diff --git a/changelogs/fragments/73263-shadow-encrypt-string.yml b/changelogs/fragments/73263-shadow-encrypt-string.yml
new file mode 100644
index 00000000000..3903b3948bf
--- /dev/null
+++ b/changelogs/fragments/73263-shadow-encrypt-string.yml
@@ -0,0 +1,2 @@
+minor_changes:
+- "Shadow prompt input to ansible-vault encrypt-string unless the ``--show-input`` flag is set"
\ No newline at end of file
diff --git a/lib/ansible/cli/vault.py b/lib/ansible/cli/vault.py
index 0425a1a3e1a..e08a3bb4613 100644
--- a/lib/ansible/cli/vault.py
+++ b/lib/ansible/cli/vault.py
@@ -99,6 +99,8 @@ class VaultCLI(CLI):
 enc_str_parser.add_argument('-p', '--prompt', dest='encrypt_string_prompt', action='store_true', help="Prompt for the string to encrypt")
+ enc_str_parser.add_argument('--show-input', dest='show_string_input', default=False, action='store_true',
+ help='Do not hide input when prompted for the string to encrypt')
 enc_str_parser.add_argument('-n', '--name', dest='encrypt_string_names', action='append', help="Specify the variable name")
@@ -300,8 +302,13 @@ class VaultCLI(CLI):
 # TODO: could prompt for which vault_id to use for each plaintext string
 # currently, it will just be the default
- # could use private=True for shadowed input if useful
- prompt_response = display.prompt(msg)
+ hide_input = not context.CLIARGS['show_string_input']
+ if hide_input:
+ msg = "String to encrypt (hidden): "
+ else:
+ msg = "String to encrypt:"
+
+ prompt_response = display.prompt(msg, private=hide_input)
 if prompt_response == '':
 raise AnsibleOptionsError('The plaintext provided from the prompt was empty, not encrypting')
diff --git a/test/units/cli/test_vault.py b/test/units/cli/test_vault.py
index 9f2ba6853d7..bb244a5ae78 100644
--- a/test/units/cli/test_vault.py
+++ b/test/units/cli/test_vault.py
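Review bot: The help text for `--show-input` in the first `lib/ansible/cli/vault.py` hunk does not say that the flag only matters together with `-p/--prompt`; in the second hunk of this file it is read only right before `display.prompt`, so on other input paths it appears to be silently ignored. Consider `help='Do not hide input when prompted for the string to encrypt (only used with --prompt)'`. `default=False` is also redundant with `action='store_true'` and can be dropped to match the neighbouring `--prompt` argument.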
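Review bot: The two prompt strings in the new `if hide_input:` branch are inconsistent: `"String to encrypt (hidden): "` ends with a space but `"String to encrypt:"` does not, so echoed input will sit directly against the colon; use `msg = "String to encrypt: "` in the `else` branch. The hidden path gives no visual feedback and the hunk shows no confirmation step, so a mistyped secret would be encrypted unnoticed. That trade-off deserves a why-comment above `hide_input`, e.g. `# hidden by default to keep the plaintext out of scrollback and screen recordings; --show-input lets the user verify what was typed`. The enclosing method starts and ends outside the hunk, so whether `msg` was already assigned earlier cannot be checked from here.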
@@ -108,9 +108,26 @@ class TestVaultCli(unittest.TestCase):
 cli = VaultCLI(args=['ansible-vault',
 'encrypt_string',
 '--prompt',
+ '--show-input',
 'some string to encrypt'])
 cli.parse()
 cli.run()
+ args, kwargs = mock_display.call_args
+ assert kwargs["private"] is False
+
+ @patch('ansible.cli.vault.VaultCLI.setup_vault_secrets')
+ @patch('ansible.cli.vault.VaultEditor')
+ @patch('ansible.cli.vault.display.prompt', return_value='a_prompt')
+ def test_shadowed_encrypt_string_prompt(self, mock_display, mock_vault_editor, mock_setup_vault_secrets):
+ mock_setup_vault_secrets.return_value = [('default', TextVaultSecret('password'))]
+ cli = VaultCLI(args=['ansible-vault',
+ 'encrypt_string',
+ '--prompt',
+ 'some string to encrypt'])
+ cli.parse()
+ cli.run()
+ args, kwargs = mock_display.call_args
+ assert kwargs["private"]
 @patch('ansible.cli.vault.VaultCLI.setup_vault_secrets')
 @patch('ansible.cli.vault.VaultEditor')
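Review bot: `assert kwargs["private"]` in `test_shadowed_encrypt_string_prompt` only checks truthiness, while the `--show-input` test pins `is False`; write `assert kwargs["private"] is True` so the hidden-by-default case is pinned just as strictly. Both tests read `mock_display.call_args`, which holds only the last call to `display.prompt`. If the command prompts more than once (not visible in this hunk), checking `mock_display.call_args_list` would make clear which prompt is being asserted. The first test's `def` line is outside the hunk.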