Skip to content
Latchkey

Ansible Vault "input is not vault encrypted data ... unhexlify" error in CI

Ansible read a file it expected to be vault ciphertext, but the hex body did not decode, so it raised a "Vault format unhexlify error". The header was recognised but the payload is corrupted, usually by an editor or a checkout that rewrote line endings.

What this error means

The run fails with "ERROR! Vault format unhexlify error" or "input is not vault encrypted data" for a file that begins with $ANSIBLE_VAULT;1.1;AES256.

ansible
ERROR! input is not vault encrypted data for /runner/group_vars/prod/vault.yml
ERROR! Vault format unhexlify error: Non-hexadecimal digit found

Common causes

CRLF line endings rewrote the ciphertext

A git autocrlf setting or a Windows editor converted line endings inside the encrypted body, so the hex no longer decodes.

The file was partially edited or truncated

Manual edits to the encrypted block, or a merge that touched the ciphertext, leave bytes that are not valid vault hex.

How to fix it

Restore LF endings for vault files

  1. Mark vault files as binary or force LF in .gitattributes.
  2. Re-check out the file so it is no longer CRLF mangled.
  3. Verify it decrypts with ansible-vault view.
.gitattributes
# .gitattributes
group_vars/**/vault.yml -text

Re-encrypt from a known-good source

If the ciphertext is truly corrupted, re-create the file from the plaintext source and encrypt it again.

Terminal
ansible-vault encrypt group_vars/prod/vault.yml --vault-password-file .vault_pass

How to prevent it

  • Force LF line endings for vault files via .gitattributes.
  • Never hand-edit the encrypted block; use ansible-vault edit.
  • Verify vault files decrypt in CI before deploy tasks run.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →