ansible rekey
November 01, 2025
Create new key:
openssl ecparam -name prime256v1 -genkey -noout -out private.ec.key
Save key in 1password:
op document create private.ec.key --title "Ansible Vault EC Key" --vault "Private"
Test that you can get the key back out:
op read "op://Private/Ansible Vault EC Key/private.ec.key"
Shred old key:
shred -u private.ec.key
Edit your ansible config file and change the current value of vault_password_file to point to the old vault password file:
vault_password_file = vaultpw-old.sh
Run the rekey command:
ansible-vault rekey --new-vault-password-file=vaultpw-new.sh your-vault-file.yml
The contents of vaultpw-new.sh should be:
#!/bin/bash
op read "op://Private/Ansible Vault EC Key/private.ec.key"
To rekey all your vault files, you can use find:
find . -type f \( -name "*.yml" -o -name "*.yaml" \) | while IFS= read -r file; do
    # only whole-file vaults carry the header on line 1
    if head -1 "$file" 2>/dev/null | grep -q '$ANSIBLE_VAULT;'; then
        echo "Rekeying: $file"
        ansible-vault rekey --new-vault-password-file=vaultpw-new.sh "$file"
    fi
done
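A fuller version of the loop above, added here as an example (not from the original post): it passes both password scripts explicitly, confirms each rekeyed file still opens under the new key, and flags inline !vault strings, which ansible-vault rekey does not touch (they have to be re-encrypted with ansible-vault encrypt_string). It assumes the vaultpw-old.sh and vaultpw-new.sh scripts from this post; DRY_RUN is an assumed variable name for previewing the run.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Scans a tree for Ansible Vault
# material, rekeys whole-file vaults and reports inline !vault strings.
# Assumptions: old/new password scripts are passed as arguments;
# DRY_RUN=1 (assumed name) prints what would be rekeyed instead of doing it.

# Print one of: whole-file | inline | plain
classify_vault_file() {
    if head -n 1 "$1" 2>/dev/null | grep -q '^\$ANSIBLE_VAULT;'; then
        echo whole-file                      # header on line 1: rekeyable
    elif grep -qE '^[[:space:]]+\$ANSIBLE_VAULT;' "$1" 2>/dev/null; then
        echo inline                          # indented header under a !vault tag
    else
        echo plain
    fi
}

# Rekey one whole-file vault, then prove it decrypts with the new key.
rekey_one() {
    file=$1; old=$2; new=$3
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "would-rekey: $file"
    elif ansible-vault rekey --vault-password-file "$old" --new-vault-password-file "$new" "$file" &&
         ansible-vault view --vault-password-file "$new" "$file" >/dev/null; then
        echo "rekeyed: $file"
    else
        echo "FAILED: $file" >&2
    fi
}

# Walk DIR and emit one report line per YAML file that holds vault material.
rekey_tree() {
    dir=$1; old=$2; new=$3
    find "$dir" -type f \( -name '*.yml' -o -name '*.yaml' \) -print |
    while IFS= read -r f; do                 # -r keeps backslashes intact
        case $(classify_vault_file "$f") in
            whole-file) rekey_one "$f" "$old" "$new" ;;
            inline) echo "inline: $f (re-encrypt with ansible-vault encrypt_string)" ;;
        esac
    done
}

# Usage: ./rekey-tree.sh DIR vaultpw-old.sh vaultpw-new.sh
if [ "$#" -eq 3 ]; then
    rekey_tree "$1" "$2" "$3"
fi
```

Run it once with DRY_RUN=1 to see which files will be rekeyed and which inline values need manual attention before touching anything.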
Finally, update your ansible config file to point to the new vault password file:
vault_password_file = vaultpw-new.sh