diff --git a/manifests/plugins/kmip.pp b/manifests/plugins/kmip.pp
new file mode 100644
index 00000000..0e2167ae
--- /dev/null
+++ b/manifests/plugins/kmip.pp
@@ -0,0 +1,85 @@
+# == Class: barbican::plugins::kmip
+#
+# Sets up Barbican API kmip secret_store plugin
+#
+# === Parameters
+#
+# [*kmip_plugin_username*]
+# (optional) username for KMIP device
+# Required if kmip_plugin is enabled.
+# Defaults to undef
+#
+# [*kmip_plugin_password*]
+# (optional) password for KMIP device
+# Required if kmip_plugin is enabled.
+# Defaults to undef
+#
+# [*kmip_plugin_host*]
+# (optional) username for KMIP device
+# Defaults to undef
+#
+# [*kmip_plugin_port*]
+# (optional) port for KMIP device
+# Defaults to undef
+#
+# [*kmip_plugin_keyfile*]
+# (optional) key file for KMIP device
+# Defaults to undef
+#
+# [*kmip_plugin_certfile*]
+# (optional) cert file for KMIP device
+# Defaults to undef
+#
+# [*kmip_plugin_ca_certs*]
+# (optional) ca certs file for KMIP device
+# Defaults to undef
+#
+class barbican::plugins::kmip (
+ $kmip_plugin_username = undef,
+ $kmip_plugin_password = undef,
+ $kmip_plugin_host = undef,
+ $kmip_plugin_port = undef,
+ $kmip_plugin_keyfile = undef,
+ $kmip_plugin_certfile = undef,
+ $kmip_plugin_ca_certs = undef,
+) {
+
+ if $kmip_plugin_host == undef {
+ fail('kmip_plugin_host must be defined')
+ }
+ if $kmip_plugin_port == undef {
+ fail('kmip_plugin_port must be defined')
+ }
+ if $kmip_plugin_username != undef {
+ if $kmip_plugin_password == undef {
+ fail('kmip_plugin_password must be defined if kmip_plugin_username is defined')
+ }
+ } else {
+ if $kmip_plugin_certfile == undef {
+ fail('kmip_plugin_certfile must be defined')
+ }
+ if $kmip_plugin_keyfile == undef {
+ fail('kmip_plugin_keyfile must be defined')
+ }
+ if $kmip_plugin_ca_certs == undef {
+ fail('kmip_plugin_ca_certs must be defined')
+ }
+ }
+
+ if $kmip_plugin_username != undef {
+ barbican_config {
+ 'kmip_plugin/username': value => $kmip_plugin_username;
+ 'kmip_plugin/password': value => $kmip_plugin_password;
+ 'kmip_plugin/host': value => $kmip_plugin_host;
+ 'kmip_plugin/port': value => $kmip_plugin_port;
+ }
+ } else {
+ barbican_config {
+ 'kmip_plugin/keyfile': value => $kmip_plugin_keyfile;
+ 'kmip_plugin/certfile': value => $kmip_plugin_certfile;
+ 'kmip_plugin/ca_certs': value => $kmip_plugin_ca_certs;
+ 'kmip_plugin/host': value => $kmip_plugin_host;
+ 'kmip_plugin/port': value => $kmip_plugin_port;
+ }
+ }
+}
diff --git a/spec/classes/barbican_plugins_kmip_spec.rb b/spec/classes/barbican_plugins_kmip_spec.rb
new file mode 100644
index 00000000..50b6c70d
--- /dev/null
+++ b/spec/classes/barbican_plugins_kmip_spec.rb
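Review bot: `'kmip_plugin/password'` in the username branch is written as an ordinary value, so the KMIP password can appear in Puppet change logs and reports; mark it with the type's `secret` parameter, `'kmip_plugin/password': value => $kmip_plugin_password, secret => true;`. The same branch silently drops `kmip_plugin_keyfile`, `kmip_plugin_certfile` and `kmip_plugin_ca_certs` when they are passed together with a username, so the CA bundle used to verify the KMIP server is left unmanaged in that mode (presumably falling back to the plugin's defaults); either write the TLS settings in both branches or `fail()` on the mixed input. The header comment also describes `kmip_plugin_host` as a "username" and lists host and port as optional although the class fails without them.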
@@ -0,0 +1,61 @@
+require 'spec_helper'
+
+describe 'barbican::plugins::kmip' do
+
+ let :facts do
+ @default_facts.merge(
+ {
+ :osfamily => 'RedHat',
+ :processorcount => '7',
+ }
+ )
+ end
+
+ describe 'with kmip plugin with username' do
+ let :params do
+ {
+ :kmip_plugin_username => 'kmip_user',
+ :kmip_plugin_password => 'kmip_password',
+ :kmip_plugin_host => 'kmip_host',
+ :kmip_plugin_port => 9000,
+ }
+ end
+
+ it 'is_expected.to set kmip parameters' do
+ is_expected.to contain_barbican_config('kmip_plugin/host')\
+ .with_value(params[:kmip_plugin_host])
+ is_expected.to contain_barbican_config('kmip_plugin/port')\
+ .with_value(params[:kmip_plugin_port])
+ is_expected.to contain_barbican_config('kmip_plugin/username')\
+ .with_value(params[:kmip_plugin_username])
+ is_expected.to contain_barbican_config('kmip_plugin/password')\
+ .with_value(params[:kmip_plugin_password])
+ end
+ end
+
+ describe 'with kmip plugin with certificate' do
+ let :params do
+ {
+ :kmip_plugin_keyfile => 'key_file',
+ :kmip_plugin_certfile => 'cert_file',
+ :kmip_plugin_ca_certs => 'ca_cert_file',
+ :kmip_plugin_host => 'kmip_host',
+ :kmip_plugin_port => 9000,
+ }
+ end
+
+ it 'is_expected.to set kmip parameters' do
+ is_expected.to contain_barbican_config('kmip_plugin/keyfile')\
+ .with_value(params[:kmip_plugin_keyfile])
+ is_expected.to contain_barbican_config('kmip_plugin/certfile')\
+ .with_value(params[:kmip_plugin_certfile])
+ is_expected.to contain_barbican_config('kmip_plugin/ca_certs')\
+ .with_value(params[:kmip_plugin_ca_certs])
+ is_expected.to contain_barbican_config('kmip_plugin/host')\
+ .with_value(params[:kmip_plugin_host])
+ is_expected.to contain_barbican_config('kmip_plugin/port')\
+ .with_value(params[:kmip_plugin_port])
+ end
+ end
+end
+
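Review bot: None of the `fail()` paths in `barbican::plugins::kmip` is exercised here; both `describe` blocks pass only accepted parameter sets, so a regression that lets a username through without a password, or certificate mode without `kmip_plugin_ca_certs`, would still pass this spec. Add one context per rejected combination, for example params holding only `kmip_plugin_username`, `kmip_plugin_host` and `kmip_plugin_port` with `it { is_expected.to compile.and_raise_error(/kmip_plugin_password must be defined/) }`. The example descriptions would also read better as `'sets kmip parameters'` than `'is_expected.to set kmip parameters'`.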