diff --git a/ansible/compute-libvirt-host.yml b/ansible/compute-libvirt-host.yml
index 7e5501938f34a5e7aa0600b9bb6cdf5efe2e984c..9b3900c22078d44e890c494c613dc3c9f34fa351 100644
--- a/ansible/compute-libvirt-host.yml
+++ b/ansible/compute-libvirt-host.yml
@@ -20,6 +20,9 @@
       vars:
         libvirt_host_libvirtd_conf: "{{ compute_libvirt_conf }}"
         libvirt_host_qemu_conf: "{{ compute_qemu_conf }}"
+        libvirt_host_enable_sasl_support: "{{ compute_libvirt_enable_sasl | bool }}"
+        libvirt_host_sasl_authname: nova
+        libvirt_host_sasl_password: "{{ compute_libvirt_sasl_password }}"
         libvirt_host_tcp_listen: "{{ not compute_libvirt_enable_tls | bool }}"
         libvirt_host_tcp_listen_address: "{{ internal_net_name | net_ip }}:16509"
         libvirt_host_tls_listen: "{{ compute_libvirt_enable_tls | bool }}"
diff --git a/ansible/group_vars/all/compute b/ansible/group_vars/all/compute
index b8b1e8161006950670bcf66bd53538027cbdcf77..d07d6d211be2f5c2e649befaaaba4c4355604a6c 100644
--- a/ansible/group_vars/all/compute
+++ b/ansible/group_vars/all/compute
@@ -172,7 +172,8 @@ compute_libvirt_enabled: "{{ kolla_enable_nova | bool and not kolla_enable_nova_
 # A dict of default configuration options to write to
 # /etc/libvirt/libvirtd.conf.
 compute_libvirt_conf_default:
-  auth_tcp: "none"
+  auth_tcp: "{{ 'sasl' if compute_libvirt_enable_sasl | bool else 'none' }}"
+  auth_tls: "{{ 'sasl' if compute_libvirt_enable_sasl | bool else 'none' }}"
   log_level: "{{ compute_libvirtd_log_level }}"
 
 # A dict of additional configuration options to write to
@@ -202,6 +203,12 @@ compute_qemu_conf_extra: {}
 # compute_qemu_conf_extra.
 compute_qemu_conf: "{{ compute_qemu_conf_default | combine(compute_qemu_conf_extra) }}"
 
+# Whether to enable libvirt SASL authentication. Default is true.
+compute_libvirt_enable_sasl: true
+
+# libvirt SASL password. Default is unset.
+compute_libvirt_sasl_password:
+
 # Whether to enable a libvirt TLS listener. Default is false.
 compute_libvirt_enable_tls: false
 
diff --git a/ansible/group_vars/all/kolla b/ansible/group_vars/all/kolla
index ede0e5b33271feb457560bdda5d22cca846dcd25..1e3623d40923b005978393d6374501378e31ef70 100644
--- a/ansible/group_vars/all/kolla
+++ b/ansible/group_vars/all/kolla
@@ -580,9 +580,9 @@ kolla_enable_zun: "no"
 ###############################################################################
 # Passwords and credentials.
 
-# Dictionary containing default custom passwords to add or override in the
+# Dictionary containing base custom passwords to add or override in the
 # Kolla passwords file.
-kolla_ansible_default_custom_passwords:
+kolla_ansible_base_custom_passwords:
   # SSH key authorized in hosts deployed by Bifrost.
   bifrost_ssh_key:
     private_key: "{{ lookup('file', ssh_private_key_path) }}"
@@ -593,6 +593,19 @@ kolla_ansible_default_custom_passwords:
     public_key: "{{ lookup('file', ssh_public_key_path) }}"
   docker_registry_password: "{{ kolla_docker_registry_password }}"
 
+# Dictionary containing libvirt custom passwords to add or override in the
+# Kolla passwords file.
+kolla_ansible_libvirt_custom_passwords:
+  libvirt_sasl_password: "{{ compute_libvirt_sasl_password }}"
+
+# Dictionary containing default custom passwords to add or override in the
+# Kolla passwords file.
+kolla_ansible_default_custom_passwords: >-
+  {{ kolla_ansible_base_custom_passwords |
+     combine(kolla_ansible_libvirt_custom_passwords
+             if compute_libvirt_enabled | bool and compute_libvirt_enable_sasl | bool
+             else {}) }}
+
 # Dictionary containing custom passwords to add or override in the Kolla
 # passwords file.
 kolla_ansible_custom_passwords: "{{ kolla_ansible_default_custom_passwords }}"
diff --git a/ansible/roles/kolla-ansible/defaults/main.yml b/ansible/roles/kolla-ansible/defaults/main.yml
index 9e077448228d86ff31bbfe6620bf83e006af35e0..6bff33bc1ddc26b621597bacd7e34d94d95333e5 100644
--- a/ansible/roles/kolla-ansible/defaults/main.yml
+++ b/ansible/roles/kolla-ansible/defaults/main.yml
@@ -238,6 +238,8 @@ kolla_nova_compute_ironic_host:
 
 kolla_libvirt_tls:
 
+kolla_libvirt_enable_sasl:
+
 ###############################################################################
 # Extra free-form configuraton.
 
diff --git a/ansible/roles/kolla-ansible/templates/kolla/globals.yml b/ansible/roles/kolla-ansible/templates/kolla/globals.yml
index 04d5e33b31d05d71e348dde1c66439b4de8a96bb..a68273da0d153571d93eabdd6d0048b42343c44d 100644
--- a/ansible/roles/kolla-ansible/templates/kolla/globals.yml
+++ b/ansible/roles/kolla-ansible/templates/kolla/globals.yml
@@ -397,6 +397,9 @@ enable_{{ feature_flag }}: {{ hostvars[inventory_hostname]['kolla_enable_' ~ fea
 libvirt_tls: {{ kolla_libvirt_tls | bool }}
 {% endif %}
 
+{% if kolla_libvirt_enable_sasl is not none %}
+libvirt_enable_sasl: {{ kolla_libvirt_enable_sasl | bool }}
+{% endif %}
 #################
 # Hyper-V options
 #################
diff --git a/doc/source/configuration/reference/hosts.rst b/doc/source/configuration/reference/hosts.rst
index 7cda51e2b6025a853b6eb98ec51db16be15b676b..fcc6cb0b357465c66fb1b792e4bc071efb8fc199 100644
--- a/doc/source/configuration/reference/hosts.rst
+++ b/doc/source/configuration/reference/hosts.rst
@@ -1094,6 +1094,12 @@ are relevant only when using the libvirt daemon rather than the
     A dict of configuration options to write to ``/etc/libvirt/qemu.conf``.
     Default is a combination of ``compute_qemu_conf_default`` and
     ``compute_qemu_conf_extra``.
+``compute_libvirt_enable_sasl``
+    Whether to enable libvirt SASL authentication.  Default is the same as
+    ``compute_libvirt_tcp_listen``.
+``compute_libvirt_sasl_password``
+    libvirt SASL password. Default is unset. This must be defined when
+    ``compute_libvirt_enable_sasl`` is ``true``.
 ``compute_libvirt_enable_tls``
     Whether to enable a libvirt TLS listener. Default is false.
 ``compute_libvirt_ceph_repo_install``
@@ -1125,6 +1131,24 @@ To customise QEMU to avoid adding timestamps to logs:
    compute_qemu_conf_extra:
      log_timestamp: 0
 
+Example: SASL
+-------------
+
+SASL authentication is enabled by default.  This provides authentication for
+TCP and TLS connections to the libvirt API. A password is required, and should
+be encrypted using Ansible Vault.
+
+.. code-block:: yaml
+   :caption: ``compute.yml``
+
+   compute_libvirt_sasl_password: !vault |
+     $ANSIBLE_VAULT;1.1;AES256
+     63363937303539373738356236393563636466313130633435353933613637343231303836343933
+     3463623265653030323665383337376462363434396361320a653737376237353261303066616637
+     66613562316533313632613433643537346463303363376664396661343835373033326261383065
+     3731643633656636360a623534313665343066656161333866613338313266613465336332376463
+     3234
+
 Example: enabling libvirt TLS listener
 --------------------------------------
 
diff --git a/playbooks/kayobe-overcloud-base/overrides.yml.j2 b/playbooks/kayobe-overcloud-base/overrides.yml.j2
index 864e29b960face9179f6f6a4573045b40a2c2836..db69a00cf77d561564481c44de6cf9ef8ab7fd6d 100644
--- a/playbooks/kayobe-overcloud-base/overrides.yml.j2
+++ b/playbooks/kayobe-overcloud-base/overrides.yml.j2
@@ -31,6 +31,9 @@ pip_trusted_hosts:
 aio_bridge_ports:
   - dummy1
 
+# Generate a password for libvirt SASL authentication.
+compute_libvirt_sasl_password: "{% raw %}{{ lookup('password', '/tmp/libvirt-sasl-password') }}{% endraw %}"
+
 # Enable ironic for testing baremetal compute.
 kolla_enable_ironic: true
 
diff --git a/playbooks/kayobe-overcloud-host-configure-base/overrides.yml.j2 b/playbooks/kayobe-overcloud-host-configure-base/overrides.yml.j2
index 34bf2a29f354999b2f474161ebd5ad9bfffa77dd..fed315141efcc1888d105fff0007ce9df3da3ff1 100644
--- a/playbooks/kayobe-overcloud-host-configure-base/overrides.yml.j2
+++ b/playbooks/kayobe-overcloud-host-configure-base/overrides.yml.j2
@@ -187,3 +187,6 @@ controller_firewalld_rules:
   - service: cockpit
     state: disabled
     zone: public
+
+# Generate a password for libvirt SASL authentication.
+compute_libvirt_sasl_password: "{% raw %}{{ lookup('password', '/tmp/libvirt-sasl-password') }}{% endraw %}"
diff --git a/playbooks/kayobe-overcloud-upgrade-base/overrides.yml.j2 b/playbooks/kayobe-overcloud-upgrade-base/overrides.yml.j2
index f679ce13504de6171c86eec442f5d398d4e40801..5972bdfd613f8373d25c388cedc0910be513d7ee 100644
--- a/playbooks/kayobe-overcloud-upgrade-base/overrides.yml.j2
+++ b/playbooks/kayobe-overcloud-upgrade-base/overrides.yml.j2
@@ -35,6 +35,9 @@ pip_trusted_hosts:
 aio_bridge_ports:
   - dummy1
 
+# Generate a password for libvirt SASL authentication.
+compute_libvirt_sasl_password: "{% raw %}{{ lookup('password', '/tmp/libvirt-sasl-password') }}{% endraw %}"
+
 # Enable ironic for testing baremetal compute.
 kolla_enable_ironic: true
 
diff --git a/requirements.yml b/requirements.yml
index 86c7651502d610076554b7655cd1cf7df4b325d8..1818ef1a6b9682a47bbc9ad52f812537694eeb3e 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -32,7 +32,7 @@ roles:
   - src: stackhpc.grafana-conf
     version: 1.1.1
   - src: stackhpc.libvirt-host
-    version: v1.10.0
+    version: v1.11.0
   - src: stackhpc.libvirt-vm
     version: v1.14.2
   - src: stackhpc.luks