diff --git a/etc/kayobe/ansible/templates/wazuh-secrets.yml.j2 b/etc/kayobe/ansible/templates/wazuh-secrets.yml.j2
index 887cc6b44..847c679bd 100644
--- a/etc/kayobe/ansible/templates/wazuh-secrets.yml.j2
+++ b/etc/kayobe/ansible/templates/wazuh-secrets.yml.j2
@@ -7,7 +7,7 @@ secrets_wazuh:
# Strengthen default wazuh api user pass
wazuh_api_users:
- username: "wazuh"
- password: "{{ secrets_wazuh.wazuh_api_users[0].password | default(lookup('community.general.random_string', min_lower=1, min_upper=1, min_special=1, min_numeric=1, length=30)) }}"
+ password: '{{ secrets_wazuh.wazuh_api_users[0].password | default(lookup("community.general.random_string", min_lower=1, min_upper=1, min_special=1, min_numeric=1, length=30, override_special=override_special_characters)) }}'
# OpenSearch 'admin' user pass
opendistro_admin_password: "{{ secrets_wazuh.opendistro_admin_password | default(lookup('password', '/dev/null'), true) }}"
# OpenSearch 'kibanaserver' user pass
diff --git a/etc/kayobe/ansible/wazuh-secrets.yml b/etc/kayobe/ansible/wazuh-secrets.yml
index a1b725aba..67897ba4c 100644
--- a/etc/kayobe/ansible/wazuh-secrets.yml
+++ b/etc/kayobe/ansible/wazuh-secrets.yml
@@ -3,6 +3,7 @@
gather_facts: false
vars:
wazuh_secrets_path: "{{ kayobe_env_config_path }}/wazuh-secrets.yml"
+ override_special_characters: '"#$%&()*+,-./:;<=>?@[\]^_{|}~'
tasks:
- name: install passlib[bcrypt]
pip:
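Review bot: The switch to single quotes around the Jinja expression on the new `password:` line only keeps the rendered `password: '...'` scalar valid YAML because `override_special_characters` (defined in the playbook vars hunk) happens to leave out `'`; that coupling is stated in neither file. A comment above the line such as `# Single-quoted on purpose: override_special_characters excludes ' so the generated value needs no YAML escaping` would stop the next edit to either file from silently breaking the other. This line also still calls `default(...)` without the `true` second argument that `opendistro_admin_password` passes two lines below, so an existing but empty password is kept rather than regenerated; verify that difference is intended.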
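Review bot: The `override_special_characters` value added under `vars` includes `{` and `}` alongside `%` and `#`, so a generated password can contain a Jinja delimiter pair (`{{`, `{%`, `{#`). If the rendered secrets file is later loaded back as the `secrets_wazuh` vars, Ansible templates variable values when they are referenced, and such a value would be evaluated or raise a templating error instead of being used verbatim. Dropping the braces removes that case at a negligible entropy cost for a 30-character string: `override_special_characters: '"#$%&()*+,-./:;<=>?@[\]^_|~'`. Whether the Wazuh API accepts every remaining character is not visible from this change.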
@@ -14,13 +15,36 @@
path: "{{ wazuh_secrets_path | dirname }}"
state: directory
+ - name: Check whether wazuh-secrets.yml exists
+ stat:
+ path: "{{ wazuh_secrets_path }}"
+ register: waz_exist_result
+
+ - name: Check if secret is encrypted
+ block:
+ - name: Try to decrypt secret
+ no_log: True
+ copy:
+ content: "{{ lookup('ansible.builtin.file', wazuh_secrets_path) | ansible.builtin.vault(ansible_vault_password) }}"
+ dest: "{{ wazuh_secrets_path }}"
+ decrypt: True
+ vars:
+ ansible_vault_password: "{{ lookup('ansible.builtin.env', 'KAYOBE_VAULT_PASSWORD') }}"
+ rescue:
+ - name: Secrets already decrypted
+ ansible.builtin.debug:
+ msg: 'Secret was already decrypted'
+ when: waz_exist_result.stat.exists
+
- name: Template new secrets
no_log: True
template:
src: wazuh-secrets.yml.j2
dest: "{{ wazuh_secrets_path }}"
+ when: not waz_exist_result.stat.exists
- name: In-place encrypt wazuh-secrets
+ no_log: True
copy:
content: "{{ lookup('ansible.builtin.file', wazuh_secrets_path) | ansible.builtin.vault(ansible_vault_password) }}"
dest: "{{ wazuh_secrets_path }}"
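Review bot: The new "Try to decrypt secret" task pipes the file through `ansible.builtin.vault(ansible_vault_password)`, which is the encrypting filter; its decrypting counterpart is `ansible.builtin.unvault`. As written the task cannot fail on a plaintext file, so the `rescue` never runs, an already-vaulted file receives a second vault layer, and the "In-place encrypt wazuh-secrets" task at the end of the hunk adds a third. The intended line is `content: "{{ lookup('ansible.builtin.file', wazuh_secrets_path) | ansible.builtin.unvault(ansible_vault_password) }}"`, and `decrypt: True` can go because that copy option only affects `src`, not `content`. Even with that fix the rescue treats every failure as "already decrypted", including a wrong or unset `KAYOBE_VAULT_PASSWORD` (`lookup('ansible.builtin.env', ...)` returns an empty string when the variable is missing), after which the play re-encrypts the file under the bad key; the rescue should check that the error is a not-vaulted-input error, or an `assert` before the block should require the env var to be non-empty. The vault password used by the final encrypt task is defined outside this hunk.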