You can do this very neatly, so that the normal git tools like git log and git diff can see inside the vaulted files, using a custom git diff driver and .gitattributes.
- Make sure that your vault password is in `.vault_password` and that that file is not committed – you should also add it to `.gitignore`.
- Add a `.gitattributes` file that matches any files in your repository that are encrypted with ansible-vault and give them the attribute `diff=ansible-vault`. For example, I have:

  ```
  env_vars/production.yml diff=ansible-vault merge=binary
  env_vars/staging.yml diff=ansible-vault merge=binary
  ```

  You can also use wildcarded patterns – the first element of each line, the pattern, follows the same rules as `.gitignore` files. The `merge=binary` option tells git not to attempt to do a three-way merge of these files.
- Then you have to set the diff driver for files with attribute `diff=ansible-vault` to `ansible-vault view`:

  ```
  git config --global diff.ansible-vault.textconv "ansible-vault view"
  ```
And that should be it – when git is calculating diffs of the files your pattern matches, it’ll decrypt them first.
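The whole setup from the answer above as a runnable script, added here as an example rather than the answerer's own code. It assumes git is installed, uses a repository-local driver instead of `--global`, and points ansible at `.vault_password` through an `ansible.cfg` so that a bare `ansible-vault view` can find the password; the repository path and the constructed password are placeholders.

```bash
#!/bin/sh
# Added example: wire up an ansible-vault textconv diff driver and verify it
# with git check-attr. Assumes git is on PATH; ansible-vault itself is only
# needed at `git diff` time, not to run this script.
set -eu

setup_vault_diff_repo() {
    repo="$1"
    mkdir -p "$repo/env_vars"
    git init -q "$repo"

    # Password file stays out of history: ignore it before anything is committed.
    printf 'constructed-example-password\n' > "$repo/.vault_password"
    chmod 600 "$repo/.vault_password"
    printf '.vault_password\n' > "$repo/.gitignore"

    # Vaulted files: diff through the ansible-vault driver, never 3-way merge.
    printf 'env_vars/*.yml diff=ansible-vault merge=binary\n' > "$repo/.gitattributes"

    # Repository-local driver (the answer uses --global). Leave textconv caching
    # off: diff.<driver>.cachetextconv=true would store decrypted output as
    # git notes inside the repository's object store.
    git -C "$repo" config --local diff.ansible-vault.textconv "ansible-vault view"
    git -C "$repo" config --local diff.ansible-vault.cachetextconv false

    # Lets a bare `ansible-vault view` locate the password file
    # (ANSIBLE_VAULT_PASSWORD_FILE in the environment works as well).
    printf '[defaults]\nvault_password_file = .vault_password\n' > "$repo/ansible.cfg"
}

# Prints the value git resolves for attribute $2 on path $3 inside repo $1,
# e.g. "ansible-vault" for diff or "binary" for merge, "unspecified" if unmatched.
vault_attr() {
    git -C "$1" check-attr "$2" -- "$3" | awk '{print $NF}'
}

# Prints "true" when .gitignore keeps the password file out of the repository.
password_file_ignored() {
    if git -C "$1" check-ignore -q .vault_password; then echo true; else echo false; fi
}

# Usage: setup_vault_diff_repo /tmp/vault-demo && vault_attr /tmp/vault-demo diff env_vars/production.yml
```

After the setup, `git diff` and `git log -p` on matching files call `ansible-vault view` and compare plaintext, so the decrypted content reaches your terminal and any pager or log you pipe it into.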