diff --git a/sahara/plugins/cdh/abstractversionhandler.py b/sahara/plugins/cdh/abstractversionhandler.py index 5ba3cb36a1..7bff14ca94 100644 --- a/sahara/plugins/cdh/abstractversionhandler.py +++ b/sahara/plugins/cdh/abstractversionhandler.py @@ -17,6 +17,8 @@ import abc import six +from sahara.plugins.cdh import db_helper as dh + @six.add_metaclass(abc.ABCMeta) class AbstractVersionHandler(object): @@ -70,4 +72,4 @@ class AbstractVersionHandler(object): return def on_terminate_cluster(self, cluster): - pass + dh.delete_passwords_from_keymanager(cluster) diff --git a/sahara/plugins/cdh/db_helper.py b/sahara/plugins/cdh/db_helper.py index 4c85f846e8..3cb81af376 100644 --- a/sahara/plugins/cdh/db_helper.py +++ b/sahara/plugins/cdh/db_helper.py 
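Review bot: `on_terminate_cluster` now calls `dh.delete_passwords_from_keymanager(cluster)` with no error handling, so an exception from the conductor lookup or from `key_manager.delete_key` would propagate into cluster termination. Whether the caller tolerates that is not visible in this hunk. The helper, added in `sahara/plugins/cdh/db_helper.py` in this commit, deletes the three secrets in sequence, so a failure on the first would leave the other two in the key manager. Consider making the cleanup best-effort per secret with failures logged, and give the hook a docstring such as `"""Remove this cluster's stored passwords from the key manager."""`. The class body continues outside the hunk.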
@@ -19,26 +19,70 @@ import six from sahara import conductor from sahara import context +from sahara.service.castellan import utils as key_manager + +CM_PASSWORD = 'cm_password' +HIVE_DB_PASSWORD = 'hive_db_password' +SENTRY_DB_PASSWORD = 'sentry_db_password' conductor = conductor.API +def delete_password_from_keymanager(cluster, pwname): + """delete the named password from the key manager + + This function will lookup the named password in the cluster entry + and delete it from the key manager. + + :param cluster: The cluster record containing the password + :param pwname: The name associated with the password + """ + ctx = context.ctx() + cluster = conductor.cluster_get(ctx, cluster.id) + key_id = cluster.extra.get(pwname) if cluster.extra else None + if key_id is not None: + key_manager.delete_key(key_id, ctx) + + +def delete_passwords_from_keymanager(cluster): + """delete all passwords associated with a cluster + + This function will remove all passwords stored in a cluster database + entry from the key manager. + + :param cluster: The cluster record containing the passwords + """ + delete_password_from_keymanager(cluster, CM_PASSWORD) + delete_password_from_keymanager(cluster, HIVE_DB_PASSWORD) + delete_password_from_keymanager(cluster, SENTRY_DB_PASSWORD) + + def get_password_from_db(cluster, pwname): + """return a password for the named entry + + This function will return, or create and return, a password for the + named entry. It will store the password in the key manager and use + the ID in the database entry. 
+ + :param cluster: The cluster record containing the password + :param pwname: The entry name associated with the password + :returns: The cleartext password + """ ctx = context.ctx() cluster = conductor.cluster_get(ctx, cluster.id) passwd = cluster.extra.get(pwname) if cluster.extra else None if passwd: - return passwd + return key_manager.get_secret(passwd, ctx) passwd = six.text_type(uuid.uuid4()) extra = cluster.extra.to_dict() if cluster.extra else {} - extra[pwname] = passwd + extra[pwname] = key_manager.store_secret(passwd, ctx) cluster = conductor.cluster_update(ctx, cluster, {'extra': extra}) return passwd def get_cm_password(cluster): - return get_password_from_db(cluster, 'cm_password') + return get_password_from_db(cluster, CM_PASSWORD) def remote_execute_db_script(remote, script_content): diff --git a/sahara/plugins/cdh/v5/db_helper.py b/sahara/plugins/cdh/v5/db_helper.py index d66a3652f8..c892fd7f7f 100644 --- a/sahara/plugins/cdh/v5/db_helper.py +++ b/sahara/plugins/cdh/v5/db_helper.py @@ -18,7 +18,7 @@ from sahara.utils import files def get_hive_db_password(cluster): - return dh.get_password_from_db(cluster, 'hive_db_password') + return dh.get_password_from_db(cluster, dh.HIVE_DB_PASSWORD) def create_hive_database(cluster, remote): diff --git a/sahara/plugins/cdh/v5_3_0/db_helper.py b/sahara/plugins/cdh/v5_3_0/db_helper.py index c4bfccf746..e867dc22af 100644 --- a/sahara/plugins/cdh/v5_3_0/db_helper.py +++ b/sahara/plugins/cdh/v5_3_0/db_helper.py @@ -18,11 +18,11 @@ from sahara.utils import files def get_hive_db_password(cluster): - return dh.get_password_from_db(cluster, 'hive_db_password') + return dh.get_password_from_db(cluster, dh.HIVE_DB_PASSWORD) def get_sentry_db_password(cluster): - return dh.get_password_from_db(cluster, 'sentry_db_password') + return dh.get_password_from_db(cluster, dh.SENTRY_DB_PASSWORD) def create_hive_database(cluster, remote): 
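Review bot: `get_password_from_db` now treats any existing `cluster.extra[pwname]` value as a key-manager ID, but a cluster created before this change holds the cleartext password under that same key, so `key_manager.get_secret(passwd, ctx)` and later `key_manager.delete_key(key_id, ctx)` would receive a password as the identifier. How the castellan helpers handle such a value is not visible in this diff; if they forward it to an external key manager, the lookup may fail and the password could end up in request paths or logs, so the upgrade path needs either a migration or an explicit statement that it is safe. `delete_password_from_keymanager` also leaves the deleted ID in `cluster.extra`, so a later `get_password_from_db` call for that cluster would look up a secret that no longer exists. A comment such as `# only call during cluster termination: extra[pwname] is left pointing at the deleted key` would make that constraint explicit.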
diff --git a/sahara/plugins/cdh/v5_4_0/db_helper.py b/sahara/plugins/cdh/v5_4_0/db_helper.py index e430609666..8a2511ffaf 100644 --- a/sahara/plugins/cdh/v5_4_0/db_helper.py +++ b/sahara/plugins/cdh/v5_4_0/db_helper.py @@ -18,11 +18,11 @@ from sahara.utils import files def get_hive_db_password(cluster): - return dh.get_password_from_db(cluster, 'hive_db_password') + return dh.get_password_from_db(cluster, dh.HIVE_DB_PASSWORD) def get_sentry_db_password(cluster): - return dh.get_password_from_db(cluster, 'sentry_db_password') + return dh.get_password_from_db(cluster, dh.SENTRY_DB_PASSWORD) def create_hive_database(cluster, remote):