When enabled, the connection strings and passwords usually visible as plain text in the configuration file are encrypted. The excerpt below shows how the information is replaced with a $$vault$$ placeholder; this information is encrypted/decrypted implicitly, when required at run time.
MFDBFH_VAULT=<vault-name>
dbfhconfig -vault -file:<file-name>
<datastores usevault="true"> <server name="localhost:50000" type="db2" access="odbc"> <dsn name="DB2.VSAM" type="datastore" dsname="VSAM" optio="none +ooseq" dbname="MYMFFILS" connect="$$vault$$"/> <dsn name="DB2.SEQ" type="datastore" dsname="VSAM" optio="none +ooseq" bitism:"32" userid="db2admin" password="$$vault$$"/> <dsn name="DB2.ESDEMO" type="region.cas" region="ESDEMO" feature="all" dbname="MYMFFILS" connect="$$vault$$"/> <dsn name="DB2.CROSSREGION" type="crossregion.cas" dsname="$XREGN$" dbname="MYMFFILS" connect="$$vault$$"/> </server> </datastores>