diff --git a/tripleoclient/tests/v1/tripleo/test_tripleo_deploy.py b/tripleoclient/tests/v1/tripleo/test_tripleo_deploy.py
index 3bf2a5b2f..b4b1a226b 100644
--- a/tripleoclient/tests/v1/tripleo/test_tripleo_deploy.py
+++ b/tripleoclient/tests/v1/tripleo/test_tripleo_deploy.py
@@ -140,7 +140,10 @@ class TestDeployUndercloud(TestPluginV1):
             self.temp_homedir, 'tripleo-undercloud-passwords.yaml')
 
         mock_pw.return_value = pw_dict
-        mock_exists.return_value = True
+
+        def mock_file_exists(file_name):
+            return not file_name.startswith('/etc/keystone')
+        mock_exists.side_effect = mock_file_exists
         with open(t_pw_conf_path, 'w') as t_pw:
             t_pw.write('parameter_defaults: {ExistingKey: xyz}\n')
 
diff --git a/tripleoclient/v1/tripleo_deploy.py b/tripleoclient/v1/tripleo_deploy.py
index 311139ab1..0029cc06d 100644
--- a/tripleoclient/v1/tripleo_deploy.py
+++ b/tripleoclient/v1/tripleo_deploy.py
@@ -306,6 +306,33 @@ class Deploy(command.Command):
             with open(pw_file) as pf:
                 stack_env = yaml.safe_load(pf.read())
 
+        # Get the keystone keys before upgrade
+        keystone_fernet_repo = '/etc/keystone/fernet-keys/'
+        keystone_credential_repo = '/etc/keystone/credential-keys/'
+        self._set_data_rights('/etc/keystone', user=user)
+
+        for key_index in range(0, 2):
+            file_name = keystone_credential_repo + str(key_index)
+            key = 'KeystoneCredential' + str(key_index)
+            if os.path.exists(file_name):
+                with open(file_name, 'r') as file_content:
+                    content = file_content.read()
+                    legacy_env[key] = content
+
+        fernet_keys = {}
+        file_count = 0
+        if os.path.exists(keystone_fernet_repo):
+            file_count = len(os.listdir(keystone_fernet_repo))
+
+        for key_index in range(0, file_count):
+            file_name = keystone_fernet_repo + str(key_index)
+            if os.path.exists(file_name):
+                with open(file_name, 'r') as file_content:
+                    content = file_content.read()
+                    fernet_keys[file_name] = {'content': content}
+        if fernet_keys:
+            legacy_env['KeystoneFernetKeys'] = fernet_keys
+
         pw = password_utils.generate_passwords(stack_env=stack_env)
         stack_env['parameter_defaults'].update(pw)
         # Override what has been generated by tripleo-common with old passwords