diff --git a/Gemfile.lock b/Gemfile.lock
index 99e4b61e..cc3b976f 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -75,8 +75,13 @@ GIT virtus GEM - remote: https://rubygems.org/ remote: https://gems.contribsys.com/ + specs: + sidekiq-pro (3.4.0) + sidekiq (>= 4.1.5) + +GEM + remote: https://rubygems.org/ specs: HDRHistogram (0.1.3) activemodel (4.2.10)
@@ -91,8 +96,8 @@ GEM minitest (~> 5.1) thread_safe (~> 0.3, >= 0.3.4) tzinfo (~> 1.1) - addressable (2.5.1) - public_suffix (~> 2.0, >= 2.0.2) + addressable (2.8.1) + public_suffix (>= 2.0.2, < 6.0) amq-protocol (2.3.0) arel (6.0.4) atomic (1.1.99)
@@ -157,7 +162,7 @@ GEM pry (0.11.3) coderay (~> 1.1.0) method_source (~> 0.9.0) - public_suffix (2.0.5) + public_suffix (5.0.0) rack (2.2.3) rack-protection (2.0.1) rack
@@ -189,8 +194,6 @@ GEM connection_pool (~> 2.2, >= 2.2.0) rack-protection (>= 1.5.0) redis (~> 3.2, >= 3.2.1) - sidekiq-pro (3.4.0) - sidekiq (>= 4.1.5) thread_safe (0.3.6) travis-config (1.1.3) hashr (~> 2.0)
diff --git a/lib/travis/scheduler/serialize/worker/config/decrypt.rb b/lib/travis/scheduler/serialize/worker/config/decrypt.rb
index 160bc039..0a9439b6 100644
--- a/lib/travis/scheduler/serialize/worker/config/decrypt.rb
+++ b/lib/travis/scheduler/serialize/worker/config/decrypt.rb
@@ -9,12 +9,18 @@ def apply config[key] = process_env(config[key]) if config[key] end + force_vault_to_be_secure!(config) + config[:vault] = decryptor.decrypt(config[:vault]) if config[:vault] config[:addons] = decryptor.decrypt(config[:addons]) if config[:addons] config end private + def force_vault_to_be_secure!(config) + config[:vault].delete(:token) if config.dig(:vault, :token).is_a?(String) + end + def secure_env? !!options[:secure_env] end
diff --git a/spec/travis/scheduler/serialize/worker/config_spec.rb b/spec/travis/scheduler/serialize/worker/config_spec.rb
index aec1cfb0..fe2fd553 100644
--- a/spec/travis/scheduler/serialize/worker/config_spec.rb
+++ b/spec/travis/scheduler/serialize/worker/config_spec.rb
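Review bot: `force_vault_to_be_secure!` in decrypt.rb works as a deny-list, removing `config[:vault][:token]` only when it is a String, so any other unencrypted shape (an Integer, an Array, a Hash without `:secure`) is still handed to `decryptor.decrypt`, and what that call does with it is not visible in this hunk. An allow-list on the encrypted shape the spec uses would be tighter: `vault = config[:vault]`, `return unless vault.is_a?(Hash)`, `vault.delete(:token) unless vault[:token].is_a?(Hash) && vault[:token].key?(:secure)`. The `is_a?(Hash)` guard also matters on its own, because `config.dig(:vault, :token)` raises TypeError when `vault` is a String or an Array, which a hand-written build config can contain, and that would fail the whole `apply` call. The plaintext token is dropped silently, so nothing tells the repository owner that a credential committed in clear text should be rotated; a log line or build warning would help if this class has a channel for one. `apply` starts above the hunk, so whether `config` keys are already normalised to symbols before this check runs cannot be confirmed from here.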
@@ -71,6 +71,16 @@ def encrypt(string)
 let(:env) { [{ FOO: 'foo', BAR: 'bar' }, encrypt('BAZ=baz')] }
 it { should eql env: ['FOO=foo', 'BAR=bar', 'SECURE BAZ=baz'], global_env: ['FOO=foo', 'BAR=bar', 'SECURE BAZ=baz'] }
 end
+
+ describe 'decrypts vault secure token' do
+ let(:config) { { vault: { token: { secure: encrypt('my_key') } } } }
+ it { should eql vault: {token: 'my_key'} }
+ end
+
+ describe 'clears vault unsecure token' do
+ let(:config) { { vault: { token: 'my_key' } } }
+ it { should eql vault: {} }
+ end
 end
 describe 'with secure env disabled' do
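Review bot: The two added examples pin only the String and `{ secure: ... }` shapes of `vault.token`; nothing here exercises a non-String plaintext token or a `vault` value that is not a Hash, which are the inputs where the new String check does nothing or `dig` raises. Examples built on `let(:config) { { vault: { token: ['my_key'] } } }` and `let(:config) { { vault: 'my_key' } }` would pin the intended result for those shapes, which should be that no plaintext token reaches the serialized config. The hunk stops at the opening of `describe 'with secure env disabled'`, so whether vault handling is specified for that mode is not visible here; an example there would be worth adding, since that is presumably the mode used for builds that must not receive secrets.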