diff --git a/lib/puppet/type/nova_config.rb b/lib/puppet/type/nova_config.rb index df4cba1d0..8dab2e71d 100644 --- a/lib/puppet/type/nova_config.rb +++ b/lib/puppet/type/nova_config.rb @@ -18,6 +18,30 @@ Puppet::Type.newtype(:nova_config) do value end newvalues(/^[\S ]*$/) + + def is_to_s( currentvalue ) + if resource.secret? + return '[old secret redacted]' + else + return currentvalue + end + end + + def should_to_s( newvalue ) + if resource.secret? + return '[new secret redacted]' + else + return newvalue + end + end + end + + newparam(:secret, :boolean => true) do + desc 'Whether to hide the value from Puppet logs. Defaults to `false`.' + + newvalues(:true, :false) + + defaultto false end validate do diff --git a/lib/puppet/type/nova_paste_api_ini.rb b/lib/puppet/type/nova_paste_api_ini.rb index 6acb1ea0d..095fa210c 100644 --- a/lib/puppet/type/nova_paste_api_ini.rb +++ b/lib/puppet/type/nova_paste_api_ini.rb @@ -14,6 +14,30 @@ Puppet::Type.newtype(:nova_paste_api_ini) do value.capitalize! if value =~ /^(true|false)$/i value end + + def is_to_s( currentvalue ) + if resource.secret? + return '[old secret redacted]' + else + return currentvalue + end + end + + def should_to_s( newvalue ) + if resource.secret? + return '[new secret redacted]' + else + return newvalue + end + end + end + + newparam(:secret, :boolean => true) do + desc 'Whether to hide the value from Puppet logs. Defaults to `false`.' + + newvalues(:true, :false) + + defaultto false end end diff --git a/manifests/api.pp b/manifests/api.pp index f552619f8..adb48473b 100644 --- a/manifests/api.pp +++ b/manifests/api.pp @@ -88,7 +88,7 @@ class nova::api( 'filter:authtoken/auth_protocol': value => $auth_protocol; 'filter:authtoken/admin_tenant_name': value => $admin_tenant_name; 'filter:authtoken/admin_user': value => $admin_user; - 'filter:authtoken/admin_password': value => $admin_password; + 'filter:authtoken/admin_password': value => $admin_password, secret => true; } if $auth_admin_prefix { 
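Review bot: The `desc` on the new `secret` parameter promises more than `is_to_s` and `should_to_s` deliver, because those two overrides only change how the old and new values are printed in the property's change message. The value is still an ordinary parameter in the compiled catalog, and any other message that interpolates it is presumably not covered, for example a rejection from the `newvalues(/^[\S ]*$/)` check just above if Puppet echoes the rejected value there. I would narrow the wording to something like `desc 'Whether to redact the value in Puppet change messages (the catalog still holds it in clear). Defaults to false.'`. The same text is added to nova_paste_api_ini.rb in the next hunk, and the enclosing property block starts outside this hunk.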
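Review bot: `is_to_s`, `should_to_s` and the `secret` parameter in nova_paste_api_ini.rb are a verbatim copy of what the previous hunk adds to nova_config.rb, so any later change to the redaction has to be made in two places. If the module layout allows it, the two methods could live in one shared module that both property blocks include. Each body also reduces to a single expression, e.g. `resource.secret? ? '[old secret redacted]' : currentvalue`, without the explicit `return` and the padded parentheses in `is_to_s( currentvalue )`. The enclosing property block starts outside the hunk.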
diff --git a/manifests/init.pp b/manifests/init.pp index ae939a6be..536e97fec 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -152,7 +152,9 @@ class nova( } else { fail("Invalid db connection ${sql_connection}") } - nova_config { 'DEFAULT/sql_connection': value => $sql_connection } + nova_config { + 'DEFAULT/sql_connection': value => $sql_connection, secret => true, + } } nova_config { 'DEFAULT/image_service': value => $image_service } @@ -168,7 +170,7 @@ class nova( if $rpc_backend == 'nova.openstack.common.rpc.impl_kombu' { # I may want to support exporting and collecting these nova_config { - 'DEFAULT/rabbit_password': value => $rabbit_password; + 'DEFAULT/rabbit_password': value => $rabbit_password, secret => true; 'DEFAULT/rabbit_userid': value => $rabbit_userid; 'DEFAULT/rabbit_virtual_host': value => $rabbit_virtual_host; } @@ -193,7 +195,7 @@ class nova( 'DEFAULT/qpid_hostname': value => $qpid_hostname; 'DEFAULT/qpid_port': value => $qpid_port; 'DEFAULT/qpid_username': value => $qpid_username; - 'DEFAULT/qpid_password': value => $qpid_password; + 'DEFAULT/qpid_password': value => $qpid_password, secret => true; 'DEFAULT/qpid_reconnect': value => $qpid_reconnect; 'DEFAULT/qpid_reconnect_timeout': value => $qpid_reconnect_timeout; 'DEFAULT/qpid_reconnect_limit': value => $qpid_reconnect_limit; diff --git a/manifests/network/quantum.pp b/manifests/network/quantum.pp index 59527a529..5925d0492 100644 --- a/manifests/network/quantum.pp +++ b/manifests/network/quantum.pp 
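Review bot: The `fail("Invalid db connection ${sql_connection}")` on the context line just above the changed resource still interpolates the whole connection string. A rejected value, including any password embedded in it, therefore ends up in the failure message even though the resource itself is now marked `secret => true`. Dropping the value from the message keeps the two paths consistent, e.g. `fail('Invalid db connection: check the sql_connection parameter')`. The enclosing if/else starts outside the hunk, so the conditions that lead to this branch are not visible here.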
@@ -64,7 +64,7 @@ class nova::network::quantum ( 'DEFAULT/quantum_admin_tenant_name': value => $quantum_admin_tenant_name; 'DEFAULT/quantum_region_name': value => $quantum_region_name; 'DEFAULT/quantum_admin_username': value => $quantum_admin_username; - 'DEFAULT/quantum_admin_password': value => $quantum_admin_password; + 'DEFAULT/quantum_admin_password': value => $quantum_admin_password, secret => true; 'DEFAULT/quantum_admin_auth_url': value => $quantum_admin_auth_url; 'DEFAULT/security_group_api': value => $security_group_api; 'DEFAULT/firewall_driver': value => $firewall_driver; diff --git a/manifests/volume/san.pp b/manifests/volume/san.pp index 1b17bc4b1..c9c877a32 100644 --- a/manifests/volume/san.pp +++ b/manifests/volume/san.pp @@ -24,7 +24,7 @@ class nova::volume::san ( } else { nova_config { 'DEFAULT/san_login': value => $san_login; - 'DEFAULT/san_password': value => $san_password; + 'DEFAULT/san_password': value => $san_password, secret => true; } } diff --git a/spec/classes/nova_api_spec.rb b/spec/classes/nova_api_spec.rb index 2eff83b3e..2420059b3 100644 --- a/spec/classes/nova_api_spec.rb +++ b/spec/classes/nova_api_spec.rb @@ -59,7 +59,7 @@ describe 'nova::api' do should contain_nova_paste_api_ini( 'filter:authtoken/admin_user').with_value('nova') should contain_nova_paste_api_ini( - 'filter:authtoken/admin_password').with_value('passw0rd') + 'filter:authtoken/admin_password').with_value('passw0rd').with_secret(true) end it { should contain_nova_config('DEFAULT/ec2_listen').with('value' => '0.0.0.0') } it { should contain_nova_config('DEFAULT/osapi_compute_listen').with('value' => '0.0.0.0') } 
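Review bot: The added `.with_secret(true)` expectations only pin that the catalog carries the parameter, and nothing in this diff exercises the redaction itself. This applies to nova_api_spec.rb here and to the nova_init_spec.rb and nova_network_quantum_spec.rb hunks. A type-level spec would catch a regression in the Ruby code: build a nova_config resource with `secret => true`, assert that the property's `is_to_s` and `should_to_s` return the redacted placeholders, and assert that they return the real value when `secret` is left at its default. The `it` block holding this expectation starts outside the hunk.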
@@ -107,7 +107,7 @@ describe 'nova::api' do should contain_nova_paste_api_ini( 'filter:authtoken/admin_user').with_value('nova2') should contain_nova_paste_api_ini( - 'filter:authtoken/admin_password').with_value('passw0rd2') + 'filter:authtoken/admin_password').with_value('passw0rd2').with_secret(true) end it { should contain_nova_config('DEFAULT/ec2_listen').with('value' => '192.168.56.210') } it { should contain_nova_config('DEFAULT/osapi_compute_listen').with('value' => '192.168.56.210') } diff --git a/spec/classes/nova_init_spec.rb b/spec/classes/nova_init_spec.rb index d588a4621..09af1cbaa 100644 --- a/spec/classes/nova_init_spec.rb +++ b/spec/classes/nova_init_spec.rb @@ -62,9 +62,9 @@ describe 'nova' do it { should contain_nova_config('DEFAULT/auth_strategy').with_value('keystone') } it { should_not contain_nova_config('DEFAULT/use_deprecated_auth').with_value('false') } - it { should contain_nova_config('DEFAULT/rpc_backend').with_value('nova.openstack.common.rpc.impl_kombu') } + it { should contain_nova_config('DEFAULT/rpc_backend').with_value('nova.openstack.common.rpc.impl_kombu') } it { should contain_nova_config('DEFAULT/rabbit_host').with_value('localhost') } - it { should contain_nova_config('DEFAULT/rabbit_password').with_value('guest') } + it { should contain_nova_config('DEFAULT/rabbit_password').with_value('guest').with_secret(true) } it { should contain_nova_config('DEFAULT/rabbit_port').with_value('5672') } it { should contain_nova_config('DEFAULT/rabbit_hosts').with_value('localhost:5672') } it { should contain_nova_config('DEFAULT/rabbit_ha_queues').with_value('false') } 
@@ -103,7 +103,7 @@ describe 'nova' do it { should contain_package('nova-common').with('ensure' => '2012.1.1-15.el6') } it { should contain_package('python-nova').with('ensure' => '2012.1.1-15.el6') } - it { should contain_nova_config('DEFAULT/sql_connection').with_value('mysql://user:pass@db/db') } + it { should contain_nova_config('DEFAULT/sql_connection').with_value('mysql://user:pass@db/db').with_secret(true) } it { should contain_nova_config('DEFAULT/image_service').with_value('nova.image.local.LocalImageService') } it { should_not contain_nova_config('DEFAULT/glance_api_servers') } @@ -112,7 +112,7 @@ describe 'nova' do it { should_not contain_nova_config('DEFAULT/use_deprecated_auth').with_value(true) } it { should contain_nova_config('DEFAULT/rpc_backend').with_value('nova.openstack.common.rpc.impl_kombu') } it { should contain_nova_config('DEFAULT/rabbit_host').with_value('rabbit') } - it { should contain_nova_config('DEFAULT/rabbit_password').with_value('password') } + it { should contain_nova_config('DEFAULT/rabbit_password').with_value('password').with_secret(true) } it { should contain_nova_config('DEFAULT/rabbit_port').with_value('5673') } it { should contain_nova_config('DEFAULT/rabbit_userid').with_value('rabbit_user') } it { should contain_nova_config('DEFAULT/rabbit_virtual_host').with_value('/') } 
@@ -175,7 +175,7 @@ describe 'nova' do it { should contain_nova_config('DEFAULT/qpid_hostname').with_value('localhost') } it { should contain_nova_config('DEFAULT/qpid_port').with_value('5672') } it { should contain_nova_config('DEFAULT/qpid_username').with_value('guest') } - it { should contain_nova_config('DEFAULT/qpid_password').with_value('guest') } + it { should contain_nova_config('DEFAULT/qpid_password').with_value('guest').with_secret(true) } it { should contain_nova_config('DEFAULT/qpid_reconnect').with_value('true') } it { should contain_nova_config('DEFAULT/qpid_reconnect_timeout').with_value('0') } it { should contain_nova_config('DEFAULT/qpid_reconnect_limit').with_value('0') } diff --git a/spec/classes/nova_network_quantum_spec.rb b/spec/classes/nova_network_quantum_spec.rb index 100b15b6e..2d6cd02dc 100644 --- a/spec/classes/nova_network_quantum_spec.rb +++ b/spec/classes/nova_network_quantum_spec.rb @@ -20,7 +20,7 @@ describe 'nova::network::quantum' do context 'with required parameters' do it 'configures quantum endpoint in nova.conf' do - should contain_nova_config('DEFAULT/quantum_admin_password').with_value(params[:quantum_admin_password]) + should contain_nova_config('DEFAULT/quantum_admin_password').with_value(params[:quantum_admin_password]).with_secret(true) should contain_nova_config('DEFAULT/network_api_class').with_value('nova.network.quantumv2.api.API') should contain_nova_config('DEFAULT/quantum_auth_strategy').with_value(default_params[:quantum_auth_strategy]) should contain_nova_config('DEFAULT/quantum_url').with_value(default_params[:quantum_url]) 
@@ -50,7 +50,7 @@ describe 'nova::network::quantum' do it 'configures quantum endpoint in nova.conf' do should contain_nova_config('DEFAULT/quantum_auth_strategy').with_value(default_params[:quantum_auth_strategy]) - should contain_nova_config('DEFAULT/quantum_admin_password').with_value(params[:quantum_admin_password]) + should contain_nova_config('DEFAULT/quantum_admin_password').with_value(params[:quantum_admin_password]).with_secret(true) should contain_nova_config('DEFAULT/network_api_class').with_value('nova.network.quantumv2.api.API') should contain_nova_config('DEFAULT/quantum_url').with_value(params[:quantum_url]) should contain_nova_config('DEFAULT/quantum_admin_tenant_name').with_value(params[:quantum_admin_tenant_name])