)
ansible-config dump | grep -i vault

# Test vault password file: byte count is the password length, plus at most
# one trailing newline, which Ansible strips; mode must be 600 and not executable
wc -c < ~/.vault_pass
ls -l ~/.vault_pass

# List the vault ID each file expects; every label must have a configured secret
head -1 group_vars/*/vault.yml
```
Related Issues
- [ansible-vault-password-rotation](/articles/ansible-vault-password-rotation)
- [ansible-multiple-vault-ids](/articles/ansible-multiple-vault-ids)
- [ansible-vault-in-ci-cd](/articles/ansible-vault-in-ci-cd)
Published by FixWikiHub (https://www.fixwikihub.com), 2025-12-15.