diff --git a/92_heira/.gitignore b/92_heira/.gitignore
new file mode 100644
index 0000000..9c99177
--- /dev/null
+++ b/92_heira/.gitignore
@@ -0,0 +1,2 @@
+keys
+data
\ No newline at end of file
diff --git a/92_heira/Dockerfile b/92_heira/Dockerfile
new file mode 100644
index 0000000..96d5658
--- /dev/null
+++ b/92_heira/Dockerfile
@@ -0,0 +1,53 @@
+FROM ubuntu:24.04
+
+RUN apt-get update \
+ && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
+ ca-certificates \
+ curl \
+ wget \
+ gnupg \
+ jq \
+ lsb-release \
+ ruby \
+ && rm -rf /var/lib/apt/lists/*
+
+RUN curl -fsSLo /tmp/puppet8-release.deb https://apt.puppet.com/puppet8-release-noble.deb \
+ && dpkg -i /tmp/puppet8-release.deb \
+ && rm /tmp/puppet8-release.deb \
+ && apt-get update \
+ && DEBIAN_FRONTEND=noninteractive apt-get install -y puppet-agent \
+ && rm -rf /var/lib/apt/lists/*
+
+#RUN gem install hiera-eyaml
+
+ENV PATH="/opt/puppetlabs/bin:/opt/puppetlabs/puppet/bin:${PATH}"
+
+COPY --chmod=755 < /dev/null || exit 1
+ rm -rf "\$TMP_DIR"
+ echo "Taskfile installed: $(task --version)"
+ else
+ cd - > /dev/null || exit 1
+ rm -rf "\$TMP_DIR"
+ echo "Warning: Taskfile download failed. Skipping..."
+ fi
+else
+ echo "Warning: Could not determine Taskfile version. Skipping..."
+fi
+EOF
+
+RUN /bin/install_task.sh
+# && rm /bin/install_task.sh
+
+WORKDIR /work
diff --git a/92_heira/README.md b/92_heira/README.md
new file mode 100644
index 0000000..4937a66
--- /dev/null
+++ b/92_heira/README.md
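Review bot: The image never switches away from root, and the `docker-run` task added in this same commit bind-mounts the host working directory at /work, so the keys/ and data/ files that eyaml writes there come back root-owned on the host; add a non-root user before `WORKDIR /work`, e.g. `RUN useradd --system --uid 10001 --create-home app` followed by `USER app`, choosing a UID that can write the mounted directory (or document the ownership caveat). The puppet8-release .deb is fetched with curl and handed straight to `dpkg -i` with no integrity check beyond TLS, and `puppet-agent` is installed unpinned and without `--no-install-recommends`, unlike the first RUN; `ADD --checksum=sha256:<EXPECTED_SHA256_PLACEHOLDER> https://apt.puppet.com/puppet8-release-noble.deb /tmp/puppet8-release.deb` (or a `sha256sum -c` before dpkg) plus `puppet-agent=<VERSION_PLACEHOLDER>` would make that layer reproducible. The `COPY --chmod=755` heredoc that creates /bin/install_task.sh appears truncated in this rendering of the diff, so its download step cannot be reviewed here; what is visible shows that a failed download only prints a warning and the build still succeeds, so an image without `task` can be produced silently, and the installer script stays in the image because the `&& rm` is commented out.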
@@ -0,0 +1,37 @@
+# HEIRA
+
+Demonstrate heira secrets.
+
+NOTES:
+
+* Do not use global `ruby`
+
+## Prereqs
+
+```sh
+brew install go-task
+```
+
+## Start
+
+```sh
+task docker-build
+task docker-run
+```
+
+## EYAML
+
+```sh
+eyaml --version
+
+# encrypt
+task heira-encryptintojson EXAMPLE_SECRET="helloworld"
+
+# decrypt
+task heira-decryptfromjson
+```
+
+## Resources
+
+* https://accenture.github.io/blog/2018/11/13/introducing_hiera_aws_sm.html
+* https://taskfile.dev/
\ No newline at end of file
diff --git a/92_heira/Taskfile.yml b/92_heira/Taskfile.yml
new file mode 100644
index 0000000..5169638
--- /dev/null
+++ b/92_heira/Taskfile.yml
@@ -0,0 +1,69 @@
+version: '3'
+
+vars:
+ EXAMPLE_SECRET: "heira_example_value"
+
+tasks:
+ docker-build:
+ desc: Build the docker image
+ cmds:
+ - docker build -t heira_example .
+
+ docker-run:
+ desc: Run the docker image
+ deps:
+ - docker-build
+ cmds:
+ - docker run -it --volume "$(pwd):/work" heira_example
+
+ heira-createkeys:
+ desc: Create heira encryption keys
+ cmds:
+ - eyaml createkeys --pkcs7-private-key=keys/private_key.pkcs7.pem --pkcs7-public-key=keys/public_key.pkcs7.pem
+ preconditions:
+ - sh: command -v eyaml >/dev/null
+ msg: "heira must be installed"
+
+
+ heira-encryptsecret:
+ desc: Encrypt a secret using heira
+ cmds:
+ - eyaml encrypt -s '$EXAMPLE_SECRET' --pkcs7-public-key=keys/public_key.pkcs7.pem --pkcs7-private-key=keys/private_key.pkcs7.pem
+
+ heira-decryptsecret:
+ desc: Decrypt a secret using heira
+ cmds:
+ - eyaml decrypt -s '$EXAMPLE_SECRET' --pkcs7-public-key=keys/public_key.pkcs7.pem --pkcs7-private-key=keys/private_key.pkcs7.pem
+
+
+ heira-encryptintojson:
+ desc: Encrypt a secret using heira into json format
+ vars:
+ EXAMPLE_SECRET: '{{.EXAMPLE_SECRET | default "example-secret"}}'
+ cmds:
+ - |
+ set -euo pipefail
+ mkdir -p ./data
+ echo '{}' > ./data/secrets.json
+ ENC=$(eyaml encrypt -o string -s '{{ .EXAMPLE_SECRET }}' --pkcs7-public-key=keys/public_key.pkcs7.pem --pkcs7-private-key=keys/private_key.pkcs7.pem)
+ echo "$ENC"
+ jq --arg enc "$ENC" '.password = $enc' ./data/secrets.json > ./data/secrets.tmp
+ mv ./data/secrets.tmp ./data/secrets.json
+ cat ./data/secrets.json
+
+ preconditions:
+ - sh: command -v eyaml >/dev/null
+ msg: "heira must be installed"
+
+ heira-decryptfromjson:
+ desc: Decrypt the password stored in ./data/secrets.json
+ cmds:
+ - |
+ set -euo pipefail
+ ENC=$(jq -er '.password' ./data/secrets.json)
+ eyaml decrypt -s "$ENC" --pkcs7-public-key=keys/public_key.pkcs7.pem --pkcs7-private-key=keys/private_key.pkcs7.pem
+ preconditions:
+ - sh: command -v eyaml >/dev/null
+ msg: "heira must be
installed"
+ - sh: test -f ./data/secrets.json
+ msg: "./data/secrets.json not found"
diff --git a/93_taskfile/README.md b/93_taskfile/README.md
new file mode 100644
index 0000000..f7a7f61
--- /dev/null
+++ b/93_taskfile/README.md
@@ -0,0 +1,27 @@
+# TASKFILE
+
+## Install
+
+```sh
+brew install go-task
+```
+
+## Examples
+
+```sh
+# list all tasks
+task --list-all
+
+# use defaults
+task hello
+
+# override
+task hello NAME="CHRIS"
+
+# will fail
+task hello NAME="CHRIS7"
+```
+
+## Resources
+
+* https://taskfile.dev/
diff --git a/93_taskfile/Taskfile.yml b/93_taskfile/Taskfile.yml
new file mode 100644
index 0000000..19dc88f
--- /dev/null
+++ b/93_taskfile/Taskfile.yml
@@ -0,0 +1,16 @@
+version: '3'
+
+vars:
+ NAME: "Chris"
+
+tasks:
+ hello:
+ desc: 'Print a greeting using NAME'
+ preconditions:
+ - sh: '[[ "{{.NAME}}" =~ ^[A-Za-z]+$ ]]'
+ msg: 'NAME must contain letters only'
+ vars:
+ MESSAGE: 'Hello {{.NAME | default "World"}}!'
+ cmds:
+ - 'echo {{.MESSAGE}}'
+
\ No newline at end of file
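Review bot: `heira-encryptsecret` and `heira-decryptsecret` pass `-s '$EXAMPLE_SECRET'` in single quotes, so the literal text `$EXAMPLE_SECRET` is what gets encrypted rather than the Taskfile variable; the other tasks reference it as `{{.EXAMPLE_SECRET}}`, so the encrypt command should read `- eyaml encrypt -s '{{.EXAMPLE_SECRET}}' --pkcs7-public-key=keys/public_key.pkcs7.pem` (encryption needs only the public key), and the decrypt variant cannot work on a plaintext value at all. Handing secrets to eyaml via `-s` also leaves the plaintext in process listings and shell history; eyaml's `--stdin` and `-f` inputs are preferable once this moves past a demo. `heira-encryptintojson` unconditionally overwrites ./data/secrets.json with `{}` before adding the password, discarding any other entries, so either the desc should say so or the `echo '{}'` should be guarded with `test -f ./data/secrets.json ||`. The two secret tasks are also the only ones without the `command -v eyaml` precondition the rest carry.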
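Review bot: The precondition interpolates `{{.NAME}}` into the shell test before anything validates it, so a NAME containing a double quote breaks the `[[ … ]]` expression instead of being rejected, and the guard does not cover the inputs it exists to filter; quoting the value in the template, `- sh: '[[ {{.NAME | shellQuote}} =~ ^[A-Za-z]+$ ]]'`, keeps the check intact for any value, and the same treatment applies to `- 'echo {{.MESSAGE}}'`, which also expands unquoted into the command. The `[[ … =~ … ]]` form relies on Task's built-in shell interpreter accepting bash extended tests; a short comment saying so would stop a reader from expecting this to run under POSIX sh.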