- use ansible vault - encrypt and decrypt tfstate files - decrypt when opening the container, encrypt when leaving - use vault credentials to host enc passphrase(s)
