We are looking to increase security in our switches while also creating an automated process to backup configuration files. Current STIGS recommend using a few commands to auto backup to a tftp server after every configuration change. This is great BUT its an insecure protocol. We would like to use SCP/SFTP for this process but this requires entering a password every time which removes the automated aspect. To circumvent this, we attempted to use archive with the path scp://user:pass. NOW, the issue here is that the running configuration shows the plaintext password and to my knowledge, the service password-encryption command does not do anything to hide these types of passwords. Is there a fix or alternative to this? Is there a way to have ansible pull configs with a service account, using the vault command to encrypt the password in the config?