## Introduction

Ansible Vault decryption errors stop a playbook before the first task runs, because Ansible cannot read the encrypted variable files, file-level vaults or inline `!vault` strings it needs. The usual reasons are a wrong vault password, a mismatch between the vault ID the file was encrypted under and the secrets supplied at run time, or a vault file whose contents were altered after encryption.

## Symptoms

- `ERROR! Decryption failed` or `Decryption failed (no vault secrets found)`; the second form means no vault secret was supplied at all (no `--ask-vault-pass`, `--vault-password-file` or `--vault-id`)
- `Invalid padding bytes`, which indicates the file content was altered or truncated after encryption
- Ansible prompts for a vault password but rejects the correct one
- Several vault files in the same project were encrypted with different passwords, and only some of them decrypt
- The password file passed with `--vault-password-file` or `--vault-id label@path` cannot be found or read

## Common Causes

- Wrong vault password supplied (typo, or a password that was rotated while the file was not rekeyed)
- Vault ID mismatch: the file header names one label (for example `prod`) but the secrets for that label were not supplied. Note that by default Ansible tries every supplied vault secret regardless of the label in the header; the label is only enforced when `ANSIBLE_VAULT_ID_MATCH` (config key `DEFAULT_VAULT_ID_MATCH`) is set, so a "mismatch" error usually means the right secret was missing, not merely mislabelled
- Vault file corrupted: truncated copy, line endings or encoding rewritten by an editor or a git filter, stray characters inside the hex body
- The project uses several vault passwords but only one was supplied on the command line
- Vault password file unreadable by the user running Ansible (permissions too restrictive), or marked executable, in which case Ansible runs it as a script and uses its standard output as the password

## Step-by-Step Fix

1. **Test vault decryption with the password file** (`view` reads the file without modifying it, so it is safe to repeat with different passwords):

   ```bash
   ansible-vault view secrets.yml --vault-password-file ~/.vault_pass
   ```

2. **Check the vault file header for a vault ID**:

   ```bash
   head -1 secrets.yml
   # Shows: $ANSIBLE_VAULT;1.1;AES256        (no ID)
   # Or:    $ANSIBLE_VAULT;1.2;AES256;prod   (with ID "prod")
   ```

   If the header carries an ID, supply the matching secret under that label (`--vault-id prod@~/.vault_prod`). Everything after the header must be one block of lowercase hex wrapped at 80 columns; any other characters, or a last line that ends abruptly, means the file was altered after encryption and no password will open it.

3. **Re-encrypt with the correct vault ID** (`rekey` rewrites the file in place, so back it up first; `old@prompt` asks for the current password, `new@prompt` for the new one):

   ```bash
   ansible-vault rekey secrets.yml --vault-id old@prompt --new-vault-id new@prompt
   ```

4. **Use multiple vault passwords** when different files were encrypted with different secrets; every `--vault-id` adds another secret Ansible will try:

   ```bash
   ansible-playbook site.yml \
     --vault-id dev@~/.vault_dev \
     --vault-id prod@~/.vault_prod
   ```
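
When `ansible-vault view` only says `Decryption failed`, it helps to know whether the file or the password is at fault. Ansible's `VaultAES256` derives keys with PBKDF2-HMAC-SHA256 (10000 iterations, 32-byte salt), checks an HMAC-SHA256 over the ciphertext, and only then decrypts with AES-256-CTR, so a wrong password fails at the HMAC step while a damaged file fails earlier, while parsing the envelope. The checker below is an added example (not code from Ansible or from this page); it re-implements the envelope parsing and the HMAC check using only the Python standard library and reports which stage fails. It does not decrypt the payload, which would need AES-CTR from the `cryptography` package. The function and file names (`diagnose`, `make_sample_vault`, `vault_check.py`) are this example's own, and `make_sample_vault` builds a constructed envelope whose ciphertext is random bytes standing in for real AES output, so the demo runs offline.

```python
#!/usr/bin/env python3
"""Diagnose why an Ansible Vault file will not decrypt, without calling ansible-vault.

Added example, stdlib only.  It re-implements the envelope parsing and the HMAC
check that Ansible's VaultAES256 performs before decrypting, so it can tell a
bad header, a corrupted or truncated body and a wrong password apart.  It does
NOT decrypt the payload (that needs AES-CTR from the `cryptography` package).
"""
import binascii
import hashlib
import hmac
import os
import textwrap

HEADER = "$ANSIBLE_VAULT"
PBKDF2_ITERATIONS = 10000   # Ansible's VaultAES256 parameters (PBKDF2-HMAC-SHA256)
KEY_LEN, IV_LEN = 32, 16    # AES-256 key length, AES block size (used as IV length)
AES_BLOCK = 16              # plaintext is PKCS7-padded to this before AES-CTR


def parse_header(first_line):
    """Return (version, cipher, vault_id) for the envelope's first line, or raise ValueError."""
    parts = first_line.strip().split(";")
    if parts[0] != HEADER or len(parts) not in (3, 4):
        raise ValueError("not an Ansible Vault header: %r" % first_line)
    version, cipher = parts[1], parts[2]
    if version not in ("1.1", "1.2") or cipher != "AES256":
        raise ValueError("unsupported vault format %s;%s" % (version, cipher))
    vault_id = parts[3] if len(parts) == 4 else None   # only 1.2 headers carry a label
    return version, cipher, vault_id


def derive_keys(password, salt):
    """Derive (cipher_key, hmac_key, iv) the way Ansible does: one 80-byte PBKDF2 output, split."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             PBKDF2_ITERATIONS, dklen=2 * KEY_LEN + IV_LEN)
    return dk[:KEY_LEN], dk[KEY_LEN:2 * KEY_LEN], dk[2 * KEY_LEN:]


def diagnose(vaulttext, password):
    """Return a status string saying whether, and if not why, `password` cannot open `vaulttext`."""
    lines = vaulttext.strip().splitlines()
    if not lines:
        return "bad-header: empty file"
    try:
        _, _, vault_id = parse_header(lines[0])
    except ValueError as exc:
        return "bad-header: %s" % exc
    # Body: hex text wrapped at 80 columns; decoded, it is salt_hex '\n' hmac_hex '\n' ciphertext_hex
    try:
        inner = binascii.unhexlify("".join(lines[1:]).strip())
    except (binascii.Error, ValueError):
        return "corrupt-body: payload is not valid hex (edited, re-encoded or cut mid-byte)"
    fields = inner.split(b"\n", 2)
    if len(fields) != 3:
        return "truncated-body: expected salt, hmac and ciphertext fields"
    try:
        salt = binascii.unhexlify(fields[0])
        stored_mac = binascii.unhexlify(fields[1])
        ciphertext = binascii.unhexlify(fields[2])
    except (binascii.Error, ValueError):
        return "corrupt-body: salt/hmac/ciphertext fields are not valid hex"
    if not ciphertext or len(ciphertext) % AES_BLOCK:
        return "truncated-body: ciphertext length %d is not a multiple of %d" % (len(ciphertext), AES_BLOCK)
    _, hmac_key, _ = derive_keys(password, salt)
    expected = hmac.new(hmac_key, ciphertext, hashlib.sha256).digest()
    label = " (header vault ID %r)" % vault_id if vault_id else ""
    if not hmac.compare_digest(expected, stored_mac):   # this is the check behind "Decryption failed"
        return "wrong-password: HMAC mismatch%s" % label
    return "ok: envelope intact and password verified%s" % label


def make_sample_vault(password, vault_id=None, payload_len=48):
    """CONSTRUCTED sample envelope for offline testing: real salt and real HMAC,
    but the ciphertext is random bytes standing in for AES-CTR output."""
    salt = os.urandom(32)                        # Ansible also uses a 32-byte random salt
    _, hmac_key, _ = derive_keys(password, salt)
    ciphertext = os.urandom(payload_len)         # multiple of AES_BLOCK, like real padded output
    mac_hex = hmac.new(hmac_key, ciphertext, hashlib.sha256).hexdigest().encode()
    inner = b"\n".join([binascii.hexlify(salt), mac_hex, binascii.hexlify(ciphertext)])
    header = "%s;1.2;AES256;%s" % (HEADER, vault_id) if vault_id else "%s;1.1;AES256" % HEADER
    return header + "\n" + "\n".join(textwrap.wrap(binascii.hexlify(inner).decode(), 80)) + "\n"


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:                       # usage: vault_check.py secrets.yml ~/.vault_pass
        with open(sys.argv[1]) as f, open(sys.argv[2]) as p:
            print(diagnose(f.read(), p.read().strip()))
    else:                                        # demo on a constructed sample
        sample = make_sample_vault("correct horse", vault_id="prod")
        print(diagnose(sample, "correct horse"))
        print(diagnose(sample, "battery staple"))
```

Run it as `python3 vault_check.py secrets.yml ~/.vault_pass` against a real vault file: `wrong-password` means the envelope is intact and the password (or the vault ID it belongs to) is the problem, so rekeying or supplying the right `--vault-id` will fix it; `corrupt-body` or `truncated-body` means no password will help and the file must be restored from backup or version control.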

## Prevention

- Keep vault passwords in a password manager or secrets store, never in the repository next to the vault files
- Use vault IDs so each environment has its own password and the label in the file header tells you which secret a file expects
- Rotate vault passwords on a schedule with `ansible-vault rekey`, and rekey every file that used the old password in the same change
- Back up vault files before re-encryption or rekeying, since `rekey` and `encrypt` rewrite the file in place
- In CI/CD, inject the vault password from the pipeline's secret store (for example through an executable password script passed to `--vault-id`) instead of committing password files