diff --git a/ansible/roles/barbican/defaults/main.yml b/ansible/roles/barbican/defaults/main.yml
index 37c47bbd58b054a0d55cff55727dca5f3336b108..c09cac06abe97e89be8e3e1dd588b2e8b09e5f61 100644
--- a/ansible/roles/barbican/defaults/main.yml
+++ b/ansible/roles/barbican/defaults/main.yml
@@ -16,12 +16,14 @@ barbican_services:
         external: false
         port: "{{ barbican_api_port }}"
         listen_port: "{{ barbican_api_listen_port }}"
+        tls_backend: "{{ barbican_enable_tls_backend }}"
       barbican_api_external:
         enabled: "{{ enable_barbican }}"
         mode: "http"
         external: true
         port: "{{ barbican_api_port }}"
         listen_port: "{{ barbican_api_listen_port }}"
+        tls_backend: "{{ barbican_enable_tls_backend }}"
   barbican-keystone-listener:
     container_name: barbican_keystone_listener
     group: barbican-keystone-listener
@@ -142,3 +144,8 @@ barbican_ks_roles:
   - "{{ barbican_creator_role }}"
   - "{{ barbican_observer_role }}"
   - "{{ barbican_audit_role }}"
+
+####################
+# TLS
+####################
+barbican_enable_tls_backend: "{{ kolla_enable_tls_backend }}"
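Review bot: The new `barbican_enable_tls_backend` default has no comment telling an operator what must be supplied when it is on; the `# TLS` banner alone does not say. The templates in this commit read `barbican-cert.pem` and `barbican-key.pem` from the service config directory whenever the flag is true. I would add above the variable: `# Serve barbican-api over TLS behind HAProxy; requires barbican-cert.pem and barbican-key.pem in the barbican-api config directory.`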
diff --git a/ansible/roles/barbican/tasks/config.yml b/ansible/roles/barbican/tasks/config.yml
index 51eb889da79faed885b6e5e9479497f47697fa90..5fbf03172d9bfa6a9f1242b2e82c3ea260838f9c 100644
--- a/ansible/roles/barbican/tasks/config.yml
+++ b/ansible/roles/barbican/tasks/config.yml
@@ -49,7 +49,7 @@
 
 - include_tasks: copy-certs.yml
   when:
-    - kolla_copy_ca_into_containers | bool
+    - kolla_copy_ca_into_containers | bool or barbican_enable_tls_backend | bool
 
 - name: Copying over config.json files for services
   template:
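Review bot: With only `barbican_enable_tls_backend` set, this condition now runs copy-certs.yml, but that file is outside the diff, so it is not visible whether it places `barbican-cert.pem` and `barbican-key.pem` in the config directory or only the CA bundle. barbican-api.json.j2 lists both files without `"optional": true`, so a missing copy would presumably fail the container's config step rather than fall back to plaintext, which is worth confirming with a deploy that sets only the backend flag. The mixed filter and `or` expression would also read more safely with explicit grouping: `- (kolla_copy_ca_into_containers | bool) or (barbican_enable_tls_backend | bool)`.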
diff --git a/ansible/roles/barbican/templates/barbican-api.ini.j2 b/ansible/roles/barbican/templates/barbican-api.ini.j2
index 302cf98d5858b095d5cf7db6e239ee98279cc6c9..706d9e8d29ec36ad41858e98d4918a5a047ebe6a 100644
--- a/ansible/roles/barbican/templates/barbican-api.ini.j2
+++ b/ansible/roles/barbican/templates/barbican-api.ini.j2
@@ -1,6 +1,9 @@
 [uwsgi]
-socket = {{ api_interface_address | put_address_in_context('url') }}:{{ barbican_api_listen_port }}
-protocol = http
+{% if barbican_enable_tls_backend | bool %}
+https-socket = {{ api_interface_address | put_address_in_context('url') }}:{{ barbican_api_listen_port }},/etc/barbican/certs/barbican-cert.pem,/etc/barbican/certs/barbican-key.pem
+{% else %}
+http-socket = {{ api_interface_address | put_address_in_context('url') }}:{{ barbican_api_listen_port }}
+{% endif %}
 processes = {{ openstack_service_workers }}
 lazy = true
 vacuum = true
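Review bot: The `https-socket` line gives uWSGI only the address, certificate and key, so cipher selection is left to whatever the uWSGI/OpenSSL build defaults to. As far as I know the option accepts an optional cipher string after the key path, so appending one (for example `...,/etc/barbican/certs/barbican-key.pem,HIGH`) would make the backend TLS posture explicit; otherwise, document why the default is acceptable. The certificate and key paths are also repeated literally as `dest` values in barbican-api.json.j2, so a rename in one template would leave uWSGI unable to load its key. A shared variable for the two paths would avoid that drift.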
diff --git a/ansible/roles/barbican/templates/barbican-api.json.j2 b/ansible/roles/barbican/templates/barbican-api.json.j2
index 79a3ac263b201bbf7145d3365a7c6e27d748cd6f..e28191aae13c77ef854de192e7b7590e16ee17e9 100644
--- a/ansible/roles/barbican/templates/barbican-api.json.j2
+++ b/ansible/roles/barbican/templates/barbican-api.json.j2
@@ -19,7 +19,19 @@
             "owner": "barbican",
             "perm": "0600",
             "optional": true
-        }{% if barbican_policy_file is defined %},
+        }{% if barbican_enable_tls_backend | bool %},
+        {
+            "source": "{{ container_config_directory }}/barbican-cert.pem",
+            "dest": "/etc/barbican/certs/barbican-cert.pem",
+            "owner": "barbican",
+            "perm": "0600"
+        },
+        {
+            "source": "{{ container_config_directory }}/barbican-key.pem",
+            "dest": "/etc/barbican/certs/barbican-key.pem",
+            "owner": "barbican",
+            "perm": "0600"
+        }{% endif %}{% if barbican_policy_file is defined %},
         {
             "source": "{{ container_config_directory }}/{{ barbican_policy_file }}",
             "dest": "/etc/barbican/{{ barbican_policy_file }}",
diff --git a/releasenotes/notes/encrypt-backend-haproxy-fb96285d74fb464c.yaml b/releasenotes/notes/encrypt-backend-haproxy-fb96285d74fb464c.yaml
index bfe710a8b19777da31892611a407620b14663e4a..72bb2880171d4e8226c1799cdd81317d4eaadf86 100644
--- a/releasenotes/notes/encrypt-backend-haproxy-fb96285d74fb464c.yaml
+++ b/releasenotes/notes/encrypt-backend-haproxy-fb96285d74fb464c.yaml
@@ -2,7 +2,7 @@
 features:
   - |
     Added configuration options to enable backend TLS encryption from HAProxy
-    to the Keystone, Glance, Heat, Placement, Horizon, and Cinder services.
-    When used in conjunction with enabling TLS for service API endpoints,
-    network communcation will be encrypted end to end, from client through
-    HAProxy to the backend service.
+    to the Keystone, Glance, Heat, Placement, Horizon, Barbican, and Cinder
+    services. When used in conjunction with enabling TLS for service API
+    endpoints, network communcation will be encrypted end to end, from client
+    through HAProxy to the backend service.