ansible-vault CLI reimplemented in go

Readme Card

ansible-vault CLI reimplemented in go

ansible-vault is a very powerful tool and we wanted to simplifying the install and management of the tool as a standalone, cross platform tool.

Basic Usage

Please see the docs for details on the commands.

Use in place of ansible-vault. All commands are reimplemented. The tool will default to asking for your Vault password.

$ gwvault -h
   gwvault - encryption/decryption utility for Ansible data files

   main [global options] command [command options] [arguments...]

   encrypt                            encrypt file
   decrypt                            decrypt file
   edit                               edit file and re-encrypt
   rekey                              alter encryption password and re-encrypt
   create                             create a new encrypted file
   view                               view inputs of encrypted file
   encrypt_string, av_encrypt_string  encrypt provided string, output in ansible-vault format
   install-manpage                    Generate and install man page
   version, v                         Print version info
   help, h                            Shows a list of commands or help for one command

   --vault-password-file VAULT_PASSWORD_FILE          vault password file VAULT_PASSWORD_FILE
   --new-vault-password-file NEW_VAULT_PASSWORD_FILE  new vault password file for rekey NEW_VAULT_PASSWORD_FILE
   --help, -h                                         show help (default: false)


asdf plugin

Add plugin:

$ asdf plugin add gwvault

Install the latest version:

$ asdf install gwvault latest

Homebrew (for macOS users)

brew tap GoodwayGroup/gwvault
brew install gwvault

curl binary

$ curl! | bash


The compiled docker images are maintained on GitHub Container Registry ( We maintain the following tags:

  • edge: Image that is build from the current HEAD of the main line branch.
  • latest: Image that is built from the latest released version
  • x.y.z (versions): Images that are build from the tagged versions within Github.
docker pull
docker run -v "$PWD":/workdir --version

man page

To install man page:

$ gwvault install-manpage


Benchmarking done using bench. Execute the benchmark/ script to generate a new benchmark.

As compared to ansible-vault (v2.9.11 on python v3.8.5), typical actions take a 80% less time to complete.

Action ansible-vault gwvault
encrypt 482 ms 94 ms
decrypt 499 ms 96 ms
rekey 650 ms 162 ms
encrypt_string 429 ms 64 ms
encrypt + decrypt 1,087 ms 168 ms

See ./benchmark/results.html for a detailed breakdown of the results after running the benchmark.

Built With



This will update docs, changelog, add the tag, push main and the tag to the repo. The goreleaser action will publish the binaries to the Github Release.

If you want to simulate the goreleaser process, run the following command:

$ curl -sL | bash -s -- --rm-dist --skip-publish --snapshot


Please read for details on our code of conduct, and the process for submitting pull requests to us.

  1. Fork the GoodwayGroup/gwvault repo
  2. Use go >= 1.16
  3. Branch & Code
  4. Run linters :broom: golangci-lint run
  5. Commit with a Conventional Commit
  6. Open a PR


We employ git-chglog to manage the For the versions available, see the tags on this repository.


See also the list of contributors who participated in this project.


This project is licensed under the MIT License - see the LICENSE file for details