Ansible Vault "input is not vault encrypted data ... unhexlify" error in CI
Ansible read a file it expected to be vault ciphertext, but the hex body did not decode, so it raised a "Vault format unhexlify error". The header was recognised but the payload is corrupted, usually by an editor or a checkout that rewrote line endings.
What this error means
The run fails with "ERROR! Vault format unhexlify error" or "input is not vault encrypted data" for a file that begins with $ANSIBLE_VAULT;1.1;AES256.
ERROR! input is not vault encrypted data for /runner/group_vars/prod/vault.yml
ERROR! Vault format unhexlify error: Non-hexadecimal digit foundCommon causes
CRLF line endings rewrote the ciphertext
A git autocrlf setting or a Windows editor converted line endings inside the encrypted body, so the hex no longer decodes.
The file was partially edited or truncated
Manual edits to the encrypted block, or a merge that touched the ciphertext, leave bytes that are not valid vault hex.
How to fix it
Restore LF endings for vault files
- Mark vault files as binary or force LF in
.gitattributes. - Re-check out the file so it is no longer CRLF mangled.
- Verify it decrypts with
ansible-vault view.
# .gitattributes
group_vars/**/vault.yml -textRe-encrypt from a known-good source
If the ciphertext is truly corrupted, re-create the file from the plaintext source and encrypt it again.
ansible-vault encrypt group_vars/prod/vault.yml --vault-password-file .vault_passHow to prevent it
- Force LF line endings for vault files via
.gitattributes. - Never hand-edit the encrypted block; use
ansible-vault edit. - Verify vault files decrypt in CI before deploy tasks run.