[perlgeek]

To be a bit pedantic, all .yml files can be encrypted with ansible-vault, so also playbooks and roles.

There are two things currently that bother me about ansible-vault. The first is that the 'edit' command write a completely new file even if I didn't change anything. And the second is that the diffs in git become useless. I'd love to have a special diff driver for ansible-vault encrypted files that decrypts before diffing when the secret is available.

[Deinumite]

If you use show instead of edit it doesn't re-encrypt the file.

Agreed on the useless diffs however, it makes reviewing pull requests or changes much harder.

[RRRA]

I'm curious, why do you feel the need to encrypt every single file instead of just secrets (to keep reviewing possible)? :)

[Deinumite]

I usually only encrypt var files that contain things like db passwords or something. In our case it made it harder to spot typos in the username for example.

I wouldn't encrypt a whole playbook for example.

[davedx]

We don't encrypt all of the credentials, just the actual passwords.

[RRRA]

Uhm, for me edit brings up vi, I then :q and the file's modification date didn't change?