Changing unencrypted vault.yml variables for Ansible Vault encryption

Hi all,

I’ve been learning to use Sage/Bedrock/Trellis on a recent project and all has gone well so far. Currently on the project I’ve been using plain text passwords in the vault.yml files and that includes provisioning and deploying to a staging site.

I now want to make use of the Ansible Vault feature and encrypt these passwords, but there’s a section on the docs I don’t quite understand:

Caution: If you have unencrypted vault.yml
files in your project’s git history (e.g., passwords in plain text),
you will most likely want to change the variable values in your vault.yml files before encrypting them and committing them to your repo.

I don’t understand why I need to change the variable values or what they need to be changed to.


I’m pretty sure the intention of that note is to let you know that even if you committed to a private repo, any plain-text values should be considered “non safe”. So instead of just encrypting the values you already had, you should first generate new ones (which have never been anywhere except your own computer) and then encrypt and push those.

In Git, someone could always go back in your commit history and see the old plain-text values. It is possible to “scrub” Git history but it’s complicated and you should just generate new passwords if possible.


Ah right, thanks for explaining that @swalkinshaw. I’m relatively inexperienced with Git and didn’t really think about the security risks and someone being able to go through the git repo history.