diff --git a/Ansible vault encrypt-decrypt.md b/Ansible vault encrypt-decrypt.md
new file mode 100644
index 0000000..72e19c1
--- /dev/null
+++ b/Ansible vault encrypt-decrypt.md	
@@ -0,0 +1,20 @@
+# Ansible vault encrypt/decrypt
+
+## Encrypt
+Echo passwords through `ansible-vault` into a file.  Provide encryption password when prompted (can be different for each password)
+
+```shell
+printf "%s" <password1> | ansible-vault encrypt_string --stdin-name=<password-name1> > <password-file>.var.yml
+printf "%s" <password2> | ansible-vault encrypt_string --stdin-name=<password-name2> >> <password-file>.var.yml
+...
+```
+
+## Decrypt
+Retrieve a single decrytped password from password file.  Provide encryption password when prompted.
+
+```shell
+ansible localhost -e '@<password-file>.var.yml' --ask-vault-pass -m debug -a 'var=<password-name>'
+```
+
+Tags:
+  howto
\ No newline at end of file