diff --git a/group_vars/pyrocufflink/root-password b/group_vars/pyrocufflink/root-password
deleted file mode 100644
index 74957a3..0000000
--- a/group_vars/pyrocufflink/root-password
+++ /dev/null
@@ -1,15 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-61356562653238383736396230336365316334303632343731303938326232336566653863376332
-3533306661663236613836643137656339633534653732340a303636616465616563353530373738
-31303965383836653831366632323366356631303436323132613731326534393730373036363761
-3532633438353364650a356137383232316131653638383465616337373139396266316633343930
-39356137363036663536646436363135353431396433366163666664376164353838316466653165
-61343738326232393366646361383263633532613630663835623365616233646634373432343731
-39353462643438316636353539353035323639623031346665646437636366363637383530343034
-65346538363733303339313130613639663566396435336564326432333461323332336239323435
-62336166386431383936306664663163373939316433373233643134303438656137303735656434
-33343438653733663238316134393632376666306530376464616535623732363162396634623963
-66616534636439343135313630643735623063376231393961643961356231303536626361383636
-31386131353836333432376461343736653964393030656135333337393966363136613438663439
-66316363393334666336623736613437616637306235656532366231623666313332343665616561
-3835633439353139626438663263343865383863663832623437
diff --git a/group_vars/pyrocufflink/root-password.yml b/group_vars/pyrocufflink/root-password.yml
new file mode 100644
index 0000000..6c986fb
--- /dev/null
+++ b/group_vars/pyrocufflink/root-password.yml
@@ -0,0 +1,17 @@
+root_password: |
+  -----BEGIN AGE ENCRYPTED FILE-----
+  YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSY3JZdjhyKzhVYUloZ1Vn
+  Y1NZSHVaNDJLRjZBVkdvNHhSR2d5Q0JMc3djCmszc0ozTFVObFBhWEl4WExYd3pp
+  d2IzSGExUlI3eGtDOTBJejRjTWoveDgKLS0tIHNxa1NMYmduM2ZDWHNKWUw0M21N
+  Z1J3MU10bXRmendiN2M1VWVxb1Brc1EKslZr6qvtp1RCGl2+9fbuHY34+qS5xQRE
+  BqegwvR31NA1/I3ULLEmem7/ysdH/qWemlSvkIhmITExDTiNQ7IWiw==
+  -----END AGE ENCRYPTED FILE-----
+root_password_hash: >-
+  {{
+    root_password
+    | decrypt
+    | password_hash(
+        'sha512',
+        65534 | random(seed=inventory_hostname) | string
+    )
+  }}