diff --git a/providers/client.rb b/providers/client.rb
index b1f4dc9..d9c02cc 100644
--- a/providers/client.rb
+++ b/providers/client.rb
@@ -14,10 +14,15 @@ action :add do
 auth_set_key(keyname, caps) unless @current_resource.exists
 end
 end
- if get_saved_key_file(@current_resource.filename) != get_new_key_file(@current_resource.keyname)
+ if @current_resource.as_keyring
+ get_new_content = method(:get_new_key_file)
+ else
+ get_new_content = method(:get_new_key)
+ end
+ if get_saved_key_file(@current_resource.filename) != get_new_content.call(keyname)
 converge_by("save ceph auth key to #{filename}") do
 file filename do
- content lazy {get_new_key_file(keyname)}
+ content lazy {get_new_content.call(keyname)}
 owner "root"
 group "root"
 mode "640"
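Review bot: The `file` resource in `action :add` writes key material (now either a keyring or the bare key) and nothing in the visible lines marks that content as sensitive, so on Chef versions that log file diffs the key may show up in run output and reports. If the supported Chef version provides it, add `sensitive true` next to `mode "640"`; the `file` block continues past the end of the hunk, so confirm it is not already set there. Separately, the `if @current_resource.as_keyring ... method(:get_new_key_file) ... method(:get_new_key)` selection is repeated in `load_current_resource`; one small private helper that returns the content for a key name would keep the two call sites from drifting apart.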
@@ -30,15 +35,28 @@ end
 def load_current_resource
 @current_resource = Chef::Resource::CephClient.new(@new_resource.name)
 @current_resource.name(@new_resource.name)
+ @current_resource.as_keyring(@new_resource.as_keyring)
 @current_resource.keyname(@new_resource.keyname || "client.#{current_resource.name}.#{node['hostname']}")
- @current_resource.filename(@new_resource.filename || "/etc/ceph/ceph.client.#{current_resource.name}.#{node['hostname']}.keyring")
 @current_resource.caps(get_caps(@current_resource.keyname))
+ if @current_resource.as_keyring
+ get_new_content = method(:get_new_key_file)
+ @current_resource.filename(@new_resource.filename || "/etc/ceph/ceph.client.#{current_resource.name}.#{node['hostname']}.keyring")
+ else
+ get_new_content = method(:get_new_key)
+ @current_resource.filename(@new_resource.filename || "/etc/ceph/ceph.client.#{current_resource.name}.#{node['hostname']}.secret")
+ end
 if @current_resource.caps == @new_resource.caps and
- get_saved_key_file(@current_resource.filename) == get_new_key_file(@current_resource.keyname)
+ get_saved_key_file(@current_resource.filename) == get_new_content.call(@current_resource.keyname)
 @current_resource.exists = true
 end
 end
+def get_new_key(keyname)
+ cmd = "ceph auth print_key #{keyname}"
+ key = Mixlib::ShellOut.new(cmd).run_command.stdout
+ key
+end
+
 def get_new_key_file(keyname)
 cmd = "ceph auth print_key #{keyname}"
 key = Mixlib::ShellOut.new(cmd).run_command.stdout
diff --git a/resources/client.rb b/resources/client.rb
index d9144f8..c1b2283 100644
--- a/resources/client.rb
+++ b/resources/client.rb
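Review bot: In providers/client.rb, the new `get_new_key` returns the stdout of `ceph auth print_key` without checking the exit status, so a failed call (unknown key name, cluster unreachable) would presumably yield an empty string that is then compared against the saved file and written out as the secret. The command is also built by interpolating `keyname` into a shell string; passing the arguments separately keeps a name derived from attributes or the node's hostname from being parsed by a shell. Something like `so = Mixlib::ShellOut.new('ceph', 'auth', 'print_key', keyname).run_command`, then `so.error!`, then `so.stdout` covers both and drops the redundant `key` local. The existing `get_new_key_file` below uses the same string form, but its body continues outside the hunk.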
@@ -4,12 +4,16 @@ default_action :add
 attribute :name, :kind_of => String, :name_attribute => true
 attribute :caps, :kind_of => Hash, :default => {"mon"=>"allow r", "osd"=>"allow r"}
+# Whether to store the secret in a keyring file or a plain secret file
+attribute :as_keyring, :kind_of => [TrueClass,FalseClass], :default => true
+
 # what the key should be called in the ceph cluster
 # defaults to client.#{name}.#{hostname}
 attribute :keyname, :kind_of => String
 # where the key should be saved
-# defaults to /etc/ceph/ceph.client.#{name}.#{hostname}.keyring
+# defaults to /etc/ceph/ceph.client.#{name}.#{hostname}.keyring if as_keyring
+# defaults to /etc/ceph/ceph.client.#{name}.#{hostname}.secret if not as_keyring
 attribute :filename, :kind_of => String
 attr_accessor :exists
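Review bot: The comment on `as_keyring` does not say what the non-keyring file actually contains, which matters to anyone deciding where that file may be read from. Going by the provider change in this commit, the `.secret` variant holds only the output of `ceph auth print_key`, so I would word it as `# true: write a keyring file; false: write only the bare key (output of "ceph auth print_key")`. It is also worth stating that flipping the flag on an existing node changes the default `filename`. Nothing visible in this commit removes the file written under the old name, so a copy of the key would appear to stay behind.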