diff --git a/ci/environments/scenario001-standalone.yaml b/ci/environments/scenario001-standalone.yaml index 676507aa49..f578df4ff2 100644 --- a/ci/environments/scenario001-standalone.yaml +++ b/ci/environments/scenario001-standalone.yaml @@ -190,3 +190,4 @@ parameter_defaults: osdkey: osdvalue foo: bar NfsUrl: 127.0.0.1 + CephMsgrSecureMode: true diff --git a/deployment/ceph-ansible/ceph-base.yaml b/deployment/ceph-ansible/ceph-base.yaml index 1a3a4a029e..6508631b01 100644 --- a/deployment/ceph-ansible/ceph-base.yaml +++ b/deployment/ceph-ansible/ceph-base.yaml @@ -97,6 +97,12 @@ parameters: description: > The Ceph cluster name must be at least 1 character and contain only letters and numbers. + CephMsgrSecureMode: + type: boolean + default: false + description: > + Enable Ceph msgr2 secure mode to enable on-wire encryption between Ceph + daemons and also between Ceph clients and daemons. CephPoolDefaultPgNum: description: default pg_num to use for the RBD pools type: number @@ -348,6 +354,7 @@ conditions: deprecated_data_pool_pgnum: {not: {equals: [{get_param: ManilaCephFSDataPoolPGNum}, 128]}} deprecated_metadata_pool_pgnum: {not: {equals: [{get_param: ManilaCephFSMetadataPoolPGNum}, 128]}} dashboard_is_enabled: {equals: [{get_param: CephEnableDashboard}, true]} + msgr_secure_mode: {equals: [{get_param: CephMsgrSecureMode}, true]} custom_registry_host: yaql: data: {get_param: ContainerCephDaemonImage} @@ -430,6 +437,17 @@ resources: expression: $.data.rightSplit(':', 1)[1] data: {get_param: ContainerCephDaemonImage} + MsgrSecureModeOverrides: + type: OS::Heat::Value + properties: + type: json + value: + vars: + global: + ms_cluster_mode: secure + ms_service_mode: secure + ms_client_mode: secure + DefaultCephConfigOverrides: type: OS::Heat::Value properties: 
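Review bot: The description of the new `CephMsgrSecureMode` parameter in the ceph-base.yaml parameters hunk says what the flag is for but not what it actually changes or what it requires, which is the information an operator needs before flipping an encryption switch on a running cluster. The hunk later in this diff shows it sets `ms_cluster_mode`, `ms_service_mode` and `ms_client_mode` to `secure` in the `global` section, with no `crc` fallback, so any daemon or client that cannot negotiate msgr2 secure mode is refused; the performance caveat also lives only in the environment file comment, not here. Suggest a description along the lines of `Enable Ceph msgr2 secure mode by setting ms_cluster_mode, ms_service_mode and ms_client_mode to 'secure' in the [global] section, so traffic between Ceph daemons and between clients and daemons is encrypted on the wire. All daemons and clients must support msgr2 secure mode; secure mode can reduce storage performance.` The parameters mapping this sits in begins before the hunk.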
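Review bot: The `MsgrSecureModeOverrides` resource pins only the three generic `ms_*_mode` keys to `secure`; the monitor-specific `ms_mon_cluster_mode`, `ms_mon_service_mode` and `ms_mon_client_mode` are not set, and if their defaults in the Ceph release ceph-ansible deploys here still list `crc` as an accepted mode, connections to and between mons can negotiate down to unencrypted CRC mode while the parameter promises on-wire encryption. Worth confirming against that release and, if so, adding `ms_mon_cluster_mode: secure`, `ms_mon_service_mode: secure` and `ms_mon_client_mode: secure` to the same `global` mapping. Secure mode is also a msgr2 feature only: a daemon that still binds the legacy msgr1 port will accept unencrypted v1 connections regardless of these settings, so a comment stating whether msgr1 is expected to remain enabled would help. Choosing `secure` alone rather than `secure crc` is the right, fallback-free choice for an opt-in encryption flag, but that intent deserves a one-line comment such as `# deliberately no 'crc' fallback: peers that cannot do secure mode are refused`.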
@@ -632,7 +650,15 @@ outputs: ceph_pools: {get_attr: [CephBasePoolVars, value, vars]} manila_pools: {get_attr: [CephManilaPoolVars, value, vars]} ceph_keys: {get_attr: [CephKeyVars, value, vars]} - ceph_default_overrides: {get_attr: [DefaultCephConfigOverrides, value, vars]} + ceph_default_overrides: + if: + - msgr_secure_mode + - yaql: + expression: ($.data.default).mergeWith($.data.secure) + data: + default: {get_attr: [DefaultCephConfigOverrides, value, vars]} + secure: {get_attr: [MsgrSecureModeOverrides, value, vars]} + - {get_attr: [DefaultCephConfigOverrides, value, vars]} ceph_config_overrides: {get_param: CephConfigOverrides} - name: set ceph-ansible facts set_fact: diff --git a/environments/ceph-ansible/ceph-ansible.yaml b/environments/ceph-ansible/ceph-ansible.yaml index 1880b84d49..0e2e400ac8 100644 --- a/environments/ceph-ansible/ceph-ansible.yaml +++ b/environments/ceph-ansible/ceph-ansible.yaml @@ -16,3 +16,10 @@ parameter_defaults: GlanceBackend: rbd ## Uncomment below if enabling legacy telemetry # GnocchiBackend: rbd + + ## Set to enable on-wire encryption + ## Using secure mode can cause a performance degradation with the storage cluster. + ## The severity of the performance degradation can vary depending on several + ## environmental factors. + ## Test the performance impact in a non-production environment before implementing. + # CephMsgrSecureMode: true
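Review bot: `ceph_default_overrides` now carries the secure-mode settings, but `ceph_config_overrides` is still emitted separately from `CephConfigOverrides`, and the order in which the consumer applies the two is not visible in this hunk; if user overrides are layered on top of the defaults, a `global: {ms_client_mode: crc}` in CephConfigOverrides would silently switch encryption off while `CephMsgrSecureMode: true` appears to enforce it. Either merge the secure mapping after the user overrides or document on the parameter that `CephConfigOverrides` must not set `ms_*_mode` when secure mode is enabled. As a style point, the `if` repeats the `DefaultCephConfigOverrides` lookup in both branches; a single `yaql` merge with `secure: {if: [msgr_secure_mode, {get_attr: [MsgrSecureModeOverrides, value, vars]}, {}]}` as the data input gives the same result with one lookup and no duplicated branch. The enclosing `outputs` mapping starts and ends outside the hunk.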
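Review bot: The comment block above `# CephMsgrSecureMode: true` in environments/ceph-ansible/ceph-ansible.yaml warns only about performance; the constraint most likely to cause an outage when the flag is enabled on an existing deployment, namely that every Ceph daemon and every RBD/CephFS client must be able to negotiate msgr2 secure mode because `ms_client_mode: secure` leaves no fallback, is not mentioned. Suggest adding `## Requires msgr2 secure-mode support on all Ceph daemons and clients; peers that cannot negotiate secure mode will fail to connect.` above the performance note. A smaller wording fix: `## Set to enable on-wire encryption` reads better as `## Set to true to enable on-wire encryption between Ceph daemons and clients.`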