| Name | ansible-vault-keys JSON |
| Version |
0.2.2
JSON |
| download |
| home_page | None |
| Summary | Selective encryption of YAML keys using Ansible Vault, with full round-trip support |
| upload_time | 2025-08-23 20:48:04 |
| maintainer | None |
| docs_url | None |
| author | None |
| requires_python | >=3.8 |
| license | None |
| keywords |
ansible
vault
yaml
encryption
cli
|
| VCS |
|
| bugtrack_url |
|
| requirements |
No requirements were recorded.
|
| Travis-CI |
No Travis.
|
| coveralls test coverage |
No coveralls.
|
# ansible-vault-keys
[](https://pypi.org/project/ansible-vault-keys/)
Selective encryption of YAML keys using Ansible Vault — with full round-trip support.
## ✨ Why?
Ansible Vault is great for securing secrets, but encrypting entire files makes them opaque and hard to document.
This tool lets you encrypt only the sensitive keys in your YAML files, preserving:
- ✅ Comments
- ✅ Key order
- ✅ Formatting
- ✅ Readability
No more guessing what's inside a vault-encrypted blob. Just mark the keys you want to encrypt, and keep the rest visible.
## 🧙♂️ Philosophy
This tool is itended to be a _companion_ to `ansible-vault`, not a replacement. It’s built for clarity, maintainability, and expressive workflows — especially when documenting or collaborating on infrastructure.
Think of it as a scribe that encrypts only what must be hidden, while preserving the story around it. In keeping with the design goals - Your YAML remains readable, annotated, and collaborative — even when secrets are tucked away.
## 🚀 Quickstart
Encrypt selected keys in a YAML file:
```bash
ansible-vault-keys encrypt somevars.yaml
```
Decrypt them later:
```bash
ansible-vault-keys decrypt somevars.yaml
```
View decrypted values without modifying the file
```bash
ansible-vault-keys view somevars.yaml
```
### 🧾 Before
```yaml
# somevars.yaml
plain: value
# this one is sensitive v
password: somesensitivevalue
user: bob
# so is this one v
apikey: nue6756be8cs83jn2l4
encrypted_keys: [password, apikey]
```
### 🔐 After Encryption
```yaml
# somevars.yaml
plain: value
# this one is sensitive v
password: !vault | # 🔐 Encrypted keys are marked with !vault
$ANSIBLE_VAULT;1.1;AES256
...
user: bob
# so is this one v
apikey: !vault | # 🔐 Encrypted keys are marked with !vault
$ANSIBLE_VAULT;1.1;AES256
...
encrypted_keys: [password, apikey]
```
```🔐 Encrypted keys are marked with !vault``` This comment is for illustration only — it’s not included in the actual output.
#### Commands Table:
| Command | Description |
|--------|-------------|
| `encrypt` | Encrypts keys listed in `encrypted_keys` or specified with --keys |
| `decrypt` | Decrypts all vault-encrypted values |
| `view` | Displays decrypted values without modifying the file |
#### Flags Table:
| Flag | Description |
|------|-------------|
| `--dry-run` | Show changes without writing to file |
| `--vault-password-file` | Path to vault password file (default: `vault.password`) |
| `--keys` | Merge with `encrypted_keys` list from YAML |
### **Clarify the `--keys` Behavior**
> ⚠️ Note: `--keys` are merged with any existing `encrypted_keys` list during encryption.
### Usage:
```bash
usage: ansible-vault-keys [-h] [--output [OUTPUT]] [--vault-password-file VAULT_PASSWORD_FILE] [--keys KEYS [KEYS ...]] [--dry-run] {encrypt,decrypt,view} input
Selectively encrypt sensitive variables
positional arguments:
{encrypt,decrypt,view}
Command to execute
input Path to input YAML file
options:
-h, --help show this help message and exit
--output [OUTPUT] Path to output YAML file (optional), defaults to input file, will clobber without warning
--vault-password-file VAULT_PASSWORD_FILE
Path to vault password file
--keys KEYS [KEYS ...]
Keys to encrypt
--dry-run Show changes without writing to file
```
## 📦 Install
Install locally for CLI use:
```bash
pip install .
```
Or build a wheel:
```bash
python -m build
```
After installation, the ansible-vault-keys command will be available in your shell.
## 📝 License
MIT
Raw data
{
"_id": null,
"home_page": null,
"name": "ansible-vault-keys",
"maintainer": null,
"docs_url": null,
"requires_python": ">=3.8",
"maintainer_email": null,
"keywords": "ansible, vault, yaml, encryption, cli",
"author": null,
"author_email": "Joe DeKeyrel <joedekeyrel@email.com>",
"download_url": "https://files.pythonhosted.org/packages/ec/03/571c0d6d9fde248ee178a7bc71cc4f41bfffb2d0ca6d917941ece9e64918/ansible_vault_keys-0.2.2.tar.gz",
"platform": null,
"description": "# ansible-vault-keys\n\n\n\n\n\n\n\n[](https://pypi.org/project/ansible-vault-keys/)\n\n\n\nSelective encryption of YAML keys using Ansible Vault \u2014 with full round-trip support.\n\n## \u2728 Why?\n\nAnsible Vault is great for securing secrets, but encrypting entire files makes them opaque and hard to document. \n\nThis tool lets you encrypt only the sensitive keys in your YAML files, preserving:\n\n- \u2705 Comments\n- \u2705 Key order\n- \u2705 Formatting\n- \u2705 Readability\n\nNo more guessing what's inside a vault-encrypted blob. Just mark the keys you want to encrypt, and keep the rest visible.\n\n## \ud83e\uddd9\u200d\u2642\ufe0f Philosophy\n\nThis tool is itended to be a _companion_ to `ansible-vault`, not a replacement. It\u2019s built for clarity, maintainability, and expressive workflows \u2014 especially when documenting or collaborating on infrastructure.\n\nThink of it as a scribe that encrypts only what must be hidden, while preserving the story around it. In keeping with the design goals - Your YAML remains readable, annotated, and collaborative \u2014 even when secrets are tucked away.\n\n## \ud83d\ude80 Quickstart\n\nEncrypt selected keys in a YAML file:\n\n```bash\nansible-vault-keys encrypt somevars.yaml\n```\n\nDecrypt them later:\n```bash\nansible-vault-keys decrypt somevars.yaml\n```\n\nView decrypted values without modifying the file\n```bash\nansible-vault-keys view somevars.yaml\n```\n\n### \ud83e\uddfe Before\n\n```yaml\n# somevars.yaml\nplain: value\n# this one is sensitive v\npassword: somesensitivevalue\nuser: bob\n# so is this one v\napikey: nue6756be8cs83jn2l4\nencrypted_keys: [password, apikey]\n```\n\n### \ud83d\udd10 After Encryption\n\n```yaml\n# somevars.yaml\nplain: value\n# this one is sensitive v\npassword: !vault | # \ud83d\udd10 Encrypted keys are marked with !vault\n $ANSIBLE_VAULT;1.1;AES256\n ...\nuser: bob\n# so is this one v\napikey: !vault | # \ud83d\udd10 Encrypted keys are marked with !vault\n $ANSIBLE_VAULT;1.1;AES256\n ...\nencrypted_keys: [password, apikey]\n```\n\n```\ud83d\udd10 Encrypted keys are marked with !vault``` This comment is for illustration only \u2014 it\u2019s not included in the actual output.\n\n\n#### Commands Table:\n| Command | Description |\n|--------|-------------|\n| `encrypt` | Encrypts keys listed in `encrypted_keys` or specified with --keys |\n| `decrypt` | Decrypts all vault-encrypted values |\n| `view` | Displays decrypted values without modifying the file |\n\n#### Flags Table:\n| Flag | Description |\n|------|-------------|\n| `--dry-run` | Show changes without writing to file |\n| `--vault-password-file` | Path to vault password file (default: `vault.password`) |\n| `--keys` | Merge with `encrypted_keys` list from YAML |\n\n### **Clarify the `--keys` Behavior**\n\n> \u26a0\ufe0f Note: `--keys` are merged with any existing `encrypted_keys` list during encryption.\n\n### Usage:\n```bash\nusage: ansible-vault-keys [-h] [--output [OUTPUT]] [--vault-password-file VAULT_PASSWORD_FILE] [--keys KEYS [KEYS ...]] [--dry-run] {encrypt,decrypt,view} input\n\nSelectively encrypt sensitive variables\n\npositional arguments:\n {encrypt,decrypt,view}\n Command to execute\n input Path to input YAML file\n\noptions:\n -h, --help show this help message and exit\n --output [OUTPUT] Path to output YAML file (optional), defaults to input file, will clobber without warning\n --vault-password-file VAULT_PASSWORD_FILE\n Path to vault password file\n --keys KEYS [KEYS ...]\n Keys to encrypt\n --dry-run Show changes without writing to file\n```\n\n\n## \ud83d\udce6 Install\n\nInstall locally for CLI use:\n```bash\npip install .\n```\n\nOr build a wheel:\n```bash\npython -m build\n```\n\nAfter installation, the ansible-vault-keys command will be available in your shell.\n\n## \ud83d\udcdd License\nMIT\n",
"bugtrack_url": null,
"license": null,
"summary": "Selective encryption of YAML keys using Ansible Vault, with full round-trip support",
"version": "0.2.2",
"project_urls": null,
"split_keywords": [
"ansible",
" vault",
" yaml",
" encryption",
" cli"
],
"urls": [
{
"comment_text": null,
"digests": {
"blake2b_256": "ba8292b50018bd49243438af25a64baf9e6e0399e1eda54fd7d3ce6b4daa64cf",
"md5": "e27e3b36e67bb044004671ef5aad7d11",
"sha256": "65919eb10add6988f87a2efb172932377c2d22fcd79680d881237a65c085771b"
},
"downloads": -1,
"filename": "ansible_vault_keys-0.2.2-py3-none-any.whl",
"has_sig": false,
"md5_digest": "e27e3b36e67bb044004671ef5aad7d11",
"packagetype": "bdist_wheel",
"python_version": "py3",
"requires_python": ">=3.8",
"size": 9197,
"upload_time": "2025-08-23T20:48:03",
"upload_time_iso_8601": "2025-08-23T20:48:03.521861Z",
"url": "https://files.pythonhosted.org/packages/ba/82/92b50018bd49243438af25a64baf9e6e0399e1eda54fd7d3ce6b4daa64cf/ansible_vault_keys-0.2.2-py3-none-any.whl",
"yanked": false,
"yanked_reason": null
},
{
"comment_text": null,
"digests": {
"blake2b_256": "ec03571c0d6d9fde248ee178a7bc71cc4f41bfffb2d0ca6d917941ece9e64918",
"md5": "ab199d7974262a877db08a76789dde04",
"sha256": "5e2a7058b94cd6dab5b8dfc4733676c81332b59a6baed537bee515c6ed1d074b"
},
"downloads": -1,
"filename": "ansible_vault_keys-0.2.2.tar.gz",
"has_sig": false,
"md5_digest": "ab199d7974262a877db08a76789dde04",
"packagetype": "sdist",
"python_version": "source",
"requires_python": ">=3.8",
"size": 12887,
"upload_time": "2025-08-23T20:48:04",
"upload_time_iso_8601": "2025-08-23T20:48:04.759376Z",
"url": "https://files.pythonhosted.org/packages/ec/03/571c0d6d9fde248ee178a7bc71cc4f41bfffb2d0ca6d917941ece9e64918/ansible_vault_keys-0.2.2.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2025-08-23 20:48:04",
"github": false,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"lcname": "ansible-vault-keys"
}
