diff --git a/releasenotes/notes/Swift-encryption-for-the-undercloud-9d9e62205fc54531.yaml b/releasenotes/notes/Swift-encryption-for-the-undercloud-9d9e62205fc54531.yaml
new file mode 100644
index 000000000..b35b81901
--- /dev/null
+++ b/releasenotes/notes/Swift-encryption-for-the-undercloud-9d9e62205fc54531.yaml
@@ -0,0 +1,6 @@
+---
+features:
+ - |
+ The option `enable_swift_encryption` was added to the containerized
+ undercloud configuration options (undercloud.conf). If enabled, it will
+ deploy Barbican, which will be used to enable Swift Object encryption.
diff --git a/tripleoclient/tests/v1/undercloud/test_undercloud.py b/tripleoclient/tests/v1/undercloud/test_undercloud.py
index 5587db101..18912b0c2 100644
--- a/tripleoclient/tests/v1/undercloud/test_undercloud.py
+++ b/tripleoclient/tests/v1/undercloud/test_undercloud.py
@@ -35,8 +35,8 @@ class TestUndercloudInstall(TestPluginV1):
 def setUp(self):
 super(TestUndercloudInstall, self).setUp()
- conf = self.useFixture(oslo_fixture.Config(cfg.CONF))
- conf.config(container_images_file='/home/stack/foo.yaml')
+ self.conf = self.useFixture(oslo_fixture.Config(cfg.CONF))
+ self.conf.config(container_images_file='/home/stack/foo.yaml')
 # Get the command object to test
 app_args = mock.Mock()
 app_args.verbose_level = 1
@@ -148,6 +148,57 @@ class TestUndercloudInstall(TestPluginV1): 'undercloud.yaml', '-e', '/tmp/undercloud_parameters.yaml', mock.ANY, '--debug']) + @mock.patch('subprocess.check_call', autospec=True) + def test_undercloud_install_with_swift_encryption(self, mock_subprocess): + arglist = ['--use-heat', '--no-validations'] + verifylist = [] + self.conf.set_default('enable_swift_encryption', True) + parsed_args = self.check_parser(self.cmd, arglist, verifylist) + + # DisplayCommandBase.take_action() returns two tuples + self.cmd.take_action(parsed_args) + + mock_subprocess.assert_called_with( + ['sudo', 'openstack', 'undercloud', + 'deploy', '--local-domain=localdomain', + '--local-ip=192.168.24.1/24', + '--templates=/usr/share/openstack-tripleo-heat-templates/', + '--heat-native', '-e', '/home/stack/foo.yaml', '-e', + '/usr/share/openstack-tripleo-heat-templates/environments/' + 'services/ironic.yaml', + '-e', + '/usr/share/openstack-tripleo-heat-templates/environments/' + 'services/ironic-inspector.yaml', '-e', + '/usr/share/openstack-tripleo-heat-templates/environments/' + 'services/mistral.yaml', '-e', + '/usr/share/openstack-tripleo-heat-templates/environments/' + 'services/zaqar.yaml', '-e', + '/usr/share/openstack-tripleo-heat-templates/environments/' + 'services/tripleo-ui.yaml', '-e', + '/usr/share/openstack-tripleo-heat-templates/environments/' + 'services/barbican.yaml', '-e', + '/usr/share/openstack-tripleo-heat-templates/environments/' + 'barbican-backend-simple-crypto.yaml', '-e', + '/usr/share/openstack-tripleo-heat-templates/environments/' + 'public-tls-undercloud.yaml', + '--public-virtual-ip', '192.168.24.2', + '--control-virtual-ip', '192.168.24.3', '-e', + '/usr/share/openstack-tripleo-heat-templates/environments/' + 'tls-endpoints-public-ip.yaml', '-e', + '/usr/share/openstack-tripleo-heat-templates/environments/' + 'use-dns-for-vips.yaml', '-e', + '/usr/share/openstack-tripleo-heat-templates/environments/' + 'services/undercloud-haproxy.yaml', 
'-e', + '/usr/share/openstack-tripleo-heat-templates/environments/' + 'services/undercloud-keepalived.yaml', '-e', + '/usr/share/openstack-tripleo-heat-templates/environments/' + 'docker.yaml', '-e', + '/usr/share/openstack-tripleo-heat-templates/environments/' + 'config-download-environment.yaml', '-e', + '/usr/share/openstack-tripleo-heat-templates/environments/' + 'undercloud.yaml', '-e', '/tmp/undercloud_parameters.yaml', + mock.ANY]) + class TestUndercloudUpgrade(TestPluginV1): def setUp(self): diff --git a/tripleoclient/v1/undercloud_config.py b/tripleoclient/v1/undercloud_config.py index e59592019..28d3da2b1 100644 --- a/tripleoclient/v1/undercloud_config.py +++ b/tripleoclient/v1/undercloud_config.py @@ -395,6 +395,9 @@ _opts = [ cfg.BoolOpt('enable_routed_networks', default=False, help=('Enable support for routed ctlplane networks.')), + cfg.BoolOpt('enable_swift_encryption', + default=False, + help=('Whether to enable Swift encryption at-rest or not.')), ] # Routed subnets @@ -724,6 +727,17 @@ def prepare_undercloud_deploy(upgrade=False, no_validations=False, tht_templates, "environments/services/undercloud-cinder.yaml")] + if CONF.get('enable_swift_encryption'): + deploy_args += [ + '-e', os.path.join(tht_templates, + "environments/services/barbican.yaml"), + '-e', os.path.join( + tht_templates, + "environments/barbican-backend-simple-crypto.yaml") + ] + env_data['BarbicanSimpleCryptoGlobalDefault'] = True + env_data['SwiftEncryptionEnabled'] = True + if CONF.get('generate_service_certificate'): deploy_args += ['-e', os.path.join( tht_templates,
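Review bot: test_undercloud_install_with_swift_encryption asserts only the `-e` environment files on the command line; the two heat parameters the same commit sets in prepare_undercloud_deploy, `BarbicanSimpleCryptoGlobalDefault` and `SwiftEncryptionEnabled`, are never checked. A regression that drops `SwiftEncryptionEnabled` would presumably still deploy Barbican while leaving objects unencrypted, and this test would keep passing, so it is worth also asserting on the parameters written to the generated environment (the file passed as `/tmp/undercloud_parameters.yaml`). The copied comment `# DisplayCommandBase.take_action() returns two tuples` does not describe this call, whose return value is discarded, and can be dropped.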
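Review bot: The help string for `enable_swift_encryption` does not tell the operator that turning the option on deploys an extra service, Barbican, with the simple-crypto backend; that is only visible in prepare_undercloud_deploy and, in part, in the release note. I would state it where the operator reads it, e.g. `help=('Whether to enable Swift encryption at-rest or not. Enabling it deploys Barbican (simple-crypto backend), which Swift uses for object encryption.')`. The `_opts` list starts outside this hunk.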
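Review bot: The new `enable_swift_encryption` branch hard-wires `barbican-backend-simple-crypto.yaml` and sets `BarbicanSimpleCryptoGlobalDefault`, with no comment on what that backend choice protects. With Barbican's simple-crypto plugin the key-encryption key is kept in Barbican's own configuration, so on an undercloud it presumably sits on the same host as the Swift data: the encryption helps for disks that are removed or discarded, not for a compromised node. A comment above the branch would record that, e.g. `# simple-crypto keeps the KEK on this host: protects data on disks that leave the node, not against a compromised undercloud`. prepare_undercloud_deploy starts and continues outside the hunk.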