diff --git a/glossary.rst b/glossary.rst
index 8749c6b..3c154fa 100644
--- a/glossary.rst
+++ b/glossary.rst
@@ -199,6 +199,17 @@ Glossary
            $ cd ${ANSIBLE_REPO}
            $ ansible-vault edit secrets.yml
 
+       Encrypt a file::
+
+           $ cd ${ANSIBLE_REPO}
+           $ ansible-vault encrypt --encrypt-vault-id ops ${PATH_TO_FILE}
+
+       .. tip::
+
+          When an encrypted file needs to be available in the server config
+          as well as from within ``/tocco/`` or ``/services/``, use
+          ``--encrypted-vault-id dev``.
+
     secrets2.yml
 
        Used to store passwords, API keys and other secrets. Encrypted using
@@ -218,6 +229,15 @@ Glossary
            $ cd ${ANSIBLE_REPO}/tocco
            $ ansible-vault edit  secrets2.yml
 
+       Encrypt a file::
+
+           $ cd ${ANSIBLE_REPO}/tocco
+           $ ansible-vault encrypt --encrypt-vault-id dev ${PATH_TO_FILE}
+
+       .. note::
+
+           *secrets2.yml* is also used by services defined in ``/services/``.
+
     service
     SVC
         Used to make a service available in the network. It provides a DNS name for a service in a way that hides the