Editing encrypted files

Once a file has been encrypted with ansible-vault, it cannot be edited directly. Opening the file in an editor shows only the encrypted data, and changing any of it would damage the file so that Ansible could no longer read its contents. We need a subcommand that first decrypts the contents of the file, lets us edit them, and then encrypts the new contents before saving them back to the file. That subcommand is edit, as shown in the following screenshot:

As we've already seen, our editor opens up with our content in plain text visible to us. All of our familiar vault-id options are back, as before, as well as the file to edit. As such, we can now edit the file we just encrypted using the following command:

Notice that ansible-vault opens our editor with a temporary file as the file path. The editor will save this, and then ansible-vault will encrypt it and move it to replace the original file, as shown in the following screenshot:

The temporary file you can see in the editor window (/tmp/tmpVvcJBK.yaml) will be removed once the file is successfully encrypted by ansible-vault.
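The workflow above can be wrapped in a guard that refuses to proceed unless the file is still a well-formed vault envelope before and after the edit. This is an added example, not code from the original text; the function names and the default @prompt vault ID are assumptions. The check is structural only (header line plus hex body) and does not verify the vault's integrity tag, which only ansible-vault can do with the password.

```bash
#!/bin/sh
# Added example. Function names and the default vault ID are assumptions.

# Return 0 if FILE looks like an intact ansible-vault envelope:
# a "$ANSIBLE_VAULT;<version>;AES256[;<label>]" header, then hex-only lines.
vault_file_intact() {
    local file=$1 header=""
    [ -r "$file" ] || return 2
    # Tolerate a missing trailing newline on a one-line file.
    IFS= read -r header < "$file" || [ -n "$header" ] || return 1
    case $header in
        '$ANSIBLE_VAULT;1.1;AES256') ;;      # no vault ID label
        '$ANSIBLE_VAULT;1.2;AES256;'?*) ;;   # labelled with a vault ID
        *) return 1 ;;                       # plaintext or damaged header
    esac
    # The body must exist and consist only of hex digits. A line typed into
    # the ciphertext with a plain editor fails this test.
    tail -n +2 "$file" | grep -q . || return 1
    ! tail -n +2 "$file" | grep -qvE '^[0-9a-fA-F]+$'
}

# Edit through ansible-vault (never a plain editor), then confirm that the
# file on disk was re-encrypted rather than left as plaintext.
safe_vault_edit() {
    local file=$1 vault_id=${2:-@prompt}
    if ! vault_file_intact "$file"; then
        echo "refusing: $file is not an intact vault file" >&2
        return 1
    fi
    ansible-vault edit --vault-id "$vault_id" "$file" || return 1
    if ! vault_file_intact "$file"; then
        echo "warning: $file is not encrypted after editing" >&2
        return 1
    fi
}
```

The same vault_file_intact function can be used as a pre-commit check so that a secrets file that was decrypted or hand-edited never reaches version control.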