diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml
index d6f35f61b9fcd616702e2bfbb304ec845129bc6a..34b3ccd6a8ad8826f6d15ed1143446e794707df8 100644
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@@ -442,6 +442,13 @@ ceilometer_database_type: "mongodb"
 ceilometer_event_type: "mongodb"
 
 
+#######################
+# Barbican options
+#######################
+# Valid options are [ simple_crypto, p11_crypto ]
+barbican_crypto_plugin: "simple_crypto"
+barbican_library_path: "/usr/lib/libCryptoki2_64.so"
+
 ########################
 ### Panko options
 ########################
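Review bot: The new default `barbican_crypto_plugin: "simple_crypto"` replaces the `p11_crypto` value that barbican.conf.j2 hard-coded before this commit, so a deployment that does not set the variable changes plugin on its next reconfigure. Secrets already wrapped through the PKCS#11 plugin would presumably stop being readable after that switch, which should be confirmed before merging. With simple_crypto the key-encryption key is also rendered in plaintext into barbican.conf (the `kek =` line in the template). I would state both facts above the variable, for example `# simple_crypto stores the KEK in barbican.conf; set p11_crypto to keep keys in an HSM (the previous behaviour)`.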
diff --git a/ansible/roles/barbican/templates/barbican.conf.j2 b/ansible/roles/barbican/templates/barbican.conf.j2
index c3515938bc744907195b93f3f8b6a4307d6dd12e..a5616a560bfec5c01a08aebb90180513e400bc3a 100644
--- a/ansible/roles/barbican/templates/barbican.conf.j2
+++ b/ansible/roles/barbican/templates/barbican.conf.j2
@@ -2,7 +2,6 @@
 debug = {{ barbican_logging_debug }}
 log_dir = /var/log/kolla/barbican
 
-
 bind_port = {{ barbican_api_port }}
 bind_host = {{ hostvars[inventory_hostname]['ansible_' + api_interface]['ipv4']['address'] }}
 host_href = {{ public_protocol }}://{{ kolla_external_fqdn }}:{{ barbican_api_port }}
@@ -23,11 +22,12 @@ enabled_secretstore_plugins = store_crypto
 # ================= Crypto plugin ===================
 [crypto]
 namespace = barbican.crypto.plugin
-enabled_crypto_plugins = p11_crypto
+enabled_crypto_plugins = {{ barbican_crypto_plugin }}
 
+{% if barbican_crypto_plugin == 'p11_crypto' %}
 [p11_crypto_plugin]
 # Path to vendor PKCS11 library
-library_path = '/usr/lib/libCryptoki2_64.so'
+library_path = {{ barbican_library_path }}
 # Password to login to PKCS11 session
 login = '{{ barbican_p11_password }}'
 # Label to identify master KEK in the HSM (must not be the same as HMAC label)
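Review bot: The rewritten `library_path = {{ barbican_library_path }}` drops the single quotes that the old line and the other string values in this section (`login`, `mkek_label`, `hmac_label`) carry. Keeping `library_path = '{{ barbican_library_path }}'` leaves the section consistent and makes a path containing spaces unambiguous. The `{% if %}` opened here is only closed in the next hunk, and a `barbican_crypto_plugin` value outside the two documented ones would render `enabled_crypto_plugins` with no plugin section at all, so a short comment on the accepted values next to the condition would help.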
@@ -36,6 +36,12 @@ mkek_label = 'kolla_master_kek'
 mkek_length = 32
 # Label to identify HMAC key in the HSM (must not be the same as MKEK label)
 hmac_label = 'kolla_hmac'
+{% endif %}
+{% if barbican_crypto_plugin == 'simple_crypto' %}
+[simple_crypto_plugin]
+# the kek should be a 32-byte value which is base64 encoded
+kek = '{{ barbican_crypto_password }}'
+{% endif %}
 
 
 [keystone_notifications]
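Review bot: The `kek` line reads `{{ barbican_crypto_password }}`, but this commit adds `barbican_crypto_key` to etc/kolla/passwords.yml and generates a value under that same name in genpwd.py. Unless `barbican_crypto_password` is defined somewhere outside this diff, rendering with the default `simple_crypto` plugin fails on an undefined variable, or the generated key is never used. The line should be `kek = '{{ barbican_crypto_key }}'`.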
diff --git a/etc/kolla/globals.yml b/etc/kolla/globals.yml
index afa6dba6dec23f17b64eaf99e85d973d5db870bf..d3d1cbb58467b4eee96afcb95de22a39172bf169 100644
--- a/etc/kolla/globals.yml
+++ b/etc/kolla/globals.yml
@@ -241,6 +241,14 @@ kolla_internal_vip_address: "10.10.10.254"
 # Valid options are [ mongodb, gnocchi, panko ]
 #ceilometer_event_type: "mongodb"
 
+
+#######################
+# Barbican options
+#######################
+# Valid options are [ simple_crypto, p11_crypto ]
+#barbican_crypto_plugin: "simple_crypto"
+#barbican_library_path: "/usr/lib/libCryptoki2_64.so"
+
 #######################
 ## Panko options
 #######################
diff --git a/etc/kolla/passwords.yml b/etc/kolla/passwords.yml
index dec1a22a0e27b099d4eacd181c6244a2af5d4889..50262c1dfb19b7ef0f5c76bb8c9bd605769c767e 100644
--- a/etc/kolla/passwords.yml
+++ b/etc/kolla/passwords.yml
@@ -30,6 +30,8 @@ aodh_keystone_password:
 barbican_database_password:
 barbican_keystone_password:
 barbican_p11_password:
+barbican_crypto_key:
+
 
 keystone_admin_password:
 keystone_database_password:
diff --git a/kolla_ansible/cmd/genpwd.py b/kolla_ansible/cmd/genpwd.py
index cfd3319c434985c74065801fe1245e727d626361..34d4c713cf43caa26f5e9a85c0c1d5719857b15f 100755
--- a/kolla_ansible/cmd/genpwd.py
+++ b/kolla_ansible/cmd/genpwd.py
@@ -21,6 +21,7 @@ import sys
 
 from Crypto.PublicKey import RSA
 from hashlib import md5
+from hashlib import sha256
 from oslo_utils import uuidutils
 import yaml
 
@@ -70,6 +71,9 @@ def main():
     # HMAC-MD5 keys
     hmac_md5_keys = ['designate_rndc_key']
 
+    # HMAC-SHA256 keys
+    hmac_sha256_keys = ['barbican_crypto_key']
+
     # length of password
     length = 40
 
@@ -96,6 +100,10 @@ def main():
                 passwords[k] = (hmac.new(
                     uuidutils.generate_uuid(), '', md5)
                     .digest().encode('base64')[:-1])
+            elif k in hmac_sha256_keys:
+                passwords[k] = (hmac.new(
+                    uuidutils.generate_uuid(), '', sha256)
+                    .digest().encode('base64')[:-1])
             else:
                 passwords[k] = ''.join([
                     random.SystemRandom().choice(
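Review bot: The `barbican_crypto_key` branch derives the 32-byte KEK from `hmac.new(uuidutils.generate_uuid(), '', sha256)`, so its strength is capped by the UUID and not by the 256-bit digest. Assuming `generate_uuid()` returns a version-4 UUID, that is at most 122 random bits, and the HMAC over an empty message adds none. Since the value is used as a key-encryption key and not as an HMAC key, I would draw it straight from the OS CSPRNG: `passwords[k] = os.urandom(32).encode('base64')[:-1]`. That needs `import os` if the module does not already have it, which is not visible in this diff. The list name `hmac_sha256_keys` in the previous hunk would then be better as something like `base64_256bit_keys`. `main()` starts and continues outside this hunk.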