Yes, we are using Ansible Vault to encrypt our passwords.yml, and all sensitive values are stored encrypted in that file. However, our concern is that—even though the secrets are encrypted at deployment time—they still end up as plaintext in the final config files inside the containers (e.g., nova.conf). As highlighted in the OpenStack Summit talk, there's an initiative to improve secret handling by avoiding storing passwords directly in service configuration files, even on disk. Instead, passwords would be referenced or pulled dynamically from a secure external source, such as Barbican or HashiCorp Vault, via Castellan integration. So while encrypting passwords.yml with Ansible Vault is a good first step, we're interested in going further — specifically, preventing plaintext secrets from appearing in config files altogether, as part of a more secure design. Thanks in advance!