diff --git a/manifests/keymaster.pp b/manifests/keymaster.pp
index a6e7b229..1b109855 100644
--- a/manifests/keymaster.pp
+++ b/manifests/keymaster.pp
@@ -56,6 +56,10 @@
 #   id may also be specified.
 #   Defaults to 'default' (note the capitalization).
 #
+# [*meta_version_to_write*]
+#   (Optional) Int. The version of crypto metadata to write.
+#   Defaults to 1.
+#
 # == Dependencies
 #
 # None
@@ -65,17 +69,18 @@
 #   Thiago da Silva thiago@redhat.com
 #
 class swift::keymaster(
-  $api_class           = 'barbican',
-  $key_id              = undef,
-  $username            = 'swift',
-  $password            = undef,
-  $project_name        = 'services',
-  $project_id          = undef,
-  $auth_endpoint       = undef,
-  $project_domain_name = undef,
-  $user_domain_name    = undef,
-  $project_domain_id   = 'default',
-  $user_domain_id      = 'default',
+  $api_class             = 'barbican',
+  $key_id                = undef,
+  $username              = 'swift',
+  $password              = undef,
+  $project_name          = 'services',
+  $project_id            = undef,
+  $auth_endpoint         = undef,
+  $project_domain_name   = undef,
+  $user_domain_name      = undef,
+  $project_domain_id     = 'default',
+  $user_domain_id        = 'default',
+  $meta_version_to_write = 1,
 ) {
 
   include swift::deps
@@ -85,17 +90,18 @@ class swift::keymaster(
   }
 
   swift_keymaster_config {
-    'kms_keymaster/api_class':           value => $api_class;
-    'kms_keymaster/key_id':              value => $key_id;
-    'kms_keymaster/username':            value => $username;
-    'kms_keymaster/password':            value => $password, secret => true;
-    'kms_keymaster/project_name':        value => $project_name;
-    'kms_keymaster/project_id':          value => $project_id;
-    'kms_keymaster/auth_endpoint':       value => $auth_endpoint;
-    'kms_keymaster/project_domain_name': value => $project_domain_name;
-    'kms_keymaster/user_domain_name':    value => $user_domain_name;
-    'kms_keymaster/project_domain_id':   value => $project_domain_id;
-    'kms_keymaster/user_domain_id':      value => $user_domain_id;
+    'kms_keymaster/api_class':             value => $api_class;
+    'kms_keymaster/key_id':                value => $key_id;
+    'kms_keymaster/username':              value => $username;
+    'kms_keymaster/password':              value => $password, secret => true;
+    'kms_keymaster/project_name':          value => $project_name;
+    'kms_keymaster/project_id':            value => $project_id;
+    'kms_keymaster/auth_endpoint':         value => $auth_endpoint;
+    'kms_keymaster/project_domain_name':   value => $project_domain_name;
+    'kms_keymaster/user_domain_name':      value => $user_domain_name;
+    'kms_keymaster/project_domain_id':     value => $project_domain_id;
+    'kms_keymaster/user_domain_id':        value => $user_domain_id;
+    'kms_keymaster/meta_version_to_write': value => $meta_version_to_write;
   }
 }
 
diff --git a/releasenotes/notes/meta_version_to_write-5644a0ce81936572.yaml b/releasenotes/notes/meta_version_to_write-5644a0ce81936572.yaml
new file mode 100644
index 00000000..ff19caa8
--- /dev/null
+++ b/releasenotes/notes/meta_version_to_write-5644a0ce81936572.yaml
@@ -0,0 +1,14 @@
+---
+features:
+  - |
+    Added a new meta_version_to_write for the keymaster config.
+upgrade:
+  - |
+    When upgrading from Swift 2.20.0 or Swift 2.19.1 or earlier, set
+    meta_version_to_write to 1. When upgrading from 2.25.0 or earlier, set
+    meta_version_to_write to 2. After upgrading all proxy servers, set this to
+    3 (currently the highest version).
+critical:
+  - |
+    Failing to set the correct version of meta_version_to_write can lead to
+    unrecoverable data.
diff --git a/spec/classes/swift_keymaster.rb b/spec/classes/swift_keymaster.rb
index 5592281a..8b8aa5d3 100644
--- a/spec/classes/swift_keymaster.rb
+++ b/spec/classes/swift_keymaster.rb
@@ -8,6 +8,7 @@ describe 'swift::keymaster' do
       it { is_expected.to contain_swift_keymaster_config('kms_keymaster/project_name').with_value('services') }
       it { is_expected.to contain_swift_keymaster_config('kms_keymaster/project_domain_id').with_value('default') }
       it { is_expected.to contain_swift_keymaster_config('kms_keymaster/user_domain_id').with_value('default') }
+      it { is_expected.to contain_swift_keymaster_config('kms_keymaster/meta_version_to_write').with_value('1') }
     end
 
     describe "when overriding default parameters" do
@@ -17,6 +18,7 @@ describe 'swift::keymaster' do
           :password => 'fake_password',
           :auth_endpoint => 'http://127.0.0.1:5000',
           :project_name => 'barbican_swift_service',
+          :meta_version_to_write => 3,
         }
       end
 
@@ -24,6 +26,7 @@ describe 'swift::keymaster' do
       it { is_expected.to contain_swift_keymaster_config('kms_keymaster/password').with_value('fake_password').with_secret(true) }
       it { is_expected.to contain_swift_keymaster_config('kms_keymaster/auth_endpoint').with_value('http://127.0.0.1:5000') }
       it { is_expected.to contain_swift_keymaster_config('kms_keymaster/project_name').with_value('barbican_swift_service') }
+      it { is_expected.to contain_swift_keymaster_config('kms_keymaster/meta_version_to_write').with_value('3') }
     end
   end