diff --git a/deploy.yml b/deploy.yml
index 3271139..cfe2681 100644
--- a/deploy.yml
+++ b/deploy.yml
@@ -146,8 +146,12 @@
   become: true
   post_tasks:
     - name: lbu commit
-      lbu:
-        commit: true
+      # I use the shell module instead of the lbu one because the lbu module
+      # doesn't seem to work with encryption
+      shell:
+        cmd: lbu commit
+      environment:
+        PASSWORD: '{{ lbu_password }}'
       when: ansible_distribution == "Alpine" and alpine_mode in ["diskless", "data"]
 
 - name: mount ro
diff --git a/host_vars/suricata/main.yml b/host_vars/suricata/main.yml
new file mode 100644
index 0000000..304a7df
--- /dev/null
+++ b/host_vars/suricata/main.yml
@@ -0,0 +1,8 @@
+---
+lbu_password: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          38393166366336363734333231633439656233616534303566353830396537346161656162353635
+          3735383436396566336430626439653331396434346232650a373830646233303061313139373834
+          39626462666363613430653932313866363037333166653839383332323035653231303634343830
+          3933313132393734660a336263323931326466643162343430623339313661393665336261313937
+          34386134643736623534363538343439656262616436306130363033363735396261