diff --git a/manifests/certificates.pp b/manifests/certificates.pp
index 58675431..3d56dc5b 100644
--- a/manifests/certificates.pp
+++ b/manifests/certificates.pp
@@ -131,8 +131,8 @@ class octavia::certificates (
     'certificates/endpoint_type'               : value => $endpoint_type;
     'certificates/ca_certificate'              : value => $ca_certificate;
     'certificates/ca_private_key'              : value => $ca_private_key;
-    'certificates/server_certs_key_passphrase' : value => $server_certs_key_passphrase;
-    'certificates/ca_private_key_passphrase'   : value => $ca_private_key_passphrase;
+    'certificates/server_certs_key_passphrase' : value => $server_certs_key_passphrase, secret => true;
+    'certificates/ca_private_key_passphrase'   : value => $ca_private_key_passphrase, secret => true;
     'certificates/signing_digest'              : value => $signing_digest;
     'certificates/cert_validity_time'          : value => $cert_validity_time;
     'controller_worker/client_ca'              : value => $client_ca_real;
diff --git a/spec/classes/octavia_certificates_spec.rb b/spec/classes/octavia_certificates_spec.rb
index f9bc0ccf..da8478d0 100644
--- a/spec/classes/octavia_certificates_spec.rb
+++ b/spec/classes/octavia_certificates_spec.rb
@@ -14,7 +14,8 @@ describe 'octavia::certificates' do
         is_expected.to contain_octavia_config('certificates/endpoint_type').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_octavia_config('certificates/ca_certificate').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_octavia_config('certificates/ca_private_key').with_value('<SERVICE DEFAULT>')
-        is_expected.to contain_octavia_config('certificates/ca_private_key_passphrase').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_octavia_config('certificates/server_certs_key_passphrase').with_value('insecure-key-do-not-use-this-key').with_secret(true)
+        is_expected.to contain_octavia_config('certificates/ca_private_key_passphrase').with_value('<SERVICE DEFAULT>').with_secret(true)
         is_expected.to contain_octavia_config('certificates/signing_digest').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_octavia_config('certificates/cert_validity_time').with_value('<SERVICE DEFAULT>')
       end
@@ -55,8 +56,8 @@ describe 'octavia::certificates' do
         is_expected.to contain_octavia_config('certificates/endpoint_type').with_value('internalURL')
         is_expected.to contain_octavia_config('certificates/ca_certificate').with_value('/etc/octavia/ca.pem')
         is_expected.to contain_octavia_config('certificates/ca_private_key').with_value('/etc/octavia/key.pem')
-        is_expected.to contain_octavia_config('certificates/server_certs_key_passphrase').with_value('insecure-key-do-not-use-this-key')
-        is_expected.to contain_octavia_config('certificates/ca_private_key_passphrase').with_value('secure123')
+        is_expected.to contain_octavia_config('certificates/server_certs_key_passphrase').with_value('insecure-key-do-not-use-this-key').with_secret(true)
+        is_expected.to contain_octavia_config('certificates/ca_private_key_passphrase').with_value('secure123').with_secret(true)
         is_expected.to contain_octavia_config('certificates/signing_digest').with_value('sha256')
         is_expected.to contain_octavia_config('certificates/cert_validity_time').with_value(2592000)
       end