diff --git a/ansible/roles/barbican/templates/barbican.conf.j2 b/ansible/roles/barbican/templates/barbican.conf.j2
index 083f3aac31..c3515938bc 100644
--- a/ansible/roles/barbican/templates/barbican.conf.j2
+++ b/ansible/roles/barbican/templates/barbican.conf.j2
@@ -15,6 +15,29 @@ sql_connection = mysql+pymysql://{{ barbican_database_user }}:{{ barbican_databa
 transport_url = rabbit://{% for host in groups['rabbitmq'] %}{{ rabbitmq_user }}:{{ rabbitmq_password }}@{{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ rabbitmq_port }}{% if not loop.last %},{% endif %}{% endfor %}
+# ================= Secret Store Plugin ===================
+[secretstore]
+namespace = barbican.secretstore.plugin
+enabled_secretstore_plugins = store_crypto
+
+# ================= Crypto plugin ===================
+[crypto]
+namespace = barbican.crypto.plugin
+enabled_crypto_plugins = p11_crypto
+
+[p11_crypto_plugin]
+# Path to vendor PKCS11 library
+library_path = '/usr/lib/libCryptoki2_64.so'
+# Password to login to PKCS11 session
+login = '{{ barbican_p11_password }}'
+# Label to identify master KEK in the HSM (must not be the same as HMAC label)
+mkek_label = 'kolla_master_kek'
+# Length in bytes of master KEK
+mkek_length = 32
+# Label to identify HMAC key in the HSM (must not be the same as MKEK label)
+hmac_label = 'kolla_hmac'
+
+
 [keystone_notifications]
 enable = True
diff --git a/etc/kolla/passwords.yml b/etc/kolla/passwords.yml
index 142d22c3db..425f9a36e7 100644
--- a/etc/kolla/passwords.yml
+++ b/etc/kolla/passwords.yml
@@ -26,6 +26,7 @@ aodh_keystone_password:
 barbican_database_password:
 barbican_keystone_password:
+barbican_p11_password:
 keystone_admin_password:
 keystone_database_password:
diff --git a/releasenotes/notes/add-barbican-p11-password-a05ed037fe84d1f4.yaml b/releasenotes/notes/add-barbican-p11-password-a05ed037fe84d1f4.yaml
new file mode 100644
index 0000000000..c2a03647b2
--- /dev/null
+++ b/releasenotes/notes/add-barbican-p11-password-a05ed037fe84d1f4.yaml
@@ -0,0 +1,4 @@
+---
+fixes:
+ - Change Barbican default secret store to pkcs11 instead of default one.
+ Add barbican_p11_password to passwords.yml
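Review bot: `enabled_crypto_plugins = p11_crypto` together with the hard-coded `library_path = '/usr/lib/libCryptoki2_64.so'` turns a vendor HSM client library into an unconditional requirement for every deployment that renders this template, with no variable to keep the software store, so hosts without that library (or without an MKEK and HMAC key already present under the labels `kolla_master_kek` and `kolla_hmac`) will fail at startup instead of falling back. I would keep `simple_crypto` as the default and emit the `[p11_crypto_plugin]` section only when an operator selects the PKCS#11 backend, templating the library path as well; the variable names in the sketch below are illustrative placeholders, not existing kolla variables. Nothing in the change creates the keys in the HSM, so the bootstrap prerequisite (`barbican-manage hsm gen_mkek` / `gen_hmac` with the configured labels and `mkek_length`) should be stated in a comment above `[p11_crypto_plugin]` or in the release note. If the software store remains selectable, `[simple_crypto_plugin] kek` should also be set from a generated secret rather than left at barbican's built-in default key.

```ini
# ================= Crypto plugin ===================
[crypto]
namespace = barbican.crypto.plugin
{% if barbican_crypto_plugin == 'p11_crypto' %}
enabled_crypto_plugins = p11_crypto

[p11_crypto_plugin]
# Path to vendor PKCS11 library (deployment specific, supplied by the operator)
library_path = '{{ barbican_p11_library_path }}'
# … unchanged: login / mkek_label / mkek_length / hmac_label …
{% else %}
enabled_crypto_plugins = simple_crypto
{% endif %}
```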
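Review bot: `barbican_p11_password:` is the login PIN of an HSM partition that already exists outside kolla, not a secret kolla can mint, yet it is added among the entries that kolla-genpwd fills with random values, so a generated passwords.yml would presumably carry a value that cannot match the HSM and the PKCS#11 login would fail at runtime. A comment above the key making it an operator-supplied value, and excluding it from generation, would avoid that; e.g. `# Set to the PKCS#11 partition login PIN of your HSM; must not be auto-generated` directly above `barbican_p11_password:`. The surrounding lines are context only, so this is a single added entry.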