diff --git a/ci/environments/scenario002-multinode-containers.yaml b/ci/environments/scenario002-multinode-containers.yaml
index 7082bf854a..64dd8ca941 100644
--- a/ci/environments/scenario002-multinode-containers.yaml
+++ b/ci/environments/scenario002-multinode-containers.yaml
@@ -93,4 +93,5 @@ parameter_defaults:
   ZaqarManagementStore: 'sqlalchemy'
   SwiftCeilometerPipelineEnabled: false
   # For now, we hardcode it but soon it'll be generated in tripleo-common
-  SimpleCryptoKek: dGhpcnR5X3R3b19ieXRlX2tleWJsYWhibGFoYmxhaGg=
+  BarbicanSimpleCryptoKek: dGhpcnR5X3R3b19ieXRlX2tleWJsYWhibGFoYmxhaGg=
+  BarbicanSimpleCryptoGlobalDefault: true
diff --git a/environments/barbican-backend-simple-crypto.yaml b/environments/barbican-backend-simple-crypto.yaml
index e8c3624eb2..1c3d0ffb84 100644
--- a/environments/barbican-backend-simple-crypto.yaml
+++ b/environments/barbican-backend-simple-crypto.yaml
@@ -5,7 +5,10 @@ parameter_defaults:
   # provide an appropriate KEK that barbican will use to encrypt secrets
   # in the database.
   #
-  # SimpleCryptoKek: The Key-Encryption-Key goes here.
+  # BarbicanSimpleCryptoKek: The Key-Encryption-Key goes here.
+  # BarbicanSimpleCryptoGlobalDefault : whether this plugin is the global default
+  #     -- defaults to false
+
 
 resource_registry:
   OS::TripleO::Services::BarbicanBackendSimpleCrypto: ../puppet/services/barbican-backend-simple-crypto.yaml
diff --git a/puppet/services/barbican-backend-simple-crypto.yaml b/puppet/services/barbican-backend-simple-crypto.yaml
index 2337f11dcf..4d032c11ea 100644
--- a/puppet/services/barbican-backend-simple-crypto.yaml
+++ b/puppet/services/barbican-backend-simple-crypto.yaml
@@ -31,10 +31,14 @@ parameters:
     description: Mapping of service endpoint -> protocol. Typically set
                  via parameter_defaults in the resource registry.
     type: json
-  SimpleCryptoKek:
+  BarbicanSimpleCryptoKek:
     description: KEK used to encrypt secrets
     type: string
     hidden: true
+  BarbicanSimpleCryptoGlobalDefault:
+    description: Whether this plugin is the global default plugin
+    type: boolean
+    default: false
 
 outputs:
   role_data:
@@ -42,5 +46,5 @@ outputs:
     value:
       service_name: barbican_backend_simple_crypto
       config_settings:
-        tripleo::profile::base::barbican::backends::simple_crypto_backend_enabled: true
-        barbican::plugins::simple_crypto::simple_crypto_plugin_kek: {get_param: SimpleCryptoKek}
+        barbican::plugins::simple_crypto::simple_crypto_plugin_kek: {get_param: BarbicanSimpleCryptoKek}
+        barbican::plugins::simple_crypto::global_default: {get_param: BarbicanSimpleCryptoGlobalDefault}