Over time, as contributors come and go, it is a good idea to rotate the password used to encrypt your secrets. Encryption is only as good as the protection of the password. ansible-vault provides a subcommand named rekey that allows us to change the password, as shown in the following screenshot:
The rekey subcommand operates much like the edit subcommand. It takes in an optional password, file, or executable, and one or more files to rekey. You then need to use the --new-vault-id argument to define the new password (and ID if required), which again can be supplied through a prompt, file, or executable. Let's rekey our even_more_secrets.yaml file in the following example, and add the dev ID to it:
Remember that all the encrypted files with the same ID need to have a matching key. Be sure to rekey all the files with the same ID at the same time.
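To find every file that shares a vault ID before rekeying, the following added example (not from the original text) reads the header line that ansible-vault writes at the top of each encrypted file and groups files by the ID label stored there. The function names `vault_inventory` and `files_for_vault_id` are hypothetical helpers, and the script assumes file paths contain no newlines or tabs.

```shell
#!/bin/sh
# Added example: inventory vault-encrypted files by vault ID label so that
# all files sharing an ID can be rekeyed in the same ansible-vault run.
#
# Vault files start with a header line such as:
#   $ANSIBLE_VAULT;1.2;AES256;dev   (format 1.2, carries the ID label "dev")
#   $ANSIBLE_VAULT;1.1;AES256       (format 1.1, no label: the default ID)

# vault_inventory DIR
# Prints "<label><TAB><path>" for every vault-encrypted file under DIR.
# Files without a label are reported under "default".
vault_inventory() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        # Only the first line matters; strip a trailing CR from CRLF files.
        header=$(head -n 1 "$f" 2>/dev/null | tr -d '\r')
        case $header in
            '$ANSIBLE_VAULT;'*) ;;   # looks like a vault header
            *) continue ;;           # plain-text or unrelated file
        esac
        # Field 4 of the header is the vault ID label (empty in format 1.1).
        label=$(printf '%s\n' "$header" | cut -d';' -f4)
        printf '%s\t%s\n' "${label:-default}" "$f"
    done
}

# files_for_vault_id DIR LABEL
# Prints only the paths whose vault ID label equals LABEL, one per line.
files_for_vault_id() {
    vault_inventory "$1" | awk -F '\t' -v id="$2" '$1 == id { print $2 }'
}
```

Run `files_for_vault_id . dev` from the repository root and pass every listed path to a single `ansible-vault rekey` invocation so that no file with that ID is left on the old password.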