In Calm blueprints a variable marked as Secret is stored in CredHub encrypted and is automatically masked (shown as ) whenever its value is printed in task output or audit logs, including Set-Variable tasks. By converting the variable to a Secret type the sensitive data is no longer exposed, while the blueprint can still reference the variable at run-time.

A. “=secret=” syntax is not recognised by Calm; the platform relies on the Secret variable flag, not a value prefix.

B. Calm is expressly designed to manage sensitive data through Secret variables and credentials; eliminating blueprints is unnecessary.

D. @@{jsonEncode(value)}@@ only produces a JSON-escaped string; it does not encrypt or mask log output.

1. Nutanix Calm 6.5 Administration Guide – “Variables > Secret Variables”, p.103-104: “If Secret is enabled the value is stored encrypted and will be masked in audit or run-time logs.”

2. Nutanix Calm 6.5 Administration Guide – “Viewing Audit Logs”, p.182: “Secret variable values appear as in Set-Variable task output.”

3. Nutanix Calm 3.6 API & CLI Reference – Section 4.2 “CredHub integration for secret variables”.

4. Nutanix University NCP-MCA v6 Courseware – Module 4, Slide 15: “Use Secret variables to prevent sensitive data from appearing in Calm logs.”