Encrypt and decrypt Ansible Vault secrets online. Supports the standard AES256 vault format (version 1.1). Paste your vault ciphertext and password to instantly decrypt, or encrypt plaintext into a vault-compatible block. 100% client-side.
Supported Tools:
Encrypt plaintext secrets or decrypt Ansible Vault strings directly in your browser. No Python, no CLI, no installation required. Fully compatible with Ansible Vault 1.1 AES256 format.
Ansible Vault is a built-in Ansible feature that lets you encrypt sensitive data such as passwords, API keys, and configuration secrets inside playbooks and variable files. Encrypted values begin with $ANSIBLE_VAULT and can only be decrypted using the correct vault password. This tool implements the same AES-256-CTR algorithm used by Ansible, so you can encrypt and decrypt vault strings directly in your browser without running any Ansible commands.
Input:
$ANSIBLE_VAULT;1.1;AES256 36333932343139356634346437393963333636663234333031363733313335646638613237313532 3033363464323433643533653633356264663265333936630a393030656663636232316263386361 65353636663334363434323862323332383332653362643833373132626335303637356463663162 3637323966383336390a386539653637643038303261646635636333326230663862333936356435 3939 Vault Password: keydecryptor
Output:
keydecryptor
What is Ansible Vault used for?
Ansible Vault is used to protect sensitive values in automation workflows. Common use cases include storing database passwords, SSH keys, API tokens, and cloud credentials inside encrypted Ansible playbooks or variable files.
Which Ansible Vault version and cipher does this tool support?
This tool supports Ansible Vault format version 1.1 using AES256 (AES-256-CTR with PBKDF2-HMAC-SHA256 key derivation). This is the default format used by Ansible when running ansible-vault encrypt.
Is my vault password or secret data sent to any server?
No. All encryption and decryption runs entirely in your browser using the Web Crypto API. Your vault password and plaintext never leave your device.
Can I decrypt a vault string created by the official Ansible CLI?
Yes. Vault strings created with ansible-vault encrypt or ansible-vault encrypt_string can be decrypted here using the same password, as long as the format is 1.1 AES256.
Can I use the encrypted output directly in an Ansible playbook?
Yes. The encrypted output produced by this tool is fully compatible with Ansible. You can paste it into a vars file or playbook and Ansible will decrypt it at runtime using the vault password.
What does HMAC verification failed mean?
This error means either the vault password is incorrect or the vault text has been modified or corrupted. Ansible uses HMAC-SHA256 to verify integrity before decrypting, so any mismatch in the password or content will trigger this error.