cfctl implements file encryption and decryption as per the ansible-vault 1.1 spec. The encrypted files are interchangeable with ansible-vault; in other words, files encrypted by cfctl or ansible-vault can be decrypted by either tool.
The password lookup order is defined as below:
- CLI option --vault-password
- CLI option --vault-password-file
- Environment variable CFCTL_VAULT_PASSWORD
- Environment variable CFCTL_VAULT_PASSWORD_FILE
- Default password file $HOME/.cfctl_vault_password
- Shell prompt
For decryption, multiple passwords can be separated with a comma delimiter (,). For example:
password1,password2,password3...
All passwords will be tried until one works.
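How a comma-delimited candidate list can be tested against an ansible-vault 1.1 file, as an added example that is not cfctl's own code. It assumes "works" means the file's HMAC verifies under the derived key, as in the ansible-vault 1.1 format; the function names and the sample file are constructed for illustration.

```python
import binascii
import hashlib
import hmac

HEADER = b"$ANSIBLE_VAULT;1.1;AES256"

def derive_keys(password: str, salt: bytes):
    # ansible-vault 1.1: PBKDF2-HMAC-SHA256, 10000 rounds, 80 bytes of output
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10000, dklen=80)
    return dk[:32], dk[32:64], dk[64:]  # AES key, HMAC key, CTR IV

def parse_envelope(data: bytes):
    lines = data.strip().splitlines()
    if not lines or lines[0].strip() != HEADER:
        raise ValueError("not an ansible-vault 1.1 AES256 file")
    # Body is hex of: hex(salt) \n hex(hmac) \n hex(ciphertext), wrapped at 80 columns
    inner = binascii.unhexlify(b"".join(l.strip() for l in lines[1:]))
    salt_hex, mac_hex, ct_hex = inner.split(b"\n", 2)
    return tuple(binascii.unhexlify(p) for p in (salt_hex, mac_hex, ct_hex))

def find_password(data: bytes, candidates: str):
    # Hypothetical helper: returns the first candidate whose HMAC key authenticates the file
    salt, mac, ct = parse_envelope(data)
    for pw in candidates.split(","):
        _, hmac_key, _ = derive_keys(pw, salt)
        expected = hmac.new(hmac_key, ct, hashlib.sha256).digest()
        if hmac.compare_digest(expected, mac):  # constant-time comparison
            return pw
    return None

def build_sample(password: str) -> bytes:
    # Constructed sample: fixed salt and filler bytes standing in for AES-CTR output.
    # The HMAC covers the ciphertext only, so no AES is needed to test a password.
    salt = bytes(range(32))
    ct = b"\xa5" * 48
    _, hmac_key, _ = derive_keys(password, salt)
    mac = hmac.new(hmac_key, ct, hashlib.sha256).digest()
    inner = b"\n".join(binascii.hexlify(x) for x in (salt, mac, ct))
    body = binascii.hexlify(inner)
    wrapped = b"\n".join(body[i:i + 80] for i in range(0, len(body), 80))
    return HEADER + b"\n" + wrapped + b"\n"

if __name__ == "__main__":
    sample = build_sample("password2")
    print(find_password(sample, "password1,password2,password3"))
```

Because the list is split on every comma, this sketch cannot express a password that itself contains a comma.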
Here are some simple examples of how to use the command:
# To encrypt
$ cfctl vault encrypt file1
# To decrypt
$ cfctl vault decrypt file1 file2 file3 --password secret