diff --git a/deployment/barbican/barbican-api-container-puppet.yaml b/deployment/barbican/barbican-api-container-puppet.yaml
index d44a8bf7cb..5660da313a 100644
--- a/deployment/barbican/barbican-api-container-puppet.yaml
+++ b/deployment/barbican/barbican-api-container-puppet.yaml
@@ -48,6 +48,9 @@ parameters:
 BarbicanPkcs11CryptoATOSEnabled:
 type: boolean
 default: false
+ BarbicanPkcs11CryptoLunasaEnabled:
+ type: boolean
+ default: false
 BarbicanPkcs11CryptoThalesEnabled:
 type: boolean
 default: false
@@ -101,6 +104,11 @@ parameters:
 description: Hash of atos-hsm role variables used to
 install ATOS client software.
 type: json
+ LunasaVars:
+ default: {}
+ description: Hash of lunasa-hsm role variables used to
+ install Lunasa client software.
+ type: json
 BarbicanPassword:
 description: The password for the barbican service account.
 type: string
@@ -144,14 +152,16 @@ parameters:
 perform configuration on a Heat stack-update.
 conditions:
- service_debug_unset: {equals : [{get_param: BarbicanDebug}, '']}
+ service_debug_unset: {equals : [{get_param: BarbicanDebug}, '']}
 internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
 thales_hsm_enabled: {equals: [{get_param: BarbicanPkcs11CryptoThalesEnabled}, true]}
 atos_hsm_enabled: {equals: [{get_param: BarbicanPkcs11CryptoATOSEnabled}, true]}
- thales_or_atos_hsm_enabled:
+ lunasa_hsm_enabled: {equals: [{get_param: BarbicanPkcs11CryptoLunasaEnabled}, true]}
+ thales_or_atos_or_lunasa_hsm_enabled:
 or:
 - thales_hsm_enabled
 - atos_hsm_enabled
+ - lunasa_hsm_enabled
 pkcs11_plugin_enabled: {equals: [{get_param: BarbicanPkcs11CryptoEnabled}, true]}
 pkcs11_rewrap_pkeks: {equals: [{get_param: BarbicanPkcs11CryptoRewrapKeys}, true]}
@@ -398,7 +408,7 @@ outputs:
 - null
 deploy_steps_tasks:
 if:
- thales_or_atos_hsm_enabled
+ thales_or_atos_or_lunasa_hsm_enabled
 - list_concat:
 - if:
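Review bot: The new `LunasaVars` parameter in the `@@ -101` hunk is declared as `type: json` without `hidden: true`, yet the companion environment file documents `admin_password` and `lunasa_partition_password` as keys of this hash, so Heat will echo the HSM admin credentials and partition PIN back to anyone who can run a stack/parameter listing. Add `hidden: true` after `type: json` — it is the attribute Heat provides for exactly this case and does not change how the value is consumed by the deploy tasks. The visible `ATOSVars` description block right above has the same shape; if it carries the same kind of material it deserves the same fix, though its parameter line is outside this hunk.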
@@ -433,6 +443,27 @@ outputs:
 vars:
 {get_param: ATOSVars}
 - null
+ -
+ if:
+ - lunasa_hsm_enabled
+ -
+ - name: Lunasa client install
+ when: step|int == 2
+ block:
+ - name: install the lunasa client
+ include_role:
+ name: lunasa_hsm
+ vars:
+ {get_param: LunasaVars}
+ - name: set the slot id in hieradata
+ include_role:
+ name: tripleo_hieradata
+ tasks_from: ansible_hieradata.yml
+ vars:
+ hieradata_ansible_data:
+ barbican::plugins::p11_crypto::p11_crypto_plugin_slot_id: "{{ lunasa_ha_slot }}"
+ when: lunasa_ha_slot
+ - null
 - null
 docker_config:
 # db sync runs before permissions set by kolla_config
@@ -481,6 +512,14 @@ outputs:
 - /etc/proteccio:/etc/proteccio
 - /usr/lib64/libnethsm.so:/usr/lib64/libnethsm.so
 - null
+ -
+ if:
+ - lunasa_hsm_enabled
+ -
+ - /etc/Chrystoki.conf:/etc/Chrystoki.conf
+ - /usr/lib/libCryptoki2_64.so:/usr/lib/libCryptoki2_64.so
+ - /usr/safenet/lunaclient:/usr/safenet/lunaclient
+ - null
 environment:
 # NOTE: this should force this container to re-run on each
 # update (scale-out, etc.)
@@ -671,6 +710,14 @@ outputs:
 - /etc/proteccio:/etc/proteccio
 - /usr/lib64/libnethsm.so:/usr/lib64/libnethsm.so
 - null
+ -
+ if:
+ - lunasa_hsm_enabled
+ -
+ - /etc/Chrystoki.conf:/etc/Chrystoki.conf
+ - /usr/lib/libCryptoki2_64.so:/usr/lib/libCryptoki2_64.so
+ - /usr/safenet/lunaclient:/usr/safenet/lunaclient
+ - null
 environment: &kolla_env
 KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
 - barbican_keystone_listener:
@@ -718,6 +765,14 @@ outputs:
 - /etc/proteccio:/etc/proteccio
 - /usr/lib64/libnethsm.so:/usr/lib64/libnethsm.so
 - null
+ -
+ if:
+ - lunasa_hsm_enabled
+ -
+ - /etc/Chrystoki.conf:/etc/Chrystoki.conf
+ - /usr/lib/libCryptoki2_64.so:/usr/lib/libCryptoki2_64.so
+ - /usr/safenet/lunaclient:/usr/safenet/lunaclient
+ - null
 environment: *kolla_env
 host_prep_tasks:
 list_concat:
diff --git a/environments/barbican-backend-pkcs11-lunasa.yaml b/environments/barbican-backend-pkcs11-lunasa.yaml
new file mode 100644
index 0000000000..62b93183a5
--- /dev/null
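Review bot: `when: lunasa_ha_slot` on the `set the slot id in hieradata` task will abort the deploy with an undefined-variable error whenever the `lunasa_hsm` role has not set `lunasa_ha_slot`, which the environment file says is the non-HA case, because Ansible fails the conditional before it gets to the truth test; guard it with `when: lunasa_ha_slot is defined and lunasa_ha_slot`. If the role unconditionally sets that fact the guard is harmless, but nothing in this hunk shows it does. Separately, `vars: {get_param: LunasaVars}` hands the HSM admin password and partition password to the role as ordinary task variables, so the role's tasks that consume them need `no_log: true` or they will land in the deploy log — that is outside this template, but worth confirming before shipping.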
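Review bot: The three bind mounts added in the `@@ -481` hunk — `/etc/Chrystoki.conf`, `/usr/lib/libCryptoki2_64.so` and `/usr/safenet/lunaclient` — are read-write, so a compromised barbican-api process could replace the PKCS#11 library it loads or rewrite the client configuration and NTLS certificate material on the host. Unless the Luna client has to write into that tree at runtime (not visible here — confirm against the role), mount them read-only, e.g. `- /usr/lib/libCryptoki2_64.so:/usr/lib/libCryptoki2_64.so:ro`. The pre-existing `/etc/proteccio` and `libnethsm.so` mounts in the context lines are read-write too, so this may be following the file's convention, but the shared-library mount in particular should not be writable by the container.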
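Review bot: The `@@ -718` hunk is the third verbatim copy of the Lunasa `if:` volume block inside `docker_config` (the others are at `@@ -481` and `@@ -671`), so any later change to the mount list has to be repeated in three places and they will drift. The file already relies on a YAML anchor for `environment: &kolla_env` / `*kolla_env`; the same technique fits here — anchor the first list entry as `- &lunasa_volumes` and reuse it with `- *lunasa_volumes` in the other two containers. Anchors are resolved when the template is loaded, so the rendered Heat output should be unchanged; verify with a template render before relying on it.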
+++ b/environments/barbican-backend-pkcs11-lunasa.yaml 
@@ -0,0 +1,41 @@
+# A Heat environment file to enable the barbican PKCS11 crypto backend with
+# a Lunasa HSM.
+# Note that barbican needs to be enabled in order to use this.
+parameter_defaults:
+ # In order to use this backend, you need to uncomment these values and
+ # provide the appropriate values.
+ #
+ # BarbicanPkcs11CryptoLogin: Password (PIN) to login to PKCS11 session
+ # BarbicanPkcs11CryptoSlotId: Slot Id for the HSM. Note that this parameter is only
+ # strictly required when setting up the Lunasa client in non-HA mode. In HA
+ # mode, whatever value is placed here will be overridden by the dynamically generated
+ # slot for the HA group created on the client.
+ # BarbicanPkcs11CryptoGlobalDefault: Whether this plugin is the global default plugin
+ BarbicanPkcs11CryptoLibraryPath: '/usr/lib/libCryptoki2_64.so'
+ BarbicanPkcs11CryptoEncryptionMechanism: 'CKM_AES_CBC'
+ BarbicanPkcs11CryptoHMACKeyType: 'CKK_AES'
+ BarbicanPkcs11CryptoHMACKeygenMechanism: 'CKM_AES_KEY_GEN'
+ BarbicanPkcs11CryptoMKEKLabel: 'barbican_mkek_0'
+ BarbicanPkcs11CryptoMKEKLength: '32'
+ BarbicanPkcs11CryptoHMACLabel: 'barbican_hmac_0'
+ BarbicanPkcs11CryptoLunasaEnabled: true
+ BarbicanPkcs11CryptoEnabled: true
+ BarbicanPkcs11AlwaysSetCkaSensitive: true
+ LunasaVars:
+ # lunasa_client_tarball_location: URI where the CipherTools tarball can be downloaded.
+ # lunasa_client_tarball_name: Filename for the CipherTools tarball.
+ # lunasa_client_installer_path: path to install.sh in the tarball.
+ # lunasa_hsms: A list of HSMs with the following format:
+ # lunasa_hsms:
+ # - name: Name of the HSM
+ # hostname: Hostname for the HSM
+ # admin_password: admin password for the HSM
+ # partition: HSM partition for this client to be assigned
+ # partition_serial: serial number for the partition
+ # client_ip: IP for the client - TODO: figure out how to pass this correctly
+ # lunasa_ha_label: HA group label Required only for HA mode. This will trigger the
+ # installer to create an HA group comprising of the HSMs in lunasa_hsms.
+ # lunasa_partition_password: PKCS#11 password for the partitition
+resource_registry:
+ OS::TripleO::Services::BarbicanBackendPkcs11Crypto: ../deployment/barbican/barbican-backend-pkcs11-crypto-puppet.yaml
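Review bot: The `LunasaVars` comment block instructs deployers to fill in `admin_password`, `lunasa_partition_password` and `BarbicanPkcs11CryptoLogin` in this file but never says these are secrets, so the likely outcome is HSM admin credentials and the partition PIN committed with the rest of the deployment environment; add a line such as `# The password values below are secrets: keep them in a separate environment file that is not stored in version control.` The `client_ip` entry ships a developer note (`TODO: figure out how to pass this correctly`) as user-facing guidance — either state what the deployer should put there or leave the key out until it works. Minor: `partitition` in the last `LunasaVars` comment is a typo for `partition`, and the header's "uncomment these values" does not match the block below it, which lists the three parameters as descriptions rather than commented-out settings a user could uncomment.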