diff --git a/barbican/api/controllers/__init__.py b/barbican/api/controllers/__init__.py
index 967f6517e..e4af34b5e 100644
--- a/barbican/api/controllers/__init__.py
+++ b/barbican/api/controllers/__init__.py
@@ -11,6 +11,7 @@
 # under the License.
 import collections
+from oslo_policy import policy
 import pecan
 from webob import exc
@@ -103,6 +104,13 @@ def handle_exceptions(operation_name=u._('System')):
 except exc.HTTPError:
 LOG.exception(u._LE('Webob error seen'))
 raise # Already converted to Webob exception, just reraise
+ # In case PolicyNotAuthorized, we do not want to expose payload by
+ # logging exception, so just LOG.error
+ except policy.PolicyNotAuthorized as pna:
+ status, message = api.generate_safe_exception_message(
+ operation_name, pna)
+ LOG.error(message)
+ pecan.abort(status, message)
 except Exception as e:
 # In case intervening modules have disabled logging.
 LOG.logger.disabled = False
diff --git a/barbican/plugin/crypto/simple_crypto.py b/barbican/plugin/crypto/simple_crypto.py
index 39983664c..c49d31cfa 100644
--- a/barbican/plugin/crypto/simple_crypto.py
+++ b/barbican/plugin/crypto/simple_crypto.py
@@ -34,7 +34,7 @@ simple_crypto_plugin_opts = [
 cfg.StrOpt('kek',
 default='dGhpcnR5X3R3b19ieXRlX2tleWJsYWhibGFoYmxhaGg=',
 help=u._('Key encryption key to be used by Simple Crypto '
- 'Plugin'))
+ 'Plugin'), secret=True)
 ]
 CONF.register_group(simple_crypto_plugin_group)
 CONF.register_opts(simple_crypto_plugin_opts, group=simple_crypto_plugin_group)
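Review bot: The new `except policy.PolicyNotAuthorized` branch logs and returns whatever `api.generate_safe_exception_message` builds, so the comment's promise of no payload in the log depends on that helper never interpolating the exception text or the request target; the helper is not visible in this diff. A regression test would pin this down: trigger a policy denial on a request carrying a marker payload and assert the marker is absent from both the captured log output and the response body. The generic `except Exception` branch that follows continues outside the hunk; if it still calls `LOG.exception`, other exception types raised with request data in scope would presumably have the same exposure and deserve the same treatment. The comment would read more clearly as `# Policy denials are expected: log only the sanitized message, no traceback, so request data cannot reach the logs.`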
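Review bot: `secret=True` keeps `kek` out of logged option values, but the `default=` two lines above the change is a fixed key published in this source file, so a deployment that never overrides it gains nothing from the masking. The help text should say so, e.g. `'Plugin. The default is a sample value and must be replaced before production use.'`, and the plugin could log a warning at start-up when the configured value still equals the default. The `simple_crypto_plugin_opts` list opens above the hunk and the code that consumes the option is not shown, so the start-up check is a suggestion for that code rather than for these lines.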