diff --git a/README.md b/README.md
index 7bc36aa..9a4d7d2 100644
--- a/README.md
+++ b/README.md
@@ -32,6 +32,10 @@ a Raspberry Pi to its intended configuration state.  Add your Raspberry Pi's MAC
 address (specifically for `eth0` if your RPi has multiple NICs) to that
 structure and set its configuration accordingly.
 
+To add local users, create and edit `roles/common/vars/users.yml`.  Follow the
+structure in `roles/common/vars/users.yml.example`.  You can/should
+`ansible-vault` this file.
+
 ## Running the playbook
 
 Then run the playbook:
diff --git a/roles/common/tasks/users.yml b/roles/common/tasks/users.yml
index 8f5ad0f..20cdb3d 100644
--- a/roles/common/tasks/users.yml
+++ b/roles/common/tasks/users.yml
@@ -11,6 +11,12 @@
 #  command: "/bin/true"
 #  changed_when: false
 
+- name: import user configs
+  include_vars:
+    file: vars/users.yml
+  tags:
+    - users
+
 ### Create user accounts
 - name: create users
   user: name="{{ item.name }}"
diff --git a/roles/common/vars/main.yml b/roles/common/vars/main.yml
index af382c0..0e68e8d 100644
--- a/roles/common/vars/main.yml
+++ b/roles/common/vars/main.yml
@@ -65,14 +65,3 @@ macaddrs:
           - "w3m"
           - "irssi"
           - "screen"
-
-### Users that must be present on the system
-create_users:
-  - name: glock
-    comment: "Glenn K. Lockwood"
-    uid: 1024
-    group: users
-    # don't include the group from 'group:' above in the 'groups:' below; this
-    # breaks idempotency for some reason
-    groups: "adm,dialout,sudo,audio,video,plugdev,games,input,netdev,spi,i2c,gpio"
-    pubkey: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCjx1Fevx4XODj8pJy/qRZDwQCRwNl0tJ3gWlDy1dB/AtdapVh5XYDUI99R+JqqzGgME9Bif6p1K6bqClLQh7MeY57L9IyjtqBF2t6/vNeKdOYDYQcBwL1p7vbGNTfKxYF2G4Lw+tRVGr3c+sCvA6r5UUAIhXNXTs7fLZanO6JGwITlJFcxDXPmITEhoXu4yTFqA0j1yp/K7I7dvmlhG/Yq+8P6zTJww1Zpy3aMaJ9gB4KR9jclW67wQZ3kVkFcyJtHXRI/LTzfAitB9W1X0svXysy88DiZsBGm1UmrUuFD3JPRn0SRRYchW5RdZ7MDPYWUDWweZIeuWvWRKzMkB5VJ"
diff --git a/roles/common/vars/users.yml b/roles/common/vars/users.yml
new file mode 100644
index 0000000..eb4d87f
--- /dev/null
+++ b/roles/common/vars/users.yml
@@ -0,0 +1,42 @@
+$ANSIBLE_VAULT;1.1;AES256
+61323338303366613463316430373366303531633166386439353331393038636237316233643037
+3361643863323739633032663666363138383361316666630a613437386264396433326264653635
+61346563633666663438393564623461623066636664363230626562653338613532386463346636
+3766643262643766340a653933646661363436633561626431376663363138636533396661363038
+33653964326366653936353538616239653061306438306130383863393161303064323466303761
+65366431313766373062323534323962386363613061663365343361323162376232356637636230
+64643566643662643863386631303765643163386464626565323966656439613333303733356433
+32393530393335666430396133623432393734643635386166373434323538303033313431326162
+64303434346564626666366638636333363865613763323264666462336565393235336131313662
+61323263316231313238383435383830663566633965366232666332643536633933623136626433
+31316166326331353934646438303437373235636636666163363832613936393434353534643532
+65616164646465313239323439613436653536306664383265353334613436393730353364386538
+37373563663162633537666339303039636562346635393666303233646664383835316434643334
+36373062633665366631316163353963353065326530656439666133666630303937333562333566
+63636431663266653030373533336631613264386464343131306563363531303634366565666338
+30353537633765303963363462613161373837353837633265663537393838613861376166616230
+34306637666266356332373265336566656337316165306537613330333963313037326238366234
+36353838663135303261633834636230663039323136376635373836613364376662383366306262
+63656432353236366336626538363161646365316631363833646562643330386332663835656538
+62363164313135653537633565643063393437643130646637643061313464623735633737653836
+33333539343236306438366265343964303166313333386338653066626133373566336532326630
+64343265363565363834353136353164656263373331333032623531666131626234346332353036
+66633434303439303135343137353065396136616532396131633666663738316433393562333631
+36353866376335376132323933666163373936363233613931653266376133633863366662383136
+36346265376162353636376538316465636332383333303439353361633764613266383135643335
+32623961633837363237613338666332616462333431666433613831653835346332393135383036
+61316261316630326263363631636362386234306565626633343739363338636236306633396231
+34623361343731326137336531303435373037643130626635306435353433383863626237636539
+61613039383630393630636635383730376138383331616265653765373633613032626436363538
+34396232323531633166373161343934396336323633663639353333393036356565353762313434
+32323038633262313434663139616133323762383932323164626633323733666530626239663739
+38386563313565353935636136343237313961653163636463306132636362616165386263626264
+31653137633164386130326132386663643535626135383866313733336637333735393862623839
+66616138636138326465353164623865633161343436353935343930353764623830376564616136
+34616135643735353439366464646565316663316533633335393930653034323830386239353536
+34646437393138663939383766656335613063666134346433383931383938663234383962393839
+64653430383034633761363339353137393531333762623936653132356362396336636463383335
+63323964353033636335636631356163663031303463653761366331376634313432376132303835
+30343064316636393466633365313235333634653164366432346466363764396334363131613034
+37666438376530633464343962636439366630643965323135646365333231323833306235323634
+38353739393530373939666130303738343265343736333732366535353764313335
diff --git a/roles/common/vars/users.yml.example b/roles/common/vars/users.yml.example
new file mode 100644
index 0000000..77dc5c4
--- /dev/null
+++ b/roles/common/vars/users.yml.example
@@ -0,0 +1,13 @@
+# Example of users.yml which you may want to encrypt using ansible-vault.
+#
+# Users that must be present on the system
+#
+create_users:
+  - name: glock
+    comment: "Glenn K. Lockwood"
+    uid: 1024
+    group: users
+    # don't include the group from 'group:' above in the 'groups:' below; this
+    # breaks idempotency for some reason
+    groups: "adm,dialout,sudo,audio,video,plugdev,games,input,netdev,spi,i2c,gpio"
+    pubkey: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCjx1Fevx4XODj8pJy/qRZDwQCRwNl0tJ3gWlDy1dB/AtdapVh5XYDUI99R+JqqzGgME9Bif6p1K6bqClLQh7MeY57L9IyjtqBF2t6/vNeKdOYDYQcBwL1p7vbGNTfKxYF2G4Lw+tRVGr3c+sCvA6r5UUAIhXNXTs7fLZanO6JGwITlJFcxDXPmITEhoXu4yTFqA0j1yp/K7I7dvmlhG/Yq+8P6zTJww1Zpy3aMaJ9gB4KR9jclW67wQZ3kVkFcyJtHXRI/LTzfAitB9W1X0svXysy88DiZsBGm1UmrUuFD3JPRn0SRRYchW5RdZ7MDPYWUDWweZIeuWvWRKzMkB5VJ"