diff --git a/manifests/compute/libvirt/qemu.pp b/manifests/compute/libvirt/qemu.pp index 5400e2c23..415e0cad7 100644 --- a/manifests/compute/libvirt/qemu.pp +++ b/manifests/compute/libvirt/qemu.pp @@ -33,6 +33,10 @@ # NOTE: big files will be stored here # Defaults to undef. # +# [*nbd_tls*] +# (optional) Enables TLS for nbd connections. +# Defaults to false. +# class nova::compute::libvirt::qemu( $configure_qemu = false, $group = undef, @@ -40,7 +44,8 @@ class nova::compute::libvirt::qemu( $max_processes = 4096, $vnc_tls = false, $vnc_tls_verify = true, - $memory_backing_dir = undef + $memory_backing_dir = undef, + $nbd_tls = false ){ include ::nova::deps @@ -63,11 +68,18 @@ class nova::compute::libvirt::qemu( $vnc_tls_verify_value = 0 } + if $nbd_tls { + $nbd_tls_value = 1 + } else { + $nbd_tls_value = 0 + } + $augues_changes_default = [ "set max_files ${max_files}", "set max_processes ${max_processes}", "set vnc_tls ${vnc_tls_value}", - "set vnc_tls_x509_verify ${vnc_tls_verify_value}" + "set vnc_tls_x509_verify ${vnc_tls_verify_value}", + "set nbd_tls ${nbd_tls_value}" ] if $group and !empty($group) { $augues_group_changes = ["set group ${group}"] @@ -95,7 +107,8 @@ class nova::compute::libvirt::qemu( 'rm group', 'rm vnc_tls', 'rm vnc_tls_x509_verify', - 'rm memory_backing_dir' + 'rm memory_backing_dir', + 'rm nbd_tls' ], tag => 'qemu-conf-augeas', } diff --git a/releasenotes/notes/add_qemu_nbd_parameters-f8b975e695d6efd9.yaml b/releasenotes/notes/add_qemu_nbd_parameters-f8b975e695d6efd9.yaml new file mode 100644 index 000000000..341ecfe29 --- /dev/null +++ b/releasenotes/notes/add_qemu_nbd_parameters-f8b975e695d6efd9.yaml 
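Review bot: The new `[*nbd_tls*]` docblock does not state the precondition that makes the flag safe to enable: qemu.conf's `nbd_tls` only works when a CA certificate plus a server certificate and key are installed in the x509 directory libvirt uses for NBD (as far as I recall, `nbd_tls_x509_cert_dir`, defaulting to /etc/pki/libvirt-nbd and otherwise the default TLS cert directory), and with `nbd_tls = 1` but no certificates the NBD server used for block migration fails rather than falling back to clear text. Suggest extending the comment with `# Requires CA and server certificates in the x509 directory libvirt uses for NBD` and `# (nbd_tls_x509_cert_dir); without them block migration will fail.` It is also worth a sentence that this only sets the compute-side qemu.conf, and that whether Nova actually drives migrations over TLS is presumably configured elsewhere and is not covered by this class.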
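Review bot: `"set nbd_tls ${nbd_tls_value}"` is added to the managed changes, but nothing lets the operator point libvirt at the certificates that setting depends on, so a deployment that keeps its NBD certificates outside libvirt's default directory cannot use this flag without hand-editing qemu.conf behind Puppet's back. Consider an optional `$nbd_tls_x509_cert_dir = undef` parameter handled with the same `if $x and !empty($x)` guard already used for `group` in this hunk, emitting `"set nbd_tls_x509_cert_dir ${nbd_tls_x509_cert_dir}"` when set and `'rm nbd_tls_x509_cert_dir'` in the cleanup list for `configure_qemu => false`. Adding it touches the class signature and the `rm` list, which sit in the neighbouring hunks rather than this one; the `$augues_changes_default` assembly itself continues past the end of this hunk.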
@@ -0,0 +1,11 @@ +--- +features: + - | + Add support for native TLS encryption on NBD for disk migration + + The NBD protocol previously runs in clear text, offering no security + protection for the data transferred, unless it is tunnelled over some + external transport like SSH. Such tunnelling is inefficient and + inconvenient to manage. Support for TLS to the NBD clients & servers + provided by QEMU was added. This adds support to configure ndb related + qemu.conf parameters. diff --git a/spec/classes/nova_compute_libvirt_qemu_spec.rb b/spec/classes/nova_compute_libvirt_qemu_spec.rb index 3d35e674f..485aca8cf 100644 --- a/spec/classes/nova_compute_libvirt_qemu_spec.rb +++ b/spec/classes/nova_compute_libvirt_qemu_spec.rb @@ -18,7 +18,7 @@ describe 'nova::compute::libvirt::qemu' do end it { is_expected.to contain_augeas('qemu-conf-limits').with({ :context => '/files/etc/libvirt/qemu.conf', - :changes => [ "rm max_files", "rm max_processes", "rm group", "rm vnc_tls", "rm vnc_tls_x509_verify", "rm memory_backing_dir" ], + :changes => [ "rm max_files", "rm max_processes", "rm group", "rm vnc_tls", "rm vnc_tls_x509_verify", "rm memory_backing_dir", "rm nbd_tls" ], }).that_notifies('Service[libvirt]') } end @@ -30,7 +30,7 @@ describe 'nova::compute::libvirt::qemu' do end it { is_expected.to contain_augeas('qemu-conf-limits').with({ :context => '/files/etc/libvirt/qemu.conf', - :changes => [ "set max_files 1024", "set max_processes 4096", "set vnc_tls 0", "set vnc_tls_x509_verify 0" ], + :changes => [ "set max_files 1024", "set max_processes 4096", "set vnc_tls 0", "set vnc_tls_x509_verify 0", "set nbd_tls 0" ], :tag => 'qemu-conf-augeas', }).that_notifies('Service[libvirt]') } end 
@@ -45,7 +45,7 @@ describe 'nova::compute::libvirt::qemu' do end it { is_expected.to contain_augeas('qemu-conf-limits').with({ :context => '/files/etc/libvirt/qemu.conf', - :changes => [ "set max_files 32768", "set max_processes 131072", "set vnc_tls 0", "set vnc_tls_x509_verify 0" ], + :changes => [ "set max_files 32768", "set max_processes 131072", "set vnc_tls 0", "set vnc_tls_x509_verify 0", "set nbd_tls 0" ], :tag => 'qemu-conf-augeas', }).that_notifies('Service[libvirt]') } end @@ -67,6 +67,7 @@ describe 'nova::compute::libvirt::qemu' do "set max_processes 131072", "set vnc_tls 0", "set vnc_tls_x509_verify 0", + "set nbd_tls 0", "set group openvswitch", "set memory_backing_dir /tmp" ], @@ -87,7 +88,8 @@ describe 'nova::compute::libvirt::qemu' do "set max_files 1024", "set max_processes 4096", "set vnc_tls 1", - "set vnc_tls_x509_verify 1" + "set vnc_tls_x509_verify 1", + "set nbd_tls 0" ], :tag => 'qemu-conf-augeas', }).that_notifies('Service[libvirt]') } @@ -107,7 +109,28 @@ describe 'nova::compute::libvirt::qemu' do "set max_files 1024", "set max_processes 4096", "set vnc_tls 1", - "set vnc_tls_x509_verify 0" + "set vnc_tls_x509_verify 0", + "set nbd_tls 0" + ], + :tag => 'qemu-conf-augeas', + }).that_notifies('Service[libvirt]') } + end + + context 'when configuring qemu with nbd_tls' do + let :params do + { + :configure_qemu => true, + :nbd_tls => true + } + end + it { is_expected.to contain_augeas('qemu-conf-limits').with({ + :context => '/files/etc/libvirt/qemu.conf', + :changes => [ + "set max_files 1024", + "set max_processes 4096", + "set vnc_tls 0", + "set vnc_tls_x509_verify 0", + "set nbd_tls 1" ], :tag => 'qemu-conf-augeas', }).that_notifies('Service[libvirt]') }